03-12-2010 01:08 PM - edited 03-10-2019 04:55 AM
Hi,
I am doing some NMAP regular reconnaissance tests through our ASA w/IPS. These tests are unfortunately going through the IPS even after enabling drop on signatures 3002, 2157, and 4003. Wireshark captures show that NMAP uses TCP as opposed to the UDP specified on signature 4003.
Please assist.
03-16-2010 01:23 PM
You can customize the signature based on TCP.
PK
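As an added illustration (not part of this thread and not Cisco's signature engine), the following Python models the distinction the original poster observed with Wireshark: a port-sweep detector keyed on TCP SYN probes versus one keyed on UDP datagrams, run over constructed packet summaries. A detector that counts only UDP, as the poster says signature 4003 does, never fires on a SYN scan, which is why a TCP-based custom signature is needed. The packet records, hosts, thresholds and time window below are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One packet summary, like a row from a tshark/Wireshark export (constructed here)."""
    ts: float        # seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "R" (RST)


def is_syn_probe(p: Pkt) -> bool:
    """A half-open (nmap -sS style) probe: TCP with SYN set and ACK clear."""
    return p.proto == "tcp" and "S" in p.flags and "A" not in p.flags


def sweep_sources(packets, proto="tcp", unique_ports=15, window=5.0):
    """Return {(src, dst): n} for source/destination pairs where one source hit
    at least `unique_ports` distinct destination ports on one host within
    `window` seconds. proto="tcp" counts SYN probes only; proto="udp" counts
    UDP datagrams only. A UDP-only detector therefore ignores a SYN scan."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for p in sorted(packets, key=lambda x: x.ts):
        if proto == "tcp" and not is_syn_probe(p):
            continue
        if proto == "udp" and p.proto != "udp":
            continue
        events[(p.src, p.dst)].append((p.ts, p.dport))

    hits = {}
    for pair, evs in events.items():
        best, lo = 0, 0
        for hi in range(len(evs)):
            # slide the window start forward until it fits within `window` seconds
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        if best >= unique_ports:
            hits[pair] = best
    return hits


# Constructed sample traffic (assumed hosts, not data from the thread):
SAMPLE = (
    # fast SYN scan: 20 ports in under one second
    [Pkt(0.0 + i * 0.05, "10.0.0.5", "10.0.0.20", "tcp", 1 + i, "S") for i in range(20)]
    # UDP sweep of 20 ports, the traffic a UDP-only signature would see
    + [Pkt(0.3 + i * 0.1, "10.0.0.9", "10.0.0.20", "udp", 100 + i) for i in range(20)]
    # a legitimate handshake: one SYN and the SYN/ACK coming back
    + [Pkt(0.2, "10.0.0.7", "10.0.0.20", "tcp", 443, "S"),
       Pkt(0.21, "10.0.0.20", "10.0.0.7", "tcp", 50000, "SA")]
    # slow SYN scan, one probe every 10 s: evades a 5 s window, caught by a longer one
    + [Pkt(10.0 * i, "10.0.0.8", "10.0.0.20", "tcp", 1 + i, "S") for i in range(20)]
)

if __name__ == "__main__":
    print("TCP SYN sweeps :", sweep_sources(SAMPLE, "tcp"))
    print("UDP sweeps     :", sweep_sources(SAMPLE, "udp"))
    print("TCP, 10 min win:", sweep_sources(SAMPLE, "tcp", window=600.0))
```

Run with the default 5 s window, only the fast SYN scanner is reported by the TCP detector and only the UDP sweep by the UDP detector; the slow scanner shows up only when the window is widened, which is the usual trade-off when tuning a sweep signature's interval and threshold.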
03-17-2010 12:23 PM
Mark,
Have you modified the ASA's ACLs to allow all ports? Some organizations' AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.
03-18-2010 11:54 AM
Hi,
No ACL dropping packets. With the IPS on in fail-open, nmap scans still go through.
Please advise.
03-18-2010 09:46 PM
Is the IPS configured in promiscuous or inline mode?
What is the event action for the signature# that matches the NMAP traffic?