07-16-2010 07:32 AM - edited 03-10-2019 05:03 AM
Hello,
I need to know how the IPS makes the decision to put an attacker IP in the denied attackers list, and whether there is a way to monitor which signature triggered it.
The case I have is an IPS protecting the WAN zone. For no apparent reason it is adding legitimate IP addresses to the denied attackers pane, without any indication of what caused the IPS to put them there. When I create an event action filter and remove the deny-attacker-inline action from all signatures for that specific IP, the issue is resolved, but we don't want this workaround since the customer wants to keep a restrictive policy.
Regards
07-16-2010 09:35 AM
Hello,
From your description, I assume that the signature causing the deny-attacker action event is not actually creating an alert. You have a few different tools that can help you identify what signature is executing the deny-attacker action.
- Signature configuration view filtering (Configuration -> Policies -> Signature Definitions -> sig0 -> All Signatures)
- Virtual Sensor statistics (Configuration -> Sensor Monitoring -> Support Information -> Statistics -> scroll down to the section "Virtual Sensor Statistics" and look for the signature firing counts)
- Event Action Overrides (** use this with caution **)
Signature configuration view filtering
Unless your signatures are significantly tuned, you will only have a few configured with the deny-X action. Go into the signature configuration area of IME and filter on Action -> Deny X (where X is any of the Deny Actions). This will help you identify what signatures are potentially executing the deny-attacker action.
Virtual Sensor statistics
Looking at the signature event count will show you what signatures are eventing, but may not be alerting (no Produce-Alert action set). This will lead you to what signatures are potentially executing the deny-attacker action.
Event Action Overrides
Caution, Caution, Caution: If your sensor is reasonably busy, this will cause many alerts to be generated. Use only for troubleshooting and only if you do not normally see a high event rate.
You can configure an Event Action Override of Produce Alert *only* for the signatures you see firing in the Virtual Sensor statistics in the time that the deny-attacker action has been executed. This will cause the deny-attacker signature to alert and you can see the deny-attacker action in the event data.
Please let me know if I understand your issue correctly and if the above information helps.
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
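The answer above amounts to a two-step audit: list every signature carrying a deny-* action, then cross-check those against the per-signature firing counts to find the ones that fire without producing an alert. The script below is an added example written for this thread; it is not Cisco code and does not read the sensor's real export or statistics format. The policy text and the count table are constructed inline, and the action names are assumed to match the sensor's event-action names (`produce-alert`, `produce-verbose-alert`, `deny-attacker-inline` and the other deny-* actions).

```python
# Added example, not from the thread or from Cisco.
# Audit a signature policy for "silent deny" signatures: any signature that
# carries a deny-* action but no produce-alert / produce-verbose-alert action.
# Cross-check them against firing counts so the signature most likely to be
# filling the denied attackers list ranks first.
from dataclasses import dataclass

# Assumed to match the sensor's event-action names.
DENY_ACTIONS = {
    "deny-attacker-inline",
    "deny-attacker-victim-pair-inline",
    "deny-attacker-service-pair-inline",
    "deny-connection-inline",
    "deny-packet-inline",
}
ALERT_ACTIONS = {"produce-alert", "produce-verbose-alert"}

# Constructed policy export for this example: sigid|subsig|name|actions.
# This is NOT the sensor's real signature-definition export format.
POLICY = """\
# sigid|subsig|name|actions
2100|0|ICMP Network Sweep w/Echo|produce-alert,deny-attacker-inline
5081|0|WWW WinNT cmd.exe Access|produce-alert
3030|0|TCP SYN Host Sweep|deny-attacker-inline
60000|0|Custom string match|deny-attacker-inline,produce-verbose-alert
60001|0|Custom sweep tune|deny-packet-inline
"""

# Constructed firing counts keyed "sigid/subsig", standing in for the
# "Virtual Sensor Statistics" section mentioned in the thread.
FIRING_COUNTS = {"2100/0": 12, "5081/0": 3, "3030/0": 7, "60000/0": 4, "60001/0": 0}


@dataclass(frozen=True)
class Signature:
    key: str          # "sigid/subsig"
    name: str
    actions: frozenset

    @property
    def denies(self) -> bool:
        return bool(self.actions & DENY_ACTIONS)

    @property
    def alerts(self) -> bool:
        return bool(self.actions & ALERT_ACTIONS)


def parse_policy(text: str) -> list:
    """Parse the constructed pipe-separated policy text into Signature objects."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sigid, subsig, name, actions = line.split("|", 3)
        acts = frozenset(a.strip() for a in actions.split(",") if a.strip())
        sigs.append(Signature(f"{sigid}/{subsig}", name, acts))
    return sigs


def silent_deny_signatures(sigs: list) -> list:
    """Signatures that deny but never alert: the blind spot described in the thread."""
    return [s for s in sigs if s.denies and not s.alerts]


def ranked_candidates(sigs: list, counts: dict) -> list:
    """Silent deny signatures ranked by firing count; each entry is (key, name, count).

    The signature at the top is the most probable cause of unexplained entries
    in the denied attackers pane: it executes deny-attacker but leaves no event.
    """
    rows = [(s.key, s.name, counts.get(s.key, 0)) for s in silent_deny_signatures(sigs)]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for key, name, count in ranked_candidates(parse_policy(POLICY), FIRING_COUNTS):
        print(f"{key:>10}  fired={count:<4}  {name}")
```

Running the script against the constructed data lists `3030/0` (fired 7 times, deny-attacker-inline, no alert) ahead of `60001/0` (never fired), while `2100/0` and `60000/0` are excluded because they already alert. On a real sensor the same logic applies once the policy and statistics have been exported; the fix for a top-ranked signature is to add `produce-alert` to it rather than to remove the deny action.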
07-16-2010 10:37 AM
Hello,
Thanks for your answer. Yes, you understood the issue correctly, but I need one more clarification: you mean that the issue could potentially be a signature set to deny attackers, for instance, but not to produce an alert, right?
If I got you well, that would be the most probable cause. I'll check it at the customer's premises and advise.
Thanks a lot for your help!
Regards
07-16-2010 02:07 PM
Hello,
Yes, a signature with the deny-attacker action set but without the produce-alert action set is a quite probable cause of the issue you describe.
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast