Actions Occurring That Are Not Assigned

terrygwazdosky
Level 1

I noticed this morning that a custom signature I created triggered and an action that I didn't assign to it occurred. I set the severity to medium and the actions of the signature to alarm and deny packet inline, but "denied flow" also shows as an action taken in the alert message. I have two event action overrides, but they are set to add produce alert (medium) and produce alert and deny packet inline (high). I tried rebooting the sensor and then triggered the alert and it did the same thing.

It's not a major issue, but I do find it kind of odd.  Any ideas?

The IPS is an ASA-SSM-20 running 7.0(4)E4.

1 Accepted Solution

Hi,

The action taken by the sensor for a TCP-based signature with 'deny packet inline' action will be "upgraded" automatically to 'deny connection inline'.  This is by design of the software.


Regards,
Chris

3 Replies

praprama
Cisco Employee

Hi,

That's weird. Can you paste the details of the custom signature you have created?

Regards,

Prapanch

Here you go:

signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name MS10-046
sig-string-info .pif or .lnk file extension matching
sig-comment http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
exit
engine service-http
event-action produce-alert|deny-packet-inline
regex
specify-uri-regex yes
uri-regex \.([Ll][Nn][Kk]|[Pp][Ii][Ff])
exit
exit
service-ports 80,8080
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode fire-once
exit
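
An added example (not part of any post in this thread, and not Cisco code): it runs the uri-regex from the posted signature over constructed request lines to show where it fires, next to a hypothetical path-anchored variant. This matters because, per the accepted solution, a match on a TCP signature with deny packet inline ends up denying the whole connection. It assumes Python's `re` treats this simple pattern as the sensor does; how the sensor delimits the URI field is not modelled.

```python
import re

# Pattern copied from the uri-regex line of the posted signature 60000.
# Assumption: Python's re handles this pattern (literal dot, character
# classes, alternation) the same way the sensor's regex engine does.
SIG_URI_REGEX = re.compile(r"\.([Ll][Nn][Kk]|[Pp][Ii][Ff])")

# Hypothetical stricter variant, not from the thread: the extension must
# end the path (followed by end of target, '?' or '#').
STRICT_URI_REGEX = re.compile(r"^[^?#]*\.([Ll][Nn][Kk]|[Pp][Ii][Ff])(?=$|[?#])")

# Constructed request lines for illustration; not captured traffic.
SAMPLE_REQUESTS = [
    "GET /share/report.lnk HTTP/1.1",
    "GET /share/REPORT.PIF HTTP/1.1",
    "GET /docs/index.html HTTP/1.1",
    "GET /help/shortcuts.lnk.html HTTP/1.1",
    "GET /search?q=what+is+a+.pif+file HTTP/1.1",
    "GET /img/logo.png?ref=menu.lnk HTTP/1.1",
]


def request_target(request_line):
    """Return the request target (second field) of an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("not a well-formed request line: %r" % request_line)
    return parts[1]


def classify(request_lines):
    """Return (target, fires_as_posted, fires_strict) for each request line."""
    rows = []
    for line in request_lines:
        target = request_target(line)
        rows.append((
            target,
            SIG_URI_REGEX.search(target) is not None,
            STRICT_URI_REGEX.match(target) is not None,
        ))
    return rows


if __name__ == "__main__":
    for target, posted, strict in classify(SAMPLE_REQUESTS):
        print("%-40s posted=%-5s strict=%s" % (target, posted, strict))
```

The posted pattern is unanchored, so it also fires on `.lnk`/`.pif` inside a longer file name or a query string; the stricter variant fires only when the path itself ends in one of the two extensions.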
