08-23-2010 06:24 AM - edited 03-10-2019 05:06 AM
I noticed this morning that a custom signature I created triggered and an action that I didn't assign to it occurred. I set the severity to medium and the actions of the signature to alarm and deny packet inline, but "denied flow" also shows as an action taken in the alert message. I have two event action overrides, but they are set to add produce alert (medium) and produce alert and deny packet inline (high). I tried rebooting the sensor and then triggered the alert and it did the same thing.
It's not a major issue, but I do find it kind of odd. Any ideas?
The IPS is an ASA-SSM-20 running 7.0(4)E4.
08-23-2010 08:43 AM
Hi,
The action taken by the sensor for a TCP-based signature with 'deny packet inline' action will be "upgraded" automatically to 'deny connection inline'. This is by design of the software.
Regards,
Chris
08-23-2010 08:30 AM
Hi,
That's weird. Can you paste the details of the custom signature you have created?
Regards,
Prapanch
08-23-2010 08:37 AM
Here you go:
signatures 60000 0
  alert-severity medium
  sig-fidelity-rating 75
  sig-description
    sig-name MS10-046
    sig-string-info .pif or .lnk file extension matching
    sig-comment http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
    exit
  engine service-http
    event-action produce-alert|deny-packet-inline
    regex
      specify-uri-regex yes
        uri-regex \.([Ll][Nn][Kk]|[Pp][Ii][Ff])
        exit
      exit
    service-ports 80,8080
    exit
  event-counter
    event-count 1
    event-count-key Axxx
    specify-alert-interval no
    exit
  alert-frequency
    summary-mode fire-once
    exit
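Two things in this thread are worth checking offline before a signature like this goes on a sensor: what the posted URI regex actually matches, and what action set the sensor will end up taking once the event-action overrides and the TCP "upgrade" described in the answer are applied. The following is an added example written for this page, not code from the original post or from Cisco; it re-implements the posted `uri-regex` in Python's `re` (for this pattern the two regex dialects agree), runs it over a few constructed request URIs, and models the action resolution exactly as the thread states it: the signature's own actions, plus whatever the override for that severity adds, plus `deny-connection-inline` for a TCP-based signature carrying `deny-packet-inline`. The override table, the `tcp` flag, the `TIGHT_URI_REGEX` variant and the sample URIs are all assumptions of the example. Note that the posted regex is unanchored, so it also fires on URIs such as `/file.pifs.html`; the tighter variant shows one way to avoid that.

```python
import re

# The URI regex exactly as posted in custom signature 60000.
# Unanchored: ".lnk" / ".pif" may appear anywhere in the URI.
SIG_URI_REGEX = re.compile(r"\.([Ll][Nn][Kk]|[Pp][Ii][Ff])")

# Tighter variant (my suggestion, not from the thread): the extension must end
# the path component, so ".pifs.html" or ".lnkfoo" no longer trigger.
TIGHT_URI_REGEX = re.compile(r"\.([Ll][Nn][Kk]|[Pp][Ii][Ff])(?=$|[?#/])")

# Event-action overrides as the original poster described them (assumed shape):
# severity -> actions the override adds to whatever the signature already has.
OVERRIDES = {
    "medium": {"produce-alert"},
    "high": {"produce-alert", "deny-packet-inline"},
}


def uri_matches(uri, pattern=SIG_URI_REGEX):
    """True if the given regex fires on this request URI."""
    return pattern.search(uri) is not None


def scan_requests(request_lines, pattern=SIG_URI_REGEX):
    """Apply the regex to the request-target of constructed HTTP request lines.

    Returns a list of (uri, matched) tuples. Lines that are not
    'METHOD target HTTP/x.y' are skipped, as the sensor would not
    treat them as a URI either.
    """
    results = []
    for line in request_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue
        uri = parts[1]
        results.append((uri, uri_matches(uri, pattern)))
    return results


def effective_actions(sig_actions, severity, tcp=True):
    """Model of the action set the thread describes (not the sensor's code).

    1. start with the signature's own event-action set;
    2. add what the override for this severity contributes;
    3. for a TCP-based signature carrying deny-packet-inline, the sensor
       also reports deny-connection-inline ("denied flow").  The poster saw
       both actions in the alert, so the model adds rather than replaces.
    """
    actions = set(sig_actions) | OVERRIDES.get(severity, set())
    if tcp and "deny-packet-inline" in actions:
        actions.add("deny-connection-inline")
    return actions


# Constructed sample traffic for the demonstration; not captured data.
SAMPLE_REQUESTS = [
    "GET /download/readme.lnk HTTP/1.1",
    "GET /files/Setup.PIF?id=3 HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /archive/file.pifs.html HTTP/1.1",      # unanchored regex fires here
    "GET /download.php?name=tool.lnk HTTP/1.1",
    "Host: www.example.com",                      # not a request line
]

if __name__ == "__main__":
    for uri, hit in scan_requests(SAMPLE_REQUESTS):
        tight = uri_matches(uri, TIGHT_URI_REGEX)
        print(f"{uri:40s} posted-regex={hit!s:5s} tight-regex={tight}")
    sig = {"produce-alert", "deny-packet-inline"}
    print("medium/TCP :", sorted(effective_actions(sig, "medium")))
    print("medium/UDP :", sorted(effective_actions(sig, "medium", tcp=False)))
    print("high/TCP   :", sorted(effective_actions({"produce-alert"}, "high")))
```

Run it as a script to see the per-URI comparison and the three resolved action sets; the medium/TCP row reproduces the original poster's observation (alert, deny packet, and the extra denied flow), and the medium/UDP row shows that a non-TCP signature would keep only the actions that were configured.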