IPS/IDS - Firepower ( Intrusions Events )

sahrizal123
Level 1

Hi,

I'm new to FireSIGHT/Firepower... my vendor just installed a new 5516-X firewall with Firepower IPS/IDS...

Currently there is no policy for IPS/IDS...

Based on the GUI I detected the intrusion events shown below. Kindly advise what we can do about this attack: should we block the source IP of the attack at the firewall, or create a policy on the IPS/IDS and block the source IP of the attacker?

## Attached is my intrusion events screenshot..


nspasov
Cisco Employee

This type of info/attack can be pretty common. If your company/resources are available on the internet then you will see attacks against them. The good news here is that you have put controls in place to block such attacks :)

With that said, yes, you can configure FMC to completely block those IP addresses. You can even create a rule that blocks IPs based on geolocation. For instance, you can block China or even Asia altogether if you know for a fact that your company does not have any business ties with that country/continent.

Now while this may sound like a good idea it does have some pitfalls. For instance, hackers often use proxies and VPNs to hide their original IPs. Others may use infected/compromised machines to launch their attacks. Thus, you might end up blacklisting legitimate IPs/businesses. Also, geolocation information is not always accurate. Thus, even though FMC is showing that the IP is based out of China, it could very well be based out of Singapore :)

So, my recommendation here is to monitor those alerts in FMC. If you have IPs that have multiple hits over an extended period of time then you can configure a rule to completely block those. You can also gather information about the IP and report it to the "abuse" department of the ISP hosting it.

I hope this helps!

Thank you for rating helpful posts!
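The monitoring step recommended in the reply above, as an added example that is not part of the original thread and not a Cisco or FMC tool: it groups intrusion events by source IP and only flags sources with repeated hits spread over an extended period, so that a single burst (which could be a scanner, a proxy exit or a compromised host, per the caveats above) is kept apart from a persistent source worth a block rule or an abuse report. The event record layout and the sample events are constructed for this example; an FMC event export would have to be mapped onto these four fields first.

```python
"""Flag persistent intrusion-event sources before deciding on a block rule.

Added example, not from the original thread or from Cisco FMC. The record
layout (timestamp, source IP, destination IP, signature name) and the sample
events below are constructed; map your own export onto these fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events using RFC 5737 documentation address ranges.
# 203.0.113.10  : repeated hits across five days  -> persistent source
# 203.0.113.77  : six hits inside five minutes    -> one-off burst
# 203.0.113.200 : two hits four days apart        -> too few hits
# 192.0.2.33    : a single hit
SAMPLE_EVENTS = [
    ("2019-03-01 08:12:00", "203.0.113.10", "198.51.100.5", "SQL injection attempt"),
    ("2019-03-01 09:40:00", "203.0.113.10", "198.51.100.5", "SQL injection attempt"),
    ("2019-03-01 12:00:00", "203.0.113.200", "198.51.100.5", "Web directory traversal"),
    ("2019-03-01 13:30:00", "192.0.2.33", "198.51.100.7", "SSH brute force"),
    ("2019-03-02 14:05:00", "203.0.113.10", "198.51.100.7", "SSH brute force"),
    ("2019-03-03 02:30:00", "203.0.113.10", "198.51.100.5", "SQL injection attempt"),
    ("2019-03-03 10:00:00", "203.0.113.77", "198.51.100.5", "Web scanner user-agent"),
    ("2019-03-03 10:01:00", "203.0.113.77", "198.51.100.5", "Web scanner user-agent"),
    ("2019-03-03 10:02:00", "203.0.113.77", "198.51.100.5", "Web scanner user-agent"),
    ("2019-03-03 10:03:00", "203.0.113.77", "198.51.100.5", "Web scanner user-agent"),
    ("2019-03-03 10:04:00", "203.0.113.77", "198.51.100.5", "Web scanner user-agent"),
    ("2019-03-03 10:05:00", "203.0.113.77", "198.51.100.5", "Web scanner user-agent"),
    ("2019-03-04 11:15:00", "203.0.113.10", "198.51.100.7", "SSH brute force"),
    ("2019-03-05 16:45:00", "203.0.113.10", "198.51.100.5", "SQL injection attempt"),
    ("2019-03-05 18:00:00", "203.0.113.200", "198.51.100.5", "Web directory traversal"),
]


def parse_events(rows):
    """Turn (timestamp string, src, dst, signature) rows into datetime-keyed tuples."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, sig)
        for ts, src, dst, sig in rows
    ]


def persistent_sources(events, min_hits=5, min_span_days=2, min_active_days=2):
    """Return {source_ip: summary} for sources that keep hitting over time.

    A source qualifies only if it has at least `min_hits` events, its first and
    last event are at least `min_span_days` apart, and it was active on at least
    `min_active_days` distinct calendar days. A short burst therefore does not
    qualify even when it produces many events.
    """
    by_src = defaultdict(list)
    for ts, src, _dst, sig in events:
        by_src[src].append((ts, sig))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        first_seen, last_seen = hits[0][0], hits[-1][0]
        active_days = {ts.date() for ts, _ in hits}
        if (
            len(hits) >= min_hits
            and last_seen - first_seen >= timedelta(days=min_span_days)
            and len(active_days) >= min_active_days
        ):
            flagged[src] = {
                "hits": len(hits),
                "first_seen": first_seen,
                "last_seen": last_seen,
                "active_days": len(active_days),
                "signatures": sorted({sig for _, sig in hits}),
            }
    return flagged


def candidate_block_list(events, **thresholds):
    """Sorted list of source IPs that meet the persistence thresholds."""
    return sorted(persistent_sources(events, **thresholds))


if __name__ == "__main__":
    for ip, info in persistent_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['hits']} hits on {info['active_days']} days, "
              f"{info['first_seen']} .. {info['last_seen']}, {info['signatures']}")
```

The thresholds are arguments rather than constants so the review window can be tuned to the environment; lowering `min_span_days` and `min_active_days` turns the check into a plain hit counter, which is what would catch the burst source instead.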

Thank you Neno Spasov for the great explanation :)

- My next step is to monitor whether the attack count increases or not based on the source IP...

- May I know if we can monitor the root cause of high bandwidth in FMS? (based on my understanding it can only monitor connections)

- Why does my Analysis > Content show no data... many items show no data... is that common?

## Attached is the screenshot...

Hi again. Answers below:

- May I know if we can monitor the root cause of high bandwidth in FMS? (based on my understanding it can only monitor connections)

NS: Yes, you can run reports and get that information. Also, you should be able to gather that information from your Dashboard (if you have that particular widget added). Lastly, you can check the "Network Information" widget located under Analysis > Context Explorer. That widget will show you Top traffic by IP, User, etc. 

- Why does my Analysis > Content show no data... many items show no data... is that common?

NS: Seeing no data there is good news and what you want :) That widget will display information for hosts that were potentially compromised via a successful attack and/or malware. 

Thank you for rating helpful posts!
