I have an ASA with the SSM IPS module in it. I must be doing something wrong because all of my events are showing my internal addresses as attackers and the external addresses as the victims. We do have Citrix servers that we use and so I am getting a lot of TCP SYN scans coming from those boxes (which makes sense). I guess my question is: is there something like the HOME network on Snort where you can essentially say ignore my internal addresses as attackers? I know that is a little extreme in configuration but I just need to make sure I haven't misconfigured something here. Any help would be greatly appreciated.
Don't worry, you have not misconfigured anything; this is normal. The attackers and victims are assigned based on the signature. If you feel the attack really is in the incoming direction (as opposed to it being a false positive), you can swap attacker and victim IP in the signature settings on a sig-by-sig basis.
Otherwise you can write an Event Action Filter that could prevent alerting on internal hosts being the attackers, but this needs to be done carefully so you don't ignore bad hosts in your network.
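A narrowly scoped Event Action Filter of the kind the reply describes, as an added example that is not part of the original posts. It assumes the default `rules0` event action rules instance; the filter name, the signature ID placeholder and the Citrix server address range are constructed for illustration. Only the alert action is removed, and only for one signature fired by the named hosts, so other signatures still alert on internal attackers.

```text
! Added example (Cisco IPS sensor CLI). <SIG-ID> is a placeholder for the
! ID of the noisy sweep signature as shown in your own event log.
! 10.10.20.11-10.10.20.14 is a constructed range standing in for the
! Citrix servers; do not widen it to the whole internal network.
configure terminal
service event-action-rules rules0
filters insert citrix-syn-sweep begin
signature-id-range <SIG-ID>
attacker-address-range 10.10.20.11-10.10.20.14
actions-to-remove produce-alert
filter-item-status Enabled
stop-on-match False
user-comment "Suppress alert for known Citrix outbound connection bursts"
exit
exit
! Answer yes when prompted to apply the changes.
```

Leaving `victim-address-range` at its default matches any destination; restrict it as well if the Citrix servers only talk to a known set of external addresses.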