Actually, our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing???
I tried to make the signature action "deny connection inline", but when the signature fires, the user who has appeared as an attacker is totally blocked and cannot access the internet.
Anyone faced this issue??
This requires a bit more information.
Are these users based on the inside network and are they browsing the internet?
Can I ask which signatures the IPS is firing?
Thanks for your reply.
The users are in the inside network and they are browsing the internet.
The signatures that are fired by the IPS are:
3002 TCP SYN Port sweep
3010 TCP High Port sweep
OK - and so what is the source address of the attacker? Is it the internal hosts? One host or many, and where are they trying to scan?
The source addresses of the attackers are the internal users (10.3.40.x) and (10.3.50.x), and the victims are real IP addresses which are unknown.
This signature is fired for some internal users, not all.
Have you checked your PCs for viruses?
They should not be scanning random IP addresses like that?
I already told my customer to do that, but the customer's request is that the IPS appliance should deny the connection to these unknown real IPs, but the IPS appliance denies the users totally, so they cannot browse the internet.
As I said before, the signature action is "deny connection inline".
Ideally your customer needs to check his machines. The signature can be disabled purely for these hosts, but I wouldn't recommend that as it defeats the point of having the IPS in place.
He ideally needs to check his hosts for viruses :-)
Surely, the customer will do that.
My question is: if the signature action is "deny connection inline", will that deny the attacker totally or not???
No, it will deny only the single connection from the host. But the host will then create a new connection and that will then be blocked (if it fires a signature rule). If the connection to the internet is legitimate this will not be blocked, as it is a new connection.
To block the host completely, this will be 'deny attacker inline'.
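To make the distinction in this answer concrete, here is an added Python model (not Cisco code and not from this thread) of the two inline actions applied to a constructed list of connections; the sweep threshold, the outside addresses and the port-counting rule are assumptions, not the real signature 3002 logic.

```python
from collections import defaultdict

# Constructed threshold: distinct destination ports from one source to one
# destination before the (modelled) port-sweep signature fires.
SWEEP_THRESHOLD = 5

ALLOWED = "allowed"
DENIED_FLOW = "denied (signature fired on this connection)"
DENIED_ATTACKER = "denied (source host blocked)"

def enforce(flows, action):
    """Apply one inline event action to a sequence of new connections.

    flows:  iterable of (src_ip, dst_ip, dst_port, label) tuples, in order.
    action: "deny-connection-inline" drops only the connection that fired;
            "deny-attacker-inline" also drops every later connection from src.
    Returns a list of (label, verdict) pairs.
    """
    ports_seen = defaultdict(set)   # (src, dst) -> distinct dst ports seen
    blocked_sources = set()
    verdicts = []
    for src, dst, dport, label in flows:
        if src in blocked_sources:
            verdicts.append((label, DENIED_ATTACKER))
            continue
        ports_seen[(src, dst)].add(dport)
        if len(ports_seen[(src, dst)]) >= SWEEP_THRESHOLD:
            # Signature fires on this connection: it is dropped under both actions.
            if action == "deny-attacker-inline":
                blocked_sources.add(src)
            verdicts.append((label, DENIED_FLOW))
        else:
            verdicts.append((label, ALLOWED))
    return verdicts

# Constructed sample: one inside host sweeps six ports on an outside address,
# then both it and a clean neighbour open an ordinary HTTP connection.
SAMPLE_FLOWS = [("10.3.40.7", "203.0.113.5", p, f"sweep-{p}") for p in range(1, 7)]
SAMPLE_FLOWS += [("10.3.40.7", "198.51.100.10", 80, "browse"),
                 ("10.3.40.8", "198.51.100.10", 80, "neighbour-browse")]

if __name__ == "__main__":
    for action in ("deny-connection-inline", "deny-attacker-inline"):
        print(action)
        for label, verdict in enforce(SAMPLE_FLOWS, action):
            print(f"  {label:18} {verdict}")
```

Under deny-connection-inline the sweeping host's later "browse" connection is still allowed; under deny-attacker-inline it is dropped along with everything else from that source, which is the behaviour the original poster is seeing.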
I agree with you regarding that.
But although the signature action is "deny connection inline", the internal user (attacker address) is totally denied.
Do you have any recommendations to know the reason for that??
Right now I'm preparing for the IPS exam, and I have read somewhere that:
"deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline", the IPS will say that there is a problem with this PC, and I'll not lose resources and time to block each connection, and the IPS sensor will block the host.
You can tune the Signature to solve this issue, but this will not solve the main problem.
But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm... because they are the source of these issues.
Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
I hope this is helpful.