1983 Views, 0 Helpful, 7 Replies

Exclude hosts from IDS?

ericb_summit
Level 1

Hi,

I have an ASA5520 with AIP-SSM module.  I inspect in promiscuous mode.  Security vulnerability scans create tons of alerts in the IDS system.  I'd like to exclude certain IP addresses from the IDS. I tried to modify the inspection policy in ASDM but according to packet trace the packets still go through the IDS. 

What's the easiest way to do this?

Thanks

7 Replies

edadios
Cisco Employee

Does the IPS actually still generate alerts for the host, though the class-map has been modified for the specific host traffic not to be sent to the AIP?

Check the packet tracer output, as you may have misread it.

These are sample outputs:

1) If the ACL sends traffic for the AIP

Phase: 3
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd82d6258, priority=50, domain=ids, deny=false

###### Notice how it says DENY=FALSE >> so send to IPS #####

2) If the ACL does not send traffic to the AIP

Phase: 3
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd82d8528, priority=50, domain=ids, deny=true

##### Notice how it says DENY=TRUE >> so do not send to IDS #####

Another way of accomplishing this is to create an event action filter on the AIP itself.

Here is the documentation for it.

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2034816

Regards,

What packet tracer are you using? I don't see this info in ASDM:

"Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd82d6258, priority=50, domain=ids, deny=false"

I am looking at the Service Policy Rules..

The first one is "outside-policy" for "outside-class". In there  I have 2 acl.

First one is "do not match" from the netblock I don't want to inspect to any, with rule action ips.

Second one is "match" any any, with rule action ips.

Does this look right?

Second one is "global_policy" "inspection_default", and that has default-inspections with 13 inspect actions.

I hope this means that in addition to IPS, the inspect actions are also run for traffic coming in?

Thanks.

Let's say you want to exclude ip address 192.168.1.2 from being  scanned. Here is a sample config.

access-list aip-acl extended deny ip host 192.168.1.2 any
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
policy-map global_policy
 class aip-class
  ips inline fail-open
service-policy global_policy global

I hope it is clear now.

PK
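The class-map above selects traffic by the first matching line of aip-acl: a permit line puts the flow in the class (so it is sent to the module), a deny line keeps it out, and the implicit deny at the end keeps out anything unmatched. The ASDM "do not match" entry described earlier is the same thing as a deny line. The added example below (my own code, not from this thread or from Cisco) parses that style of ACL and evaluates a flow against it in first-match order, so you can check which source/destination pairs still hit the IPS class before running packet-tracer on the box. The 10.20.0.0/24 netblock is a constructed second exclusion; 192.168.1.2 is the host from the config above.

```python
import ipaddress

# Constructed ACL in the form of the config posted above, with one host
# exclusion (from the thread) and one made-up netblock exclusion added.
CONFIG = """\
access-list aip-acl extended deny ip host 192.168.1.2 any
access-list aip-acl extended deny ip 10.20.0.0 255.255.255.0 any
access-list aip-acl extended permit ip any any
class-map aip-class
 match access-list aip-acl
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs use a subnet mask here (not an IOS-style wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config, name):
    """Return [(action, protocol, src_net, dst_net), ...] for the named ACL,
    in configuration order (which is the match order)."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        # access-list NAME extended ACTION PROTO SRC... DST...
        if len(tokens) < 7 or tokens[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tokens[3], tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip, proto="ip"):
    """Action of the first ACL line the flow matches; implicit deny if none."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in entries:
        if p != "ip" and p != proto:
            continue
        if s in src and d in dst:
            return action
    return "deny"


def sent_to_ips(config, acl_name, src_ip, dst_ip, proto="ip"):
    """True when the flow lands in the class (permit), i.e. is handed to the module."""
    return first_match(parse_acl(config, acl_name), src_ip, dst_ip, proto) == "permit"


if __name__ == "__main__":
    for src, dst in (("192.168.1.2", "8.8.8.8"), ("192.168.1.3", "8.8.8.8"),
                     ("10.20.0.7", "8.8.8.8"), ("8.8.8.8", "192.168.1.2")):
        print(src, "->", dst, "sent to IPS:", sent_to_ips(CONFIG, "aip-acl", src, dst))
```

Note the last case: the deny lines only key on the source address, so a connection initiated from elsewhere toward the excluded host (source 8.8.8.8, destination 192.168.1.2) still matches permit ip any any and is sent to the module. That is exactly the "flow you have not simulated" situation mentioned later in this thread; if both directions should be excluded, the ACL needs a matching deny ip any host 192.168.1.2 line as well, and it is worth running the same check with the source and destination swapped.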

Since you are seeing deny=false in the IPS forwarding portion, that means it is still forwarded to the IPS, and you probably still have some configuration that forwards the traffic to the IPS for the network you did not want inspected.

Please either try to configure as provided by PK previously, or otherwise provide the service policies (global and interface), class-map, and related access-list you have (CLI commands I mean).

I was doing packet tracer through the CLI.

Thanks,

OK cool, check this out:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcccb4b60, priority=51, domain=ids, deny=true
        hits=0, user_data=0xd07618d8, cs_id=0x0, flags=0x0, protocol=0
        src ip=216.35.7.96, mask=255.255.255.224, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

So, that means it bypasses the sensor? Because I'm still getting lots of events with source IPs that show deny=true....
Thanks

That is right.

I am also suggesting the command "sh service-policy flow tcp host host eq 80" to see if you are hitting the policy for the IPS. You should not.

I hope it helps.

PK

Can you please provide the configuration you have for service policy, policy map, class map, and access-list for the traffic redirection to IPS.

The packet tracer tool's simulation requires you to specify the input interface, and maybe there is a flow that you have not simulated where the source IP may still be directed to the IPS device.

Regards,
