There are many things to think about. I may not cover everything in this message, but I will try to cover some basics.
Is the victim host (192.168.100.1) a Windows machine? If it is, is your IIS server patched so that it will not allow cmd.exe to work? Depending on the answer, you may not have to do anything. You may want to keep the alert to see what this attacker will try to do next, though.
If you want to stop/block the attack:
In your attack detail, you will find the attacker IP (184.108.40.206) and the victim IP address (192.168.100.1). I guess the IPS is located behind a NAT/PAT device.
If you are using inline mode, then you can do various deny inline actions.
If you are using promiscuous mode, you can configure the signature to request a block. You need to set up the router/Cat6k/PIX to apply the ACL/shun. You can always put the shun/ACL in manually as well.
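Manual blocking of the attacker address at the PIX and at the edge router, as an added example that is not part of the original reply. The attacker address is the one from the alert above; the PIX and router prompts, the router interface name GigabitEthernet0/0 and the ACL name IPS-BLOCK are assumptions. Because the IPS sits behind NAT/PAT, the block is placed on the Internet-facing side, where the public source address is still visible:

```cisco
! PIX: shun drops every packet from the source and tears down its
! existing connections until the shun is removed. Shun entries are not
! written to the configuration, so they do not survive a reload.
pixfirewall# shun 184.108.40.206
pixfirewall# show shun
! Remove the block once the investigation is finished:
pixfirewall# no shun 184.108.40.206

! IOS edge router (the 3825 in this setup), inbound on the Internet-facing
! interface. Interface name and ACL name are assumed here.
router(config)# ip access-list extended IPS-BLOCK
router(config-ext-nacl)# deny ip host 184.108.40.206 any log
router(config-ext-nacl)# permit ip any any
router(config-ext-nacl)# exit
router(config)# interface GigabitEthernet0/0
router(config-if)# ip access-group IPS-BLOCK in
```

The `log` keyword on the deny entry gives you a syslog record of further attempts from that source, which is useful if you decide, as suggested above, to keep watching what the attacker tries next. Check `show shun` on the PIX and `show ip access-lists IPS-BLOCK` on the router to confirm the hit counters are incrementing.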
Thanks for your info. I will contact the customer and discuss those things.
Also, I want to know the following about IPS in-line:
1. IPS connected behind the firewall PIX 525 in in-line mode. An interface pair was created and 2 interfaces are made members of the pair. I assigned the pair to the engine. Here I did not do any tuning on the signature configuration. All the sigs are enabled as default. As soon as the IPS is placed in the network in in-line mode it stops the network from going out; when I put it in bypass mode, then it is working. Please could you give the basic config to make the IPS work in in-line mode. The inside network is the one with 3 networks (192.168.100.0, 101.0, 102.0).
The IPS inside interface sits in the 192.168.100.0 network; the other 2 networks are in 2 VLANs of the core switch 4507R. The IPS outside interface is in line with the PIX firewall failover pair. The firewall pair outside connects to the Internet router 3825, to the Internet using ADSL.
I also want to know how to choose the sigs that are only required for the internal networks.
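A minimal inline interface-pair configuration on the sensor CLI (Cisco IPS 5.x/6.x syntax), as an added example that is not part of the original thread. The pair name PAIR1 and the interface names GigabitEthernet0/0 and GigabitEthernet0/1 are assumptions; the `show` commands at the end are the checks to run before taking the sensor out of bypass:

```cisco
sensor# configure terminal
sensor(config)# service interface
! Both physical interfaces must be administratively enabled; a pair whose
! members are disabled passes no traffic and the inside network loses
! its path out, which is what bypass mode masks.
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
! The inline pair: interface1 faces the PIX, interface2 faces the core switch
sensor(config-int)# inline-interfaces PAIR1
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
! auto: pass traffic uninspected only if the analysis engine stops,
! so a sensor fault does not take the network down
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! Attach the pair to the virtual sensor so traffic on it is inspected
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface PAIR1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Verify: the pair should show as inline and the packet counters on both
! members should increase while traffic is flowing
sensor# show interfaces
! Confirm what the default signature set is firing on before tuning it
sensor# show events alert
```

Bring the sensor into inline mode with no deny actions first and watch `show events alert`: an outage on entry to inline mode with all signatures at their defaults usually traces back either to an interface or pair that is not actually passing traffic (visible in `show interfaces`) or to a signature whose default action drops the traffic, which the alert log will name.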