There are a number of signatures in the 13xx series which have actions of deny or modify packet inline without a produce alert action. It is possible these are firing (silently).
Have you tried looking at 'sh stat denied-attackers' to see if those IPs are being blocked? Also, you can look at 'sh stat virtual-sensor' in the "SigEvent Preliminary Stage Statistics" & "SigEvent Action Override Stage Statistics" areas. Those will tell you which sigs are firing and which actions are being taken. Watch for "deny-packet-inline" & "deny-attacker-inline" to increment.
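A small script for the counter check described above, added here as an example and not part of the original thread. The two section names come from the post; the counter names and the two captures are constructed approximations of the sensor's "Name = value" layout, so adjust the regex if your output differs.

```python
import re
from typing import Dict, List, Tuple

# Matches one "Name = 123" counter line.
COUNTER_RE = re.compile(r"^\s*(?P<name>[^=]+?)\s*=\s*(?P<value>\d+)\s*$")

# Sections named in the post; any other heading is parsed but ignored in the diff.
WATCHED_SECTIONS = (
    "SigEvent Preliminary Stage Statistics",
    "SigEvent Action Override Stage Statistics",
)

# Constructed captures of 'sh stat virtual-sensor' taken a few minutes apart.
SAMPLE_BEFORE = """Virtual Sensor Statistics
   SigEvent Preliminary Stage Statistics
      Number of Alerts received = 1200
   SigEvent Action Override Stage Statistics
      Number of Alerts received = 1185
      Number of Alerts with deny-packet-inline = 40
      Number of Alerts with deny-attacker-inline = 0
"""
SAMPLE_AFTER = """Virtual Sensor Statistics
   SigEvent Preliminary Stage Statistics
      Number of Alerts received = 1260
   SigEvent Action Override Stage Statistics
      Number of Alerts received = 1240
      Number of Alerts with deny-packet-inline = 47
      Number of Alerts with deny-attacker-inline = 0
"""

def parse_sections(text: str) -> Dict[str, Dict[str, int]]:
    """Group counter lines under the most recent heading line."""
    sections: Dict[str, Dict[str, int]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group("name")] = int(m.group("value"))
        else:
            current = line  # a non-counter line starts a new section
    return sections

def diff_counters(before: str, after: str) -> Dict[Tuple[str, str], int]:
    """Return (section, counter) -> change between captures for watched sections."""
    b, a = parse_sections(before), parse_sections(after)
    return {(s, n): v - b.get(s, {}).get(n, 0)
            for s in WATCHED_SECTIONS for n, v in a.get(s, {}).items()
            if v != b.get(s, {}).get(n, 0)}

def incremented_deny_actions(before: str, after: str) -> List[str]:
    """Names of deny-* counters that grew, i.e. actions the sensor is taking silently."""
    return sorted(n for (_, n), d in diff_counters(before, after).items()
                  if "deny-" in n and d > 0)
```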
I have enabled alert sending for every signature that did something to the traffic, but nothing was triggered that denied any attackers.
I will use the commands you gave to further troubleshoot.
Do you know what could cause a 3737/0 signature with a calculated risk of 95% to result in droppedPacket, deniedFlow, tcpOneWayResetSent when the signature's actions are just alert and VS0 should just drop packets when the risk is above 90%?
You are being hit with the default option of the Event Action Override feature. It adds a 'Deny Packet Inline' action to any signature with a risk of 90-100. Type 'setup' on the sensor, do you see a section like this?
The event action override feature is on. But it should just deny packet inline, not do a tcpOneWayResetSent, or does deny packet inline trigger all of these actions: droppedPacket, deniedFlow, tcpOneWayResetSent?
I added an exception for this rule for any attacker that tries this attack on the ISA IP but it didn't help.
Is 'setup' the right command to view this? I mostly use the IDM and it shows the event action override for risk rating above 90% to drop.