IPS-SSM Module for 5585 - Configuration Assistance
We have this set up in a standard topology (Internet > ISP Router > ASA/IDS > Internet Switch).
We are a University.
SSM has been operational for about 4 weeks now.
Was getting LOTS of "worm" events based on no SYN response (tons of 'em), with the attacker IP being listed as nearly every one of our internal IPs and the victim IP as being 0.0.0.0.
I originally had the illegal zone enabled with the default service subnet listed as 0.0.0.0.
I originally had the external zone enabled (which I believe was the default).
As every machine we tracked down in the original configuration showed no signs of malware, I began to think false positive or configuration problem or both.
Today I disabled both the illegal zone and the external zone checkboxes, and all of that "worm" activity has gone away. I am still seeing the occasional hit from an outside source to various boxes on the inside (OpenSSL or malformed TLS, usually).
So the questions are:
Can someone explain what the effect of enabling/disabling the illegal and external zones is, or possibly send me a sanitized version of the config set up in a similar scenario?
Hope all of this makes sense, as I think I just know enough IDS to be dangerous.
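Added example, not part of the original post: a small triage script for the symptom described above (many internal hosts reported as "attacker" with victim 0.0.0.0). It assumes the alert records can be reduced to (signature, attacker, victim) tuples and that a victim of 0.0.0.0 marks an anomaly-detection scanner alert rather than a per-flow signature hit; the sample alerts and the internal address range are constructed for the example. The idea is to separate the two alert kinds and check whether an implausibly large share of known internal hosts is flagged as scanners at once, which points at a zone/learning configuration problem rather than a campus-wide worm.

```python
import ipaddress
from collections import Counter

# Constructed sample alerts (not real sensor output). The record shape
# (signature, attacker, victim) is an assumption made for this example.
SAMPLE_ALERTS = [
    ("TCP Scanner", "10.10.1.5", "0.0.0.0"),
    ("TCP Scanner", "10.10.1.6", "0.0.0.0"),
    ("TCP Scanner", "10.10.2.9", "0.0.0.0"),
    ("TCP Scanner", "10.10.2.9", "0.0.0.0"),
    ("TCP Scanner", "10.10.3.40", "0.0.0.0"),
    ("OpenSSL Malformed TLS", "203.0.113.7", "10.10.2.9"),
    ("TCP Scanner", "198.51.100.23", "0.0.0.0"),
]

# Assumed campus range; replace with the real internal prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def is_internal(ip_str, nets=INTERNAL_NETS):
    """True if the address falls inside one of the internal prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in n for n in nets)


def triage(alerts, nets=INTERNAL_NETS):
    """Split alerts into scanner alerts (victim 0.0.0.0, one per scanning
    host) and per-flow signature alerts, and sort the scanners by side."""
    scanner_hits = Counter()
    flow_alerts = []
    for sig, attacker, victim in alerts:
        if victim == "0.0.0.0":
            scanner_hits[attacker] += 1
        else:
            flow_alerts.append((sig, attacker, victim))
    internal = sorted(a for a in scanner_hits if is_internal(a, nets))
    external = sorted(a for a in scanner_hits if not is_internal(a, nets))
    return {
        "internal_scanners": internal,
        "external_scanners": external,
        "scanner_hits": dict(scanner_hits),
        "flow_alerts": flow_alerts,
    }


def looks_like_zone_misconfig(result, known_internal_hosts, threshold=0.5):
    """Heuristic: if more than `threshold` of the known internal hosts are
    reported as scanners at the same time, suspect the anomaly-detection
    zone or learning configuration before suspecting a worm outbreak."""
    if not known_internal_hosts:
        return False
    flagged = set(result["internal_scanners"]) & set(known_internal_hosts)
    return len(flagged) / len(known_internal_hosts) > threshold


if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS)
    print("internal scanners:", r["internal_scanners"])
    print("external scanners:", r["external_scanners"])
    print("per-flow alerts  :", r["flow_alerts"])
    hosts = ["10.10.1.5", "10.10.1.6", "10.10.2.9", "10.10.3.40", "10.10.5.1"]
    print("zone misconfig suspected:", looks_like_zone_misconfig(r, hosts))
```

The per-flow alerts (the OpenSSL/malformed TLS hits from outside) are kept separate on purpose: those are ordinary signature matches with a real victim address and should be handled on their own merits, not dismissed together with the anomaly-detection noise.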
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...