negating deny-attacker inline best practice

darin.marais
Level 4

We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.

In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets except the one that we wish to allow deny actions for.

I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather than deny-inline solutions.

Am I correct about this?

Please could someone on the list validate that this is the best practice solution for negating deny-attackers inline.

Accepted Solutions

mhellman
Level 7

Create 2 event action filters.

The first event action filter will match the signatures and subnets you want to deny on; don't subtract any actions. Make sure you set it to "stop on match".

The next one will match the same signatures but the 0.0.0.0-255.255.255.255 address. Remove the appropriate actions.

The net result is that the first event action filter will apply when it matches and the second when it doesn't.
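The two-filter arrangement described in the answer above depends on ordered evaluation and "stop on match". The following Python model is an added illustration, not code from the original post or from the Cisco IPS software: it walks an ordered list of filters, subtracts each matching filter's actions-to-remove, and stops when a matching filter has stop_on_match set. The signature IDs, the 10.10.20.0/24 subnet and the action names other than deny-attacker-victim-pair-inline are constructed sample values; the field names (signature_ids, attacker_range, actions_to_remove, stop_on_match) are assumptions chosen to mirror the filter settings discussed, not the sensor's real configuration keys.

```python
"""Model of ordered IPS event action filters with stop-on-match semantics."""
import ipaddress
from dataclasses import dataclass

# Assumed model of the sensor's filter walk (not the product's own code):
# filters are evaluated in order; each matching filter subtracts its
# actions-to-remove; a matching filter with stop_on_match ends the walk.


@dataclass(frozen=True)
class EventActionFilter:
    name: str
    signature_ids: frozenset        # signature IDs this filter covers
    attacker_range: tuple           # (low, high) IPv4 addresses, inclusive
    actions_to_remove: frozenset    # actions subtracted when the filter matches
    stop_on_match: bool = False


def _in_range(addr: str, rng: tuple) -> bool:
    lo, hi = (int(ipaddress.ip_address(a)) for a in rng)
    return lo <= int(ipaddress.ip_address(addr)) <= hi


def apply_filters(filters, sig_id, attacker, actions):
    """Return the set of actions left after the ordered filter walk."""
    remaining = set(actions)
    for f in filters:
        if sig_id in f.signature_ids and _in_range(attacker, f.attacker_range):
            remaining -= f.actions_to_remove
            if f.stop_on_match:
                break
    return remaining


# Constructed sample values.
SIGS = frozenset({"2100", "2101"})                     # signatures we care about
DENY = "deny-attacker-victim-pair-inline"
ALERT = "produce-alert"
DEFAULT_ACTIONS = frozenset({ALERT, DENY})             # actions the signatures fire with
ALLOW_DENY_SUBNET = ("10.10.20.0", "10.10.20.255")     # the one subnet that keeps deny
ANY = ("0.0.0.0", "255.255.255.255")                   # everyone else


def build_filters(stop_on_match=True):
    """First filter: matching subnet, subtracts nothing, stops the walk.
    Second filter: any address, subtracts the inline deny action."""
    first = EventActionFilter("allow-deny-subnet", SIGS, ALLOW_DENY_SUBNET,
                              frozenset(), stop_on_match)
    second = EventActionFilter("negate-deny-everywhere", SIGS, ANY,
                               frozenset({DENY}))
    return [first, second]


def actions_for(attacker, sig_id="2100", stop_on_match=True):
    """Actions the sensor would keep for one event from `attacker`."""
    return apply_filters(build_filters(stop_on_match), sig_id, attacker,
                         DEFAULT_ACTIONS)


if __name__ == "__main__":
    for host in ("10.10.20.7", "192.0.2.50"):
        print(host, sorted(actions_for(host)))
    # Without stop-on-match the second filter also matches the allowed
    # subnet and strips the deny action from every source.
    print("no stop-on-match:", sorted(actions_for("10.10.20.7", stop_on_match=False)))
```

Running it shows the net result the answer describes: a source inside 10.10.20.0/24 keeps deny-attacker-victim-pair-inline, any other source keeps only the alert, and if the first filter is saved without "stop on match" the catch-all filter strips the deny action from the allowed subnet as well.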


