05-20-2008 12:50 AM - edited 03-10-2019 04:07 AM
We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.
In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets except the one that we wish to allow deny actions for.
I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather than deny-inline solutions.
Am I correct about this?
Please could someone on the list validate that this is the best practice solution for negating deny-attackers inline.
05-21-2008 09:35 AM
Create 2 event action filters.
The first event action filter will match the signatures and subnets you want to deny on and don't subtract any actions. Make sure you set it to "stop on match".
The next one will match the same signatures but the 0.0.0.0-255.255.255.255 address. Remove the appropriate actions.
The net result is that the first event action filter will apply when it matches and the second when it doesn't.
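The two-filter ordering described in the answer, modelled as an added Python example (not Cisco code, and not from the original thread): an ordered list of event action filters with "stop on match" and "actions to remove" semantics is evaluated against sample events. The signature IDs, the 10.1.1.0/24 subnet and the filter names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

DENY_ACTION = "deny-attacker-victim-pair-inline"
SIGS = {2004, 3050}                        # constructed signature IDs
DENY_SUBNET = ("10.1.1.0", "10.1.1.255")   # constructed subnet where deny is wanted
ANY = ("0.0.0.0", "255.255.255.255")       # the catch-all range from the answer


@dataclass
class EventActionFilter:
    name: str
    signature_ids: set
    attacker_range: tuple          # inclusive (first, last) attacker address
    actions_to_remove: frozenset
    stop_on_match: bool = False

    def matches(self, sig_id, attacker):
        lo, hi = (ipaddress.ip_address(a) for a in self.attacker_range)
        return sig_id in self.signature_ids and lo <= ipaddress.ip_address(attacker) <= hi


def build_filters(stop_on_match=True):
    # Filter 1: the subnet that keeps the deny action; removes nothing, stops on match.
    # Filter 2: everyone else for the same signatures; strips the deny action.
    return [
        EventActionFilter("keep-deny", SIGS, DENY_SUBNET, frozenset(), stop_on_match),
        EventActionFilter("strip-deny", SIGS, ANY, frozenset({DENY_ACTION})),
    ]


def apply_filters(filters, sig_id, attacker, actions):
    remaining = set(actions)
    for f in filters:                      # filters are evaluated in order
        if not f.matches(sig_id, attacker):
            continue
        remaining -= f.actions_to_remove
        if f.stop_on_match:                # later filters are skipped
            break
    return sorted(remaining)


def resulting_actions(sig_id, attacker, stop_on_match=True):
    # Constructed signature default: alert plus the inline deny action.
    defaults = {"produce-alert", DENY_ACTION}
    return apply_filters(build_filters(stop_on_match), sig_id, attacker, defaults)


if __name__ == "__main__":
    for sig, src in [(2004, "10.1.1.7"), (2004, "192.0.2.9"), (4444, "192.0.2.9")]:
        print(sig, src, resulting_actions(sig, src))
```

Setting `stop_on_match=False` on the first filter shows the failure mode: the catch-all filter then also matches the allowed subnet and strips the deny action everywhere.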