Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
1
Replies

Set of signatures to Block or Deny in IPS

oatinetworksupport
Level 1
Level 1

‎03-06-2006 09:14 AM - edited ‎03-10-2019 01:55 AM

I'm wondering if anyone has a good set of signatures to setup to automatically block/deny. Right now, we have a couple of IPS units, and we have all signatures set to not block.

What I need is a set of signatures that is safe for a service provider to use. We host many websites and FTP sites and want to be sure we don't automatically block any signatures that have a victim port of 80 or 443.

I'm also looking for a way to list all signatures with a severity of 'high', and a victim port not equal to 80 or 443.

Any help would be appreciated.

Thanks,

- Erik

Labels:
0 Helpful
1 Reply 1

normalit
Level 1
Level 1

‎03-09-2006 07:04 AM

One thing you could do is set up Event Action Overrides. This is what I have done:

1) I defined my DMZ space, Internal space and Internet space. I gave all of those variable names.

2) Go into your Target Value Ratings and define your DMZ and Internal space as HIGH. This automatically bumps up the Risk Rating (RR) on signatures as they fire on these items.

2a) I defined my firewall as Medium rating, just due to the fact that any traffic to it will be blocked easily enough.

3) Go in to your Event Action Overrides and set certain actions dependent on Risk Rating. I have DENY ATTACKER INLINE set to RR 100 and DENY CONNECTION INLINE set to RR 90-99. As well as a few others, logging attacker/victim pairs, reseting TCP connections and producing verbose alerts.

4) This step is important. In order to ensure that your IDS will not do a "service block", in that it will not block your webservers if it detects them as being 'attackers', go into Event Action Filter. For all signature ranges, with attacker address of the DMZ and Internal address space you gave earlier, click "Deny attacker inline". This will REMOVE those actions from firing on your selection criteria, and ensure you're not going to accidentally shut off services. You will also want to do this for the Firewall IP address if you are doing Hide NATting behind it, otherwise you will kill your internal clients internet connectivity.

That's pretty much the best way I could come up with to do some automatical intrusion prevention, while not shooting myself in the foot. It's all about those Event Action Rules and risk ratings. Tweaking the individual signatures themselves is extremely daunting, plus they would just get changed back with each new release.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card