Cisco Support Community

New Member

CSA 4.0.3 Exempt certain IPs from being detected as source of port scanning

We have an in-house vulnerability scanner that regularly does port scans and we don't want to see events when the source IP is from the vulnerability scanner.

We tried a network access rule but it does not work.

1) Network Shim is enabled

2) Network shield rule with Port scan detection is enabled.

3) Global correlation for scans is set to 100 within 60 minutes.

Basically we want to keep detecting port scans except scans from a specific IP.

5 REPLIES
Blue

Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

Doesn't work in 4.0.X although I've wanted it for years. 4.5x and 5.x are supposed to have a way to add trusted addresses to the exclusion list for the network shield rule but I haven't tried it yet (or have I ???).

Tom S

New Member

Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

Thanks Tom

You are right. It does not work in 4.0.x

Here is TAC response for later versions:

"It is possible to do this by changing the field "Communicating with host addresses" in the network shield rule. There are 2 ways to do this.

1. Create an exception rule. The exception rule is of type 'Network Shield Rule'. Make its action 'permit'. Click Port Scan Detection to enable it. Include the ip address of the port scanner device in "Communicating with host addresses".

or

2. Modify the original Network Shield Rule (the one with the deny action). Next to "Communicating with host addresses", click 'Insert Network Address Set', and click 'New'. In the new window, name the network address set. Leave the "Address ranges matching" to and change "but not:" to the ip address of the port scanner. Then click 'save'. Make sure that the Network Shield rule now contains your Network address set under "Communicating with host addresses".

We typically recommend using method 1 because it prevents you from having to modify the default rule set. But pick the method that works best for your configuration."

I have to find a way without upgrading.
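The address-set logic the TAC reply describes (match all hosts "but not" the scanner's IP) can be modelled outside the product to see why the scanner's probes stop generating port-scan events while every other source is still counted. The script below is an added example, not code from this thread or from Cisco: the log line format, the port threshold, the time window and all IP addresses are constructed assumptions, and it generalizes the single-IP exclusion to arbitrary include/exclude CIDR sets.

```python
"""Added example (not from the thread or from Cisco): a minimal port-scan
correlator whose allow list mirrors the "Communicating with host addresses"
address set from the TAC reply: 'Address ranges matching' everything,
'but not' the in-house vulnerability scanner. Probes from the excluded
address are never counted toward the scan threshold; all others still are.
All log lines and addresses below are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning: flag a source once it touches this many distinct
# destination ports inside the window. The thread's "100 within 60 minutes"
# is a global-correlation setting; these numbers are illustrative only.
THRESHOLD_PORTS = 5
WINDOW = timedelta(minutes=60)


class AddressSet:
    """Network address set: 'Address ranges matching' minus 'but not'."""

    def __init__(self, matching, but_not=()):
        self.matching = [ipaddress.ip_network(n) for n in matching]
        self.but_not = [ipaddress.ip_network(n) for n in but_not]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        included = any(addr in net for net in self.matching)
        excluded = any(addr in net for net in self.but_not)
        return included and not excluded


def parse_event(line):
    """Constructed format: '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <verdict>'."""
    ts, src, _, dst, verdict = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst_ip, "port": int(dst_port), "verdict": verdict}


def detect_port_scans(lines, monitored, threshold=THRESHOLD_PORTS, window=WINDOW):
    """Return sorted (source_ip, first_seen) pairs for sources that crossed the
    distinct-port threshold within the window. Sources that do not match the
    `monitored` address set (the 'but not' scanner) are skipped entirely."""
    history = defaultdict(list)   # src -> [(ts, port), ...] within window
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if not monitored.contains(ev["src"]):
            continue              # excluded address: do not count its probes
        cutoff = ev["ts"] - window
        kept = [(t, p) for t, p in history[ev["src"]] if t >= cutoff]
        kept.append((ev["ts"], ev["port"]))
        history[ev["src"]] = kept
        if len({p for _, p in kept}) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = kept[0][0]
    return sorted(flagged.items())


# Constructed sample log: the scanner (10.0.0.5) sweeps ten ports, an
# unknown host (192.168.7.9) sweeps six, and a workstation touches two.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{i:02d} 10.0.0.5 -> 10.0.1.20:{port} deny"
     for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])]
    + [f"2024-01-01T10:05:{i:02d} 192.168.7.9 -> 10.0.1.20:{port} deny"
       for i, port in enumerate([22, 23, 80, 443, 3389, 8080])]
    + ["2024-01-01T10:07:00 10.0.1.30 -> 10.0.1.20:445 permit",
       "2024-01-01T10:07:05 10.0.1.30 -> 10.0.1.20:139 permit"]
)

# Method 2 from the TAC reply: everything, but not the scanner.
WITH_EXCLUSION = AddressSet(["0.0.0.0/0"], but_not=["10.0.0.5/32"])
# The default rule: everything is monitored.
NO_EXCLUSION = AddressSet(["0.0.0.0/0"])


def flagged_sources(monitored):
    """Convenience wrapper returning only the flagged source IPs."""
    return [src for src, _ in detect_port_scans(SAMPLE_LOG, monitored)]


if __name__ == "__main__":
    print("default rule :", flagged_sources(NO_EXCLUSION))
    print("with but-not :", flagged_sources(WITH_EXCLUSION))
```

With the exclusion in place only `192.168.7.9` is reported; without it the scanner shows up too, which is exactly the noise the original post wants to suppress. Method 1 from the reply (a higher-priority 'permit' exception rule for the scanner) produces the same outcome by a different route; the model above mirrors method 2 because the include/exclude set maps directly onto code.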

Blue

Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

You might raise the threshold for portscans in the rule if you wanted to.

You could also try and get them to spread the scans out so they don't cross the threshold if it's really bothersome.

Tom S

New Member

Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

I think you are referring to Pingscan in the Global Event Correlation not the port scan.

Blue

Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

You are right, my bad...

That's where I set the threshold to get rid of pingscan messages.

I guess I've learned to tune the portscans out or filter my event view.

Tom S
