I have always thought that if I put a network in the "Protected Network" list that this meant the sensor would only care about these addresses. If this is the case then why does my sensor still report events from/to IPs not in this list. If it does not work this way then how does the concept of a "Protected Network" work?
The Protected Network is used to tag the addresses in an alarm with a keyword.
Addresses in the Protected Network are tagged with the word IN, while any other address is tagged with the word OUT.
This helps when looking at alarms to determine whether you are being attacked, or if your internal network is being used to attack someone else's network.
The sensor, however, will monitor all traffic, so it is easy to get running without even having to configure your Protected Networks. (Everything would be reported as OUT source and OUT destination).
To get what you are looking for the IN and OUT keywords can also be used to filter out alarms.
If you are not interested in alarms between IPs that are not in your Protected Network then you can exclude all alarms between two OUT addresses:
RecordOfExcludedPattern * * OUT OUT
(This can be created in nrConfigure for the Unix Director, or added in the Epilogue field in CSPM)
You could also do the following:
RecordOfExcludedPattern * * IN IN (To not look at alarms between your own machines)
RecordOfExcludedPattern * * IN OUT (To not look at alarms originating within your network)
NOTE: RecordOfExcludedPattern is also used by the Advanced Filter Tab in CSPM, but the Advanced Filter tab does not have the ability to exclude all signatures with a single entry. So that is why the RecordOfExcludedPattern line with a "*" for the signature field is best entered in the Prologue field.
For more information on RecordOfExcludedPattern refer to:
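As an added illustration (not code from the thread or from the IDS product itself), here is a small Python model of the IN/OUT tagging and RecordOfExcludedPattern matching the answer above describes, including why a "* * OUT OUT" line drops every alarm when no address falls inside a Protected Network. The protected networks, the sample alarms, and the reading of the four pattern fields as signature, subsignature, source tag, destination tag are assumptions made for the example.

```python
import ipaddress

# Constructed protected-network list, in the "network/prefixlen" form the
# thread says nrConfigure writes for RecordOfInternalAddress.
PROTECTED_NETWORKS = ["10.0.0.0/16", "192.168.1.0/24"]

# Constructed exclusion rules. Field order is assumed to be:
# signature, subsignature, source tag, destination tag ("*" matches anything).
EXCLUDED_PATTERNS = ["* * OUT OUT"]

# Constructed alarms as (signature, subsignature, source IP, destination IP).
SAMPLE_ALARMS = [
    (3030, 0, "203.0.113.5", "10.0.4.7"),      # outside -> inside   (OUT IN)
    (2004, 0, "10.0.1.1", "10.0.1.2"),         # inside -> inside    (IN IN)
    (1000, 0, "198.51.100.9", "203.0.113.7"),  # outside -> outside  (OUT OUT)
]


def tag_address(addr, protected=PROTECTED_NETWORKS):
    """Tag an address IN if it lies in any protected network, else OUT."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(n, strict=False) for n in protected]
    return "IN" if any(ip in n for n in nets) else "OUT"


def _field_matches(pattern, value):
    return pattern == "*" or pattern == value


def is_excluded(sig, subsig, src, dst, patterns=EXCLUDED_PATTERNS,
                protected=PROTECTED_NETWORKS):
    """True when the alarm matches any RecordOfExcludedPattern line."""
    src_tag = tag_address(src, protected)
    dst_tag = tag_address(dst, protected)
    for line in patterns:
        p_sig, p_sub, p_src, p_dst = line.split()
        if (_field_matches(p_sig, str(sig)) and _field_matches(p_sub, str(subsig))
                and _field_matches(p_src, src_tag) and _field_matches(p_dst, dst_tag)):
            return True
    return False


def suppressed_fraction(alarms, patterns, protected):
    """Fraction of alarms a configuration drops; 1.0 means the sensor would
    appear to report nothing, which is what an empty protected list causes."""
    dropped = sum(is_excluded(*a, patterns=patterns, protected=protected)
                  for a in alarms)
    return dropped / len(alarms)
```

Running `suppressed_fraction(SAMPLE_ALARMS, ["* * OUT OUT"], [])` returns 1.0, so a quick check when the sensor goes silent is to confirm the RecordOfInternalAddress entries actually cover the addresses you expect to be tagged IN.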
I implemented your suggestion for excluding events from all outside addresses, i.e. RecordOfExcludedPattern * * OUT OUT. However I have a concern that now the sensor is not reporting anything. What is the format of the address/netmask for the RecordOfInternalAddress in the packetd.conf file? Is the netmask the standard netmask or is there some other interpretation by the IDS software?
I'm trying to use a network of 123.456.0.0 with a mask of 255.255.0.0. nrConfigure puts it in as RecordOfInternalAddress 123.456.0.0/16 which seems correct to me. You can have more than 1 RecordOfInternalAddress right? I have several networks defined. So why when I turn on my OUT OUT filter does the sensor stop reporting events even though without it I see many IN OUT and OUT IN events in the log. This is becoming a real problem for my customer.