topic Hi, in Network Security

Turn off rule for specific IP address

JonPBerbee — Sat, 21 Nov 2015 01:19:02 GMT

Hello everyone.

I am looking for a way to turn off a rule for one specific source IP address. I have a customer whose Symantec Proxy server is triggering the "MALWARE-CNC Win.Trojan.Cidox variant outbound connection" rule on trafffic bound for Symantec. Due to the base IPS policy this traffic is being dropped by the FirePOWER sensor. I don't want to disable the rule I just want to stop it from dropping traffic when the source IP is the Symantec Proxy server IP.

Would Event Thresholding help me accomplish this or should I do something like Rate-Based to disable the rule when the source IP belongs to the Symantec Proxy server?

Thanks in advance for any help you can give me.

Jon.

Hi,

Aastha Bhardwaj — Sat, 21 Nov 2015 13:31:19 GMT

Hi,

The best way would be to create a TRUST rule for the source ip as Symantec Proxy server.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thank you Aastha, I had

JonPBerbee — Mon, 23 Nov 2015 02:22:33 GMT

Thank you Aastha, I had considered that option as well but was hoping there was a way to turn the rule off for one specific IP. I'll probably go the trust route since it seems like the best way for this specific traffic. Thanks again!

Hi Jon,

ed.sherratt — Fri, 18 Dec 2015 09:48:52 GMT

Hi Jon,

I've done the following for systems that generate false positives for single rules, but I don't trust completely so still want the rest of the rules to apply.

Firstly edit the rule to create a new Local rule that excludes the IP, in this example it'll be something like "MALWARE-CNC Win.Trojan.Cidox variant outbound connection exclude proxy"

the edit will look like the attached pic,assume the proxy IP is 10.10.10.10 in this example, so you exclude the source using !10.10.10.10. nothing else changes

Save this as a new rule which will create a Local rule if you've not done any before this will have the SID 1:1000001:1

Edit your policy enabling the new local rule and disabling the original SID, add a comment to both rules for future reference

Deploy

All done, the new rule will fire on all IPs except this one, and all other rules will still apply to the proxy.

You do need to be aware that SEU changes will not alter the local rule, so you'll need to periodically check in case the detection is updated.

Regards,
Ed

We did similar things.

shawn_e_currin — Fri, 18 Mar 2016 14:39:20 GMT

We did similar things.

First copy the rule.

Use the ip you want the rule not to trigger on in the source or dest.

Change the action to trust.

Custom rules trigger first and act like a ACL. if you match a custom rule of trust you will never hit the SF rule that is below it.

End result meaning the rule is white listed for the specific IP. The normal rule is still active and updated by SF for all other devices. you no longer need to check it unless you see something triggering again. At that time update the rule.

Hope this helps

Shawn