topic Firepower False Positves in Network Security https://community.cisco.com/t5/network-security/firepower-false-positves/m-p/2987689#M43240 <P>Hello,</P> <P></P> <P>We currently have a mix of Linux and Windows servers that are behind our Firepower/ASA devices. &nbsp;We're seeing an uptick in the BASH signatures firing (1:31977 and 1:31978 specifically). &nbsp;The problem is while it is an older rule, we don't want to disable it completely. &nbsp;We would like to be alerted when it fires on a Linux host, but not Windows hosts. &nbsp;Currently it's firing on Windows and Linux and it's creating a bit of a headache.</P> <P></P> <P>I was hoping to get some suggestions on how to proceed. &nbsp;I know I can setup supression or create a new snort variable without the windows host, but I'd like to have the fix with minimal overhead/configuration. &nbsp;</P> <P></P> <P>Thanks for your help.</P> Sun, 10 Mar 2019 13:45:06 GMT croll9898 2019-03-10T13:45:06Z Firepower False Positves https://community.cisco.com/t5/network-security/firepower-false-positves/m-p/2987689#M43240 <P>Hello,</P> <P></P> <P>We currently have a mix of Linux and Windows servers that are behind our Firepower/ASA devices. &nbsp;We're seeing an uptick in the BASH signatures firing (1:31977 and 1:31978 specifically). &nbsp;The problem is while it is an older rule, we don't want to disable it completely. &nbsp;We would like to be alerted when it fires on a Linux host, but not Windows hosts. &nbsp;Currently it's firing on Windows and Linux and it's creating a bit of a headache.</P> <P></P> <P>I was hoping to get some suggestions on how to proceed. &nbsp;I know I can setup supression or create a new snort variable without the windows host, but I'd like to have the fix with minimal overhead/configuration. &nbsp;</P> <P></P> <P>Thanks for your help.</P> Sun, 10 Mar 2019 13:45:06 GMT https://community.cisco.com/t5/network-security/firepower-false-positves/m-p/2987689#M43240 croll9898 2019-03-10T13:45:06Z Can you check the connection https://community.cisco.com/t5/network-security/firepower-false-positves/m-p/2987690#M43241 <P>Can you check the connection events of the intrusion events to see what application id and web application id are identified for those 2 events?</P> <P></P> <P>You can create 2 new rules to include a more specific web application identification, if the windows servers are identified different.</P> <P></P> <P>Or, you can add the windows servers IP addresses into an object and apply a different IPS policy with the rules disabled only on those IP addresses (with a separate ACP rule that matches the object).</P> Wed, 25 Jan 2017 09:31:14 GMT https://community.cisco.com/t5/network-security/firepower-false-positves/m-p/2987690#M43241 Claudiu Cismaru 2017-01-25T09:31:14Z