topic Fushar, in Network Security

How to change preprocessor rules for specific server IP addresses in FireSIGHT?

rweir0001 — Sun, 10 Mar 2019 13:41:02 GMT

I have a Cisco ASA w/FirePOWER using SourceFire module version 5.4.1. The IPS is seeing SFTP traffic and misidentifying it as an SSH_EVENT_RESPOVERFLOW intrusion event because it thinks the packets are trying to exploit a vulnerability in OpenSSH. The inline action is to drop the packets. I want to set it up so that the IPS will not drop these packets when it sees the traffic going to specific servers, but will function normally otherwise. I tried to change the SSH_EVENT_RESPOVERFLOW rule in the Rule Editor but received this message:

This preprocessor rule cannot be modified from the rule editor. If you want to modify this rule, you can change the settings in a Network Analysis policy for this preprocessor.

How can I change the preprocessor rule so that the IPS doesn't drop packets that it misidentifies as SSH_EVENT_RESPOVERFLOW intrusion events for SPECIFIC servers?

I also saw similar issue and

tushar_bangia — Thu, 06 Oct 2016 07:04:45 GMT

I also saw similar issue and since NAP is globally applied hence the only way to do this is to whitelist the scanners in NAP.

Refer attached screenshot for same.

Fushar,

rweir0001 — Thu, 06 Oct 2016 13:23:44 GMT

Tushar,

Cisco ended up confirming for me that there is a bug related to this and they provide me with this link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva18960

They also recommended updating the VDB version in FireSIGHT. As a workaround I did create a Network Access Policy where I disabled the "Challenge-Response Buffer Overflow" pre-processor rule in the Access Control Policy for certain IP addresses. This resolved the issue.