https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183970#M77432 <HTML><HEAD></HEAD><BODY><P>Dear Andy</P><P></P><P>i already told my customer to do that but the customer request is that the IPS appliance should deny the connection to these unknown real IPs but the IPS appliance deny the users totally where they cannot browse internet.</P><P>As i said before the signature action is "deny connection inline" </P><P></P><P>regrads</P></BODY></HTML> Wed, 25 Mar 2009 16:30:14 GMT mohamed_makled 2009-03-25T16:30:14Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183964#M77426 <P>Hi all</P><P></P><P>actually our customer has an AIP-SSM module which is configured in inline mode.some users are appeared as attackers in the IPS event store .</P><P>can i deny any unwanted connection for these users without affecting on the legitimate connections of these users like internet browsing ???</P><P></P><P>i tried to make the signature action to be "deny connection inline" but when the signature fire , the user who has appeared as an attacker is totally blocked and cannot access internet.</P><P></P><P>anyone face this issue ??</P><P>please advice.</P><P></P><P>regards</P><P></P> Sun, 10 Mar 2019 11:34:07 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183964#M77426 mohamed_makled 2019-03-10T11:34:07Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183965#M77427 <HTML><HEAD></HEAD><BODY><P>Hi Mohammed,</P><P></P><P>This requires a bit more information.</P><P></P><P>Are thee users based on the inside network and they are browsing the internet?</P><P></P><P>Can i ask which signatures the IPS is firing?</P><P></P><P>Thanks</P><P></P><P>Andy</P></BODY></HTML> Wed, 25 Mar 2009 14:38:19 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183965#M77427 andrew100 2009-03-25T14:38:19Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183966#M77428 <HTML><HEAD></HEAD><BODY><P>Dear Andy </P><P></P><P>Thanks for your reply.</P><P>the users are in the inside network and they are browsing internet.</P><P>The signatures that is fired by the IPS is:</P><P></P><P>3002 TCP SYN Port sweep </P><P>3010 TCP High Port sweep</P><P></P><P>regards</P><P>Mohamed</P></BODY></HTML> Wed, 25 Mar 2009 15:30:41 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183966#M77428 mohamed_makled 2009-03-25T15:30:41Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183967#M77429 <HTML><HEAD></HEAD><BODY><P>Hi Mohammed,</P><P></P><P>Ok - and so what is the source address of the attacker? Is it the internal hosts? one host or many and where are they trying to scan?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 25 Mar 2009 16:03:02 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183967#M77429 andrew100 2009-03-25T16:03:02Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183968#M77430 <HTML><HEAD></HEAD><BODY><P>Dear Andy</P><P></P><P>The source addresses of the attackers is the internal users (10.3.40.x)and (10.3.50.x) and the victim is a real ip addresses which is unknown </P><P>this signature is fired for some internal users not all.</P><P></P><P>regards</P></BODY></HTML> Wed, 25 Mar 2009 16:20:05 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183968#M77430 mohamed_makled 2009-03-25T16:20:05Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183969#M77431 <HTML><HEAD></HEAD><BODY><P>Hi Mohammed,</P><P></P><P>Have you checked your PC's for Viruses?</P><P></P><P>They should not be scanning random IP Addresses like that?</P><P></P><P>Thanks</P><P></P><P>Andy</P></BODY></HTML> Wed, 25 Mar 2009 16:23:17 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183969#M77431 andrew100 2009-03-25T16:23:17Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183970#M77432 <HTML><HEAD></HEAD><BODY><P>Dear Andy</P><P></P><P>i already told my customer to do that but the customer request is that the IPS appliance should deny the connection to these unknown real IPs but the IPS appliance deny the users totally where they cannot browse internet.</P><P>As i said before the signature action is "deny connection inline" </P><P></P><P>regrads</P></BODY></HTML> Wed, 25 Mar 2009 16:30:14 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183970#M77432 mohamed_makled 2009-03-25T16:30:14Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183971#M77433 <HTML><HEAD></HEAD><BODY><P>Hi Mohammed,</P><P></P><P>Ideally your customer needs to check his machines. The signature can be disabled purely for these hosts, but i wouldn't recommend that as it defeats the point of having the IPS in place.</P><P></P><P>He ideally needs to check his hosts for viruses <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Thanks</P><P></P><P>Andy</P></BODY></HTML> Wed, 25 Mar 2009 16:35:43 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183971#M77433 andrew100 2009-03-25T16:35:43Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183972#M77434 <HTML><HEAD></HEAD><BODY><P>Andy</P><P></P><P>surely , the customer will do that.</P><P>My question is that if the signature action is "deny connection inline" , is that will deny the attacker totally or not???</P><P></P><P>regards</P></BODY></HTML> Wed, 25 Mar 2009 16:48:02 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183972#M77434 mohamed_makled 2009-03-25T16:48:02Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183973#M77435 <HTML><HEAD></HEAD><BODY><P>Hi Mohammed,</P><P></P><P>No, it will deny only the single connection from the host. But the host will then create a new connection and that will then be blocked (if it fires a signature rule). if the connection to the internet is legitimate this will not be blocked as it is a new connection. </P><P></P><P>To block the host completley this will be 'deny attacker inline'.</P><P></P><P>Thanks</P><P></P><P>Andy</P></BODY></HTML> Wed, 25 Mar 2009 16:51:46 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183973#M77435 andrew100 2009-03-25T16:51:46Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183974#M77436 <HTML><HEAD></HEAD><BODY><P>Andy</P><P></P><P>I agree with you regarding that.</P><P>But although the signature action is "deny connection inline" , the internal user (attacker address) is totally denied.</P><P>Do you have any recommendations to know the reason for that??</P><P></P><P>regards</P></BODY></HTML> Wed, 25 Mar 2009 17:08:56 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183974#M77436 mohamed_makled 2009-03-25T17:08:56Z https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183975#M77437 <HTML><HEAD></HEAD><BODY><P>Hi Mohammed.</P><P></P><P>Right now I'm preparing the IPS Exam, and I have read some where that:</P><P></P><P>"deny connection inline" will stop the connection totaly. But if the same user(IP Address) has many "deny connection inline", the IPS will say that there is a problem with this PC, and I'll not lose ressource and time to block each connection, and the the IPS sensor will block the Host.</P><P></P><P>You can tune the Signature to solve this issue, but this will not solve the main problem.</P><P></P><P>But as Andy said, thier is a Sweep attack from these PCs. try to scan them with Anti-Virus, and anti-worm... because they are the source of this issues.</P><P></P><P>Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257" target="_blank">http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257</A></P><P></P><P>I hope this helpful.</P><P></P><P>Best regards</P><P>Reda</P><P><A href="mailto:j.reda7@gmail.com">j.reda7@gmail.com</A></P><P></P><P></P><P></P><P></P></BODY></HTML> Thu, 26 Mar 2009 08:48:35 GMT https://community.cisco.com/t5/network-security/customizing-signatures-question-on-aip-ssm/m-p/1183975#M77437 rjaaouan 2009-03-26T08:48:35Z