topic Re: Firepower IPS in Network Security

Firepower IPS

ccna_security — Tue, 26 Feb 2019 08:07:58 GMT

Hi. I recently set IPS on firepower but portscan detection catche traffic from Domain controller to host device that is used to watch cameras. I dont understand what kind of traffic is it to trigger protscan detection. What could be send from domain controller to hosts that trigger portscan rule.? Moreover i observed that the traffic destined to port 135. but again i didnt understand which traffic uses 135 that cause this issue. please help me as sson as possible. thanks in advance

Re: Firepower IPS

Abheesh Kumar — Tue, 26 Feb 2019 09:57:32 GMT

Hi, You need to specify correct variable set to detect the network in you environment. You need to specify Home_Net & External_Net.

Re: Firepower IPS

ccna_security — Tue, 26 Feb 2019 10:02:14 GMT

hi. i have already specified my private network on variable set. Firepower is internal and i added only private ranges that i use into variable set. i use 172.16.0.0 192.168.0.0 private range. But server on 172.16.0.1(for example) request 192.168.10.1 host. Portscan then detect as if there is anomaly occurs.

Re: Firepower IPS

Sheraz.Salim — Wed, 27 Feb 2019 11:53:13 GMT

it could be a false positive. you can change the rules going into a snort rule and change according to your requirements.