Solved: Re: Firepower IPS

ccna_security · ‎01-30-2019

Kindly ask you to help me.

Well, we deployed IPS on firepower and created network analysis policy to block nmap scanner. When a computer begin scanning another computer firepower blocks it and generate event. It is ok. But yesterday i saw that TFTP traffic cause portscan detection to block the traffic. I mean, one of branch router interface send some traffic to tftp server daily but i don't understand that why ips sees it as malicious traffic. it founds that as if that traffic is generated some network scanning tool. hope you got what i mean

Sheraz.Salim · ‎02-01-2019

lets say internal ip ranges are 192.168.0.0, 10.0.0.0, 172.16.0.0. I will enter default set variable and find home_net variable and edit by including only ip addresses shown above. Do you think it is enough?

yes is correct, also you need to exclude your ip address from the External_Net

What about direction? lets say one user attempt to enter some web sites(external ip). will ips inspect that connection as well?

if the initiator is from inside it will be a stateful inspection in regards to ASA code. if you IPS rules in place they will kick in with pareelt with NAP

please do not forget to rate.

View solution in original post

Rob Ingram · ‎02-03-2019

Hi,
The variable sets are referenced in the Intrusion Policy, it is used to identify the protected networks (HOME_NET) and unprotected networks (EXTERNAL_NET). Using the variable set in the Intrusion Policy means you don't need to modify the individual snort rules to identify your local networks etc.

Also using the variable sets makes the Snort rules more accurate, improves performance and reduces the probability of false positives.

HTH

View solution in original post

Sheraz.Salim · ‎01-30-2019

There is no easy answer for your question. We do not know what tweaking you did in NAP. I read not long ago in cisco documentiion not to change in setting NAP unless you definitely know how the flow of packet behaves in NAP.

in essence what NAP do is to do the inspection of packet in regards to if packet is malformed, doing decoding, normalization, and preprocessing. in NAP the packet is decorded. according to cisco documentation.

The packet decoder converts packet headers and payloads into a format that can be easily used by the preprocessors and later, intrusion rules. Each layer of the TCP/IP stack is decoded in turn, beginning with the data link layer and continuing through the network and transport layers. The packet decoder also detects various anomalous behaviors in packet headers.
In inline deployments, the inline normalization preprocessor reformats (normalizes) traffic to minimize the chances of attackers evading detection. It prepares packets for examination by other preprocessors and intrusion rules, and helps ensure that the packets the system processes are the same as the packets received by the hosts on your network.
Various network and transport layers preprocessors detect attacks that exploit IP fragmentation, perform checksum validation, and perform TCP and UDP session preprocessing.
Various application-layer protocol decoders normalize specific types of packet data into formats that the intrusion rules engine can analyze. Normalizing application-layer protocol encodings allows the system to effectively apply the same content-related intrusion rules to packets whose data is represented differently, and to obtain meaningful results.
The Modbus and DNP3 SCADA preprocessors detect traffic anomalies and provide data to intrusion rules. Supervisory Control and Data Acquisition (SCADA) protocols monitor, control, and acquire data from industrial, infrastructure, and facility processes such as manufacturing, production, water treatment, electric power distribution, airport and shipping systems, and so on.
Several preprocessors allow you to detect specific threats, such as Back Orifice, portscans, SYN floods and other rate-based attacks.
The sensitive data preprocessor detects sensitive data such as credit card numbers and Social Security numbers in ASCII text, in intrusion policies.

in short there is no answer to fix your issue unless you know what you did apply in your NAP settings.

please do not forget to rate.

ccna_security · ‎02-01-2019

Thanks for answer.

One more question i want to ask about variable set. We use firepower as internal firewall. IPS have already configured connectivity over security with its default variable set. Lots of documentation i read and all of them say we must configure variable set. Frankly i didn't understand how to configure it. please correct me if i am wrong

lets say internal ip ranges are 192.168.0.0, 10.0.0.0, 172.16.0.0. I will enter default set variable and find home_net variable and edit by including only ip addresses shown above. Do you think it is enough?

Sheraz.Salim · ‎02-01-2019

have a look on this link

https://www.youtube.com/watch?v=G2hO2awOZJA

please do not forget to rate.

ccna_security · ‎02-01-2019

I have already watched the video. One question i have again. The video shows that we can edit default set. ok lets say i edit the default set home_net variable and add only 10.0.0.0/8 network. then applied it to ACP. so don't you think it will only inspect that subnet not others (192.168.0.0, 172.16.0.0)?

What about direction? lets say one user attempt to enter some web sites(external ip). will ips inspect that connection as well?

Sheraz.Salim · ‎02-01-2019

lets say internal ip ranges are 192.168.0.0, 10.0.0.0, 172.16.0.0. I will enter default set variable and find home_net variable and edit by including only ip addresses shown above. Do you think it is enough?

yes is correct, also you need to exclude your ip address from the External_Net

What about direction? lets say one user attempt to enter some web sites(external ip). will ips inspect that connection as well?

if the initiator is from inside it will be a stateful inspection in regards to ASA code. if you IPS rules in place they will kick in with pareelt with NAP

please do not forget to rate.

ccna_security · ‎02-02-2019

Hello.

yes is correct, also you need to exclude your ip address from the External_Net

Why do i need to exclude private ip address from External_net variable?

Frankly i dont understand why cisco strongly recommend to change variable set. What exactly do variable on ips?

Please explain as simple as possible? thanks in advance

Rob Ingram · ‎02-03-2019

Hi,
The variable sets are referenced in the Intrusion Policy, it is used to identify the protected networks (HOME_NET) and unprotected networks (EXTERNAL_NET). Using the variable set in the Intrusion Policy means you don't need to modify the individual snort rules to identify your local networks etc.

Also using the variable sets makes the Snort rules more accurate, improves performance and reduces the probability of false positives.

HTH

ccna_security · ‎02-03-2019

Hi RJI

I changed default home_net variable by adding my own network(172.16.0.0, 192.168.0.0). And added this ip addresses on External_net exclusion field. Is it enough?

My firewall is internal firewall. I want to inspect traffic beetwen local ip addresses. do you think the configuration i just wrote is enough for my network? Do i need to do something more?