09-09-2008 08:46 PM - edited 03-10-2019 04:17 AM
I am modifying one of the policies on the IPS on my 5520 that I just setup.
What I want to do is remove the false negatives coming from the DMZ with signature 3030 (TCP SYN Host Sweep)
I want to filter out the IP range of 192.168.168.0/24 but I can't make it to accept it.
What do I need to put in the line src-addr-filter to do this? thanks.
09-10-2008 04:42 AM
You should be able to go to event action rules.
add a rule.
include the sig ID 3030.
I typically leave the sub sig to the default (0-255).
the source will be your DMZ network (192.168.168.0-192.168.168.255)
The destination will probably be the default (0.0.0.0-255.255.255.255)
The next key change will be the actions to subtract. You will want to subtract produce alert (the default action for 3030). Most of the time I subtract all actions. That way if I change a signature later I won't have a unexpected result. For example say you start blocking attackers that do a TCP SYN sweep (3030). If you only subtract product alerts, then you might start blocking you DMZ hosts and but not produce any alerts.
Lastly, you may want to tune sig 3030. 15 unique SYN packets in 60 seconds is pretty low. I have a sensor set to 30 in 5 seconds.
09-10-2008 02:57 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide