10-18-2011 03:50 AM - edited 03-10-2019 05:31 AM
Hi All,
When i genrate top 10 victim report on IPS module on ASA 5520 it shows that attacker addresses are my local LAN ip addresses and the victims are public ip address on the internet. I beleive should be the other way around to be the victim are my LAN side.
I have the same in more than on IPS modules for different customers
Please advise
Solved! Go to Solution.
10-19-2011 08:44 AM
Using the Java GUI,
Go into the "Configuration" tab, select the "Policies" button (lower left corner)
Expand the tree on the tree in the upper left panel: Signature Definitions, sig0, All Signatures
Select the signature you want to edit.
Scroll about halfway down the list of signature settings to "Swap Attacker Victim", check the box and set the value to "yes". hit "OK" to save this signature and move on to the next signature.
- Bob
10-18-2011 11:14 AM
Have you been performing any analysis on these "attacks"? Are they real or false positives?
If they are real and your attackers and victims are indeed incorrect, you can swap them by editing the signature in question.
- Bob
10-18-2011 08:44 PM
thanks Bob for your reply.
I believe that it is incorrect because all attackers are from LAN side and zero from outside for around 4 months.
So could you explain to me how to swap this in the signature as you mentioned ? ""Im using GUI interface""
Thanks,,,
10-19-2011 08:44 AM
Using the Java GUI,
Go into the "Configuration" tab, select the "Policies" button (lower left corner)
Expand the tree on the tree in the upper left panel: Signature Definitions, sig0, All Signatures
Select the signature you want to edit.
Scroll about halfway down the list of signature settings to "Swap Attacker Victim", check the box and set the value to "yes". hit "OK" to save this signature and move on to the next signature.
- Bob
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide