08-14-2006 10:49 AM - edited 03-10-2019 03:10 AM
We have an in-house vulnerability scanner that regularly
does port scans and we don't want to see events when the source IP is from the vulnerability scanner.
We tried a network access rule but it does not work.
1) Network Shim is enabled
2) Network shield rule with Port scan detection is enabled.
3) Global correlation for scans is set to 100 within 60 minutes.
Basically we want to keep detecting port scans except scans from a specific IP.
08-15-2006 12:25 PM
Can you send me a screen shot of the NACL rule you created? Perhaps you didn't set the parameters correctly.
08-16-2006 06:28 AM
Thanks Jay for your offer. The thing is NACL does not work in 4.0.x
Here is TAC response for later versions (4.5.x or 5.x):
"It is possible to do this by changing the field "Communicating with host
addresses" in the network shield rule. There are 2 ways to do this.
1. Create an exception rule. The exception rule is of type 'Network
Shield Rule'. Make its action 'permit'. Click Port Scan Detection to
enable it. Include the ip address of the port scanner device in
"Communicating with host addresses".
or
2. Modify the original Network Shield Rule (the one with the deny
action). Next to "Communicating with host addresses", click 'Insert
Network Address Set', and click 'New'. In the new window, name the
network address set. Leave the "Address ranges matching" to
change "but not:" to the ip address of the port scanner. Then click
'save'. Make sure that the Network Shield rule now contains your
Network address set under "Communicating with host addresses".
We typically recommend using method 1 because it prevents you from
having to modify the default rule set. But pick the method that works
best for your configuration."
I have to find a way without upgrading.
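To make the two TAC methods concrete, here is an added model (not CSA code, and not from the thread) of the rule logic: a port-scan correlation of 100 distinct ports within 60 minutes, applied only to sources that match a "Communicating with host addresses" set whose "but not:" list holds the scanner IP. The scanner address 10.0.0.5 and the connection log are constructed sample data.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Thresholds from the original post: 100 scans within 60 minutes.
SCAN_THRESHOLD = 100
WINDOW_SECONDS = 60 * 60

def build_address_set(matching, but_not):
    """Model of a network address set: 'matching' ranges minus 'but not:' hosts."""
    nets = [ip_network(m) for m in matching]
    excluded = {ip_address(h) for h in but_not}
    def matches(ip):
        addr = ip_address(ip)
        return any(addr in n for n in nets) and addr not in excluded
    return matches

class PortScanDetector:
    def __init__(self, communicating_with, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.in_scope = communicating_with      # the address set the deny rule applies to
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)        # src -> deque of (timestamp, dst port)

    def observe(self, ts, src, dport):
        """Return True when this attempt completes a port-scan correlation for src."""
        if not self.in_scope(src):              # excluded host (the scanner) never alerts
            return False
        q = self.events[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:  # drop attempts older than the window
            q.popleft()
        return len({p for _, p in q}) >= self.threshold

def run(detector, log_lines):
    """Feed 'timestamp src dport' lines through the detector; return alerting sources."""
    alerts = set()
    for line in log_lines:
        ts, src, dport = line.split()
        if detector.observe(int(ts), src, int(dport)):
            alerts.add(src)
    return sorted(alerts)

# Constructed log: the in-house scanner and an unknown host each sweep 120 ports
# within two minutes; a normal client touches three ports.
SAMPLE_LOG = (
    [f"{i} 10.0.0.5 {1000 + i}" for i in range(120)]
    + [f"{i} 192.168.1.77 {2000 + i}" for i in range(120)]
    + [f"{i} 192.168.1.10 {p}" for i, p in enumerate((22, 80, 443))]
)

if __name__ == "__main__":
    scope = build_address_set(["0.0.0.0/0"], but_not=["10.0.0.5"])
    print(run(PortScanDetector(scope), SAMPLE_LOG))   # ['192.168.1.77']
```

Removing 10.0.0.5 from the "but not:" list makes the scanner alert as well, which is the behaviour the original poster is trying to suppress.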