
Firepower False Positives

croll9898
Frequent Visitor

Hello,

We currently have a mix of Linux and Windows servers that are behind our Firepower/ASA devices. We're seeing an uptick in the BASH signatures firing (1:31977 and 1:31978 specifically). The problem is that while it is an older rule, we don't want to disable it completely. We would like to be alerted when it fires on a Linux host, but not on Windows hosts. Currently it's firing on Windows and Linux and it's creating a bit of a headache.

I was hoping to get some suggestions on how to proceed. I know I can set up suppression or create a new Snort variable without the Windows hosts, but I'd like the fix to have minimal overhead/configuration.

Thanks for your help.

1 Reply

Claudiu Cismaru
Cisco Employee

Can you check the connection events associated with the intrusion events to see what application ID and web application ID are identified for those two events?

You can create two new rules to include a more specific web application identification, if the Windows servers are identified differently.

Or you can add the Windows servers' IP addresses to an object and apply a different IPS policy with the rules disabled only for those IP addresses (with a separate ACP rule that matches the object).
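The reply above boils down to a triage question: for each of the two SIDs, do the Windows targets show a different application protocol / web application than the Linux targets (in which case the detection can be split on application identification), or do they overlap (in which case the fallback is an IP-based network object with its own IPS policy)? The script below is an added example, not code from the thread or from Cisco; it works over a constructed, simplified set of event records (SID, destination IP, destination OS from the host profile, application protocol, web application) rather than a real FMC export, and the `/32` network-object rendering is a hypothetical text format, not FMC's import syntax.

```python
"""Triage Snort SIDs by destination host OS and detected application.

Added example, not from the original thread. The event records below are
constructed and simplified; a real FMC export has many more columns and the
host OS comes from the host profile, not from the event row itself.
"""
from collections import defaultdict

# Constructed sample: intrusion events joined to their connection events.
# Fields: generator:sid, destination IP, destination OS, app protocol, web app.
SAMPLE_EVENTS = [
    ("1:31977", "10.0.1.10", "Linux",   "HTTP", "Web Browsing"),
    ("1:31977", "10.0.1.11", "Linux",   "HTTP", "Web Browsing"),
    ("1:31978", "10.0.1.10", "Linux",   "HTTP", "Web Browsing"),
    ("1:31977", "10.0.2.20", "Windows", "HTTP", "IIS"),
    ("1:31978", "10.0.2.21", "Windows", "HTTP", "IIS"),
    ("1:31977", "10.0.2.20", "Windows", "HTTP", "IIS"),
]

# The two rules from the question.
WATCHED_SIDS = {"1:31977", "1:31978"}


def app_breakdown(events, sids=WATCHED_SIDS):
    """Per SID and destination OS, the set of (app protocol, web app) pairs seen.

    Disjoint sets for Windows and Linux mean the rule can be narrowed by
    application identification; overlapping sets mean it cannot.
    """
    out = defaultdict(lambda: defaultdict(set))
    for sid, _dst, os_name, app_proto, web_app in events:
        if sid in sids:
            out[sid][os_name].add((app_proto, web_app))
    return {sid: dict(by_os) for sid, by_os in out.items()}


def apps_distinguish_os(breakdown, sid):
    """True when no (app protocol, web app) pair appears under more than one OS."""
    seen = {}
    for os_name, apps in breakdown.get(sid, {}).items():
        for app in apps:
            if app in seen and seen[app] != os_name:
                return False  # same application fingerprint on both OS families
            seen[app] = os_name
    return True


def hosts_by_os(events, os_name, sids=WATCHED_SIDS):
    """Sorted destination IPs of the given OS that triggered the watched SIDs."""
    return sorted({dst for sid, dst, os_, *_ in events
                   if sid in sids and os_ == os_name})


def as_network_object_lines(ips):
    """Render host IPs as /32 entries for a network object (hypothetical format)."""
    return [f"{ip}/32" for ip in ips]


if __name__ == "__main__":
    breakdown = app_breakdown(SAMPLE_EVENTS)
    for sid in sorted(breakdown):
        verdict = "split on app ID" if apps_distinguish_os(breakdown, sid) \
            else "use IP-based policy"
        print(sid, dict(breakdown[sid]), "->", verdict)
    print("Windows object entries:",
          as_network_object_lines(hosts_by_os(SAMPLE_EVENTS, "Windows")))
```

Run it against your own export by replacing `SAMPLE_EVENTS` with tuples built from the joined intrusion and connection event rows; the `apps_distinguish_os` verdict tells you which of the two approaches in the reply is actually available, and `hosts_by_os` gives the host list for the network object if you have to fall back to the IP-based policy.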
