Firepower: How to exclude IP addresses from IPS-caused blocking?

rherud
Level 1

Hello everybody,

I have a case where a backup was interrupted by a Firepower module
in an ASA by IPS. It recognized an "eicar test string download attempt"

Event Information
Event: POLICY-OTHER eicar test string download attempt (1:37732:4)
Timestamp: 2020-06-26 16:43:25
Classification: Misc Activity
Priority: low
Ingress Security Zone: inside
Egress Security Zone: transfer-outside
Device: FTD-SCH-01
Ingress Interface: inside
Egress Interface: outside
Source IP: 10.50.24.25
Source Port / ICMP Type: 56650 / tcp
Destination IP: 10.50.168.28
Destination Port / ICMP Code: 2500 / tcp
Intrusion Policy: Paudler_default_IPS_Policy
Access Control Policy: ACP_FTD-SCH
Access Control Rule: in-inside_#14
Rule: alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; flow:established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:37732; rev:4; gid:1; )

Packet Information
Frame 1: 1374 bytes on wire, 1374 bytes captured (10992 bits)
Ethernet II (Src: BC:EA:FA:C5:9C:08, Dst: A4:6C:2A:9F:C4:C2)
Internet Protocol Version 4 (Src: 10.50.24.25, Dst: 10.50.168.28)
Transmission Control Protocol (Src Port: 56650 (56650), Dst Port: 2500 (2500), Seq: 1, Ack: 1, Len: 1320)
Data (1320 bytes)

in the data stream and blocks it. See attached screen sequence.

The same happens for other IP addresses at other sites. To me it
looks like a 'false positive' event.

My question is: how can I exclude a group of IP addresses from these
IPS-caused blocks only? I don't want to simply put these IP addresses
on the whitelist.

Thanks a lot for every hint!

Bye
R.
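A check worth doing before treating this as a false positive, added here as an example that is not part of the original post: the rule quoted in the event is a plain content match with fast_pattern:only, so it fires whenever the reassembled stream carries the EICAR substring, regardless of which application produced the traffic. A backup job copying a host that has an eicar.com test file on disk will carry exactly that substring. The Snort rule text below is the one from the event record; the backup payloads are constructed for the example, and the parser is a minimal one written for it (not Snort's own).

```python
"""Why 1:37732 fires on a backup stream: a literal content match over the
reassembled TCP stream. Rule text is from the event record above; the
payloads are constructed for this example, not captured from the thread."""
import re

# Rule text exactly as shown in the event record.
RULE = ('alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; '
        'flow:established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; '
        'fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, '
        'policy security-ips drop; reference:url,www.eicar.org/86-0-Intended-use.html; '
        'classtype:misc-activity; sid:37732; rev:4; gid:1; )')

# key:value; pairs in the rule body, value either "quoted" or bare up to ';'
_OPT = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')


def snort_content_bytes(content):
    """Turn a Snort content string into bytes: |..| sections are hex,
    the rest is literal with backslash escapes (\\; \\" \\\\) restored."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:  # inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_rule(rule_text):
    """Minimal Snort rule parser: header fields plus the options we need."""
    header, _, body = rule_text.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for key, val in _OPT.findall(body):
        opts[key] = val[1:-1] if val.startswith('"') else val.strip()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": opts["msg"],
            "content": snort_content_bytes(opts["content"]),
            "sid": int(opts["sid"]), "rev": int(opts["rev"]),
            "fast_pattern_only": opts.get("fast_pattern") == "only"}


def stream_matches(rule, stream):
    """Apply the rule the way fast_pattern:only does: one substring search
    over the reassembled stream, with no further content verification."""
    return rule["content"] in stream


# Constructed payloads (not from the thread). The first mimics a backup job
# copying a host that has eicar.com on disk: the file's 68 bytes travel
# inside the backup stream, wrapped in whatever framing the backup uses.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BACKUP_WITH_EICAR = b"BKP\x00\x01C:\\Users\\test\\eicar.com\x00" + EICAR + b"\x00" * 16
BACKUP_CLEAN = b"BKP\x00\x01C:\\Users\\test\\report.docx\x00" + b"PK\x03\x04" + b"\x00" * 64


def check():
    """Parse the rule and run it over both constructed backup streams."""
    rule = parse_rule(RULE)
    return {"sid": rule["sid"], "rev": rule["rev"],
            "fast_pattern_only": rule["fast_pattern_only"],
            "backup_with_eicar": stream_matches(rule, BACKUP_WITH_EICAR),
            "backup_clean": stream_matches(rule, BACKUP_CLEAN)}


if __name__ == "__main__":
    print(check())
```

If the stream really carried the EICAR string, the quickest confirmation is to search the backed-up hosts for an eicar.com (or any file containing that string); the packet view in the event, with its 1320-byte data segment, should show the same bytes.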

Accepted Solution

Marvin Rhoads
Hall of Fame

I've never seen that rule fire as a false positive.

If you want to allow the addresses but not use the whitelist option then you can make an access control policy rule higher up in the order to allow them similar to how they are already allowed by rule 14. In that rule you can either a. specify no IPS policy or b. create a custom IPS policy that excludes that one eicar-related IPS rule and specify it.
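One way to script option (a) of the accepted answer against the FMC REST API, as an added example that is not part of the original thread. It assumes the endpoint paths, JSON field names and the insertBefore query parameter as published in Cisco's FMC REST API documentation (generatetoken, accesspolicies, accessrules, sourceNetworks literals, ipsPolicy); the FMC host, credentials and the new rule name "backup-no-ips" are placeholders, while the policy name, anchor rule and addresses are the ones from the event record. Passing a custom intrusion policy id instead turns it into option (b).

```python
"""Insert an ALLOW rule for the backup hosts above in-inside_#14 so the
backup traffic is matched there, with no intrusion policy attached.

Assumptions (not taken from the thread): FMC API paths, JSON field names
and the insertBefore parameter follow Cisco's FMC REST API documentation;
FMC_HOST/FMC_USER/FMC_PASS are placeholders supplied via the environment."""
import base64
import json
import os
import ssl
import urllib.request

FMC_HOST = os.environ.get("FMC_HOST", "fmc.example.invalid")  # placeholder
POLICY_NAME = "ACP_FTD-SCH"        # from the event record
ANCHOR_RULE = "in-inside_#14"      # rule that allows (and inspects) the backup today
BACKUP_SOURCES = ["10.50.24.25"]   # hosts whose backup trips 1:37732
BACKUP_DESTS = ["10.50.168.28"]
BACKUP_PORT = "2500"


def build_bypass_rule(name, sources, dests, port, ips_policy_id=None):
    """Rule body: ALLOW the backup hosts. With ips_policy_id=None no
    intrusion policy is attached (option a); with the id of a custom
    policy that has 1:37732 disabled, that policy is attached (option b)."""
    rule = {
        "name": name,
        "type": "AccessRule",
        "action": "ALLOW",
        "enabled": True,
        "sourceNetworks": {"literals": [{"type": "Host", "value": s} for s in sources]},
        "destinationNetworks": {"literals": [{"type": "Host", "value": d} for d in dests]},
        "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": port}]},
        "logEnd": True,
        "sendEventsToFMC": True,
    }
    if ips_policy_id:
        rule["ipsPolicy"] = {"id": ips_policy_id, "type": "IntrusionPolicy"}
    return rule


def insert_position(rules, anchor_name):
    """1-based index of the anchor rule in the policy's ordered rule list.
    The new rule must go at or above this index: evaluation is first-match,
    so a rule placed below in-inside_#14 would never see the backup flow."""
    for i, r in enumerate(rules, start=1):
        if r.get("name") == anchor_name:
            return i
    raise LookupError(f"rule {anchor_name!r} not found in policy")


def _ctx():
    # Lab shortcut for FMC's default self-signed certificate; verify it in production.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fmc_login(host, user, password):
    """Token endpoint returns the session token and domain UUID as headers."""
    req = urllib.request.Request(f"https://{host}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=_ctx()) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def fmc_call(host, token, method, path, body=None, params=""):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}{path}{params}", data=data, method=method)
    req.add_header("X-auth-access-token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=_ctx()) as resp:
        return json.load(resp)


def add_rule(host, user, password, ips_policy_id=None):
    """Look up the policy and the anchor rule, then POST the new rule above it."""
    token, domain = fmc_login(host, user, password)
    base = f"/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"
    policies = fmc_call(host, token, "GET", base, params="?limit=1000")["items"]
    pol = next(p for p in policies if p["name"] == POLICY_NAME)
    rules = fmc_call(host, token, "GET", f"{base}/{pol['id']}/accessrules", params="?limit=1000")["items"]
    pos = insert_position(rules, ANCHOR_RULE)
    body = build_bypass_rule("backup-no-ips", BACKUP_SOURCES, BACKUP_DESTS, BACKUP_PORT, ips_policy_id)
    return fmc_call(host, token, "POST", f"{base}/{pol['id']}/accessrules", body, params=f"?insertBefore={pos}")


if __name__ == "__main__":
    print(json.dumps(add_rule(FMC_HOST, os.environ["FMC_USER"], os.environ["FMC_PASS"]), indent=2))
```

The rule is scoped to the backup hosts and port only, so the rest of the traffic still lands on in-inside_#14 with Paudler_default_IPS_Policy; after the POST the policy has to be deployed to FTD-SCH-01 before it takes effect.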
