06-29-2020 05:10 AM
Hello everybody,
I have a case where a backup was interrupted by the IPS of a Firepower module in an ASA. It recognized an "eicar test string download attempt" in the data stream and blocks it. See the attached screen sequence:

Event Information
  Event: POLICY-OTHER eicar test string download attempt (1:37732:4)
  Timestamp: 2020-06-26 16:43:25
  Classification: Misc Activity
  Priority: low
  Ingress Security Zone: inside
  Egress Security Zone: transfer-outside
  Device: FTD-SCH-01
  Ingress Interface: inside
  Egress Interface: outside
  Source IP: 10.50.24.25
  Source Port / ICMP Type: 56650 / tcp
  Destination IP: 10.50.168.28
  Destination Port / ICMP Code: 2500 / tcp
  Intrusion Policy: Paudler_default_IPS_Policy
  Access Control Policy: ACP_FTD-SCH
  Access Control Rule: in-inside_#14
  Rule:
    alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; flow:established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:37732; rev:4; gid:1; )

Packet Information
  Frame 1: 1374 bytes on wire, 1374 bytes captured (10992 bits)
  Ethernet II (Src: BC:EA:FA:C5:9C:08, Dst: A4:6C:2A:9F:C4:C2)
  Internet Protocol Version 4 (Src: 10.50.24.25, Dst: 10.50.168.28)
  Transmission Control Protocol (Src Port: 56650 (56650), Dst Port: 2500 (2500), Seq: 1, Ack: 1, Len: 1320)
  Data (1320 bytes)
The same happens for other IP addresses in other sites. For me it
looks like a 'false positive' event.
My question is: How can I exclude a group of IP addresses from blocks caused by this IPS rule only? I don't want to simply put these IP addresses on the whitelist.
Thanks a lot for every hint!
Bye
R.
06-29-2020 06:56 AM
I've never seen that rule fire as a false positive.
If you want to allow the addresses but not use the whitelist option then you can make an access control policy rule higher up in the order to allow them similar to how they are already allowed by rule 14. In that rule you can either a. specify no IPS policy or b. create a custom IPS policy that excludes that one eicar-related IPS rule and specify it.
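To make the difference between the two options concrete, here is a small Python model of the access control policy walk described in the answer. It is an added example, not Cisco code and not anything from the original post: the "engine" only does the raw content match of sid 37732 (the real rule also requires flow:established and inspects the file_data buffer), the backup hosts are assumed to live in 10.50.24.0/24, and the second signature (sid 900001) is invented so that the output shows what excluding one rule does and does not switch off. The flows are constructed; the first one mirrors the event in the thread.

```python
import ipaddress

# Content match taken from the Snort rule quoted in the event above (gid 1, sid 37732).
# The real rule also requires flow:established and evaluates the file_data buffer;
# this toy engine does a plain substring match, which is enough to compare policies.
EICAR_CONTENT = b"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"

# Second signature, constructed for this example (not a real Snort rule), so the
# output shows that disabling sid 37732 leaves the other rules active.
OTHER_SID = 900001
OTHER_CONTENT = b"EXAMPLE-MALWARE-MARKER"

SIGNATURES = {37732: EICAR_CONTENT, OTHER_SID: OTHER_CONTENT}


def matching_sids(payload, disabled=frozenset()):
    """SIDs whose content pattern occurs in the payload, ignoring disabled SIDs."""
    return sorted(sid for sid, pattern in SIGNATURES.items()
                  if sid not in disabled and pattern in payload)


def evaluate(flow, acp):
    """Walk the access control policy top to bottom; the first rule whose source
    network matches wins.  Returns (verdict, rule name, list of firing SIDs)."""
    src = ipaddress.ip_address(flow["src"])
    for rule in acp:
        if not any(src in net for net in rule["src_nets"]):
            continue
        # An Allow rule with no intrusion policy attached: no IPS inspection at all.
        if rule["ips_disabled"] is None:
            return ("allow", rule["name"], [])
        hits = matching_sids(flow["payload"], rule["ips_disabled"])
        return ("drop" if hits else "allow", rule["name"], hits)
    return ("drop", "default action", [])  # assumed default action: block


ANY = [ipaddress.ip_network("0.0.0.0/0")]
BACKUP_NET = [ipaddress.ip_network("10.50.24.0/24")]  # assumed group of backup hosts

# Rule 14 as it is today: allow, with a full intrusion policy (nothing disabled).
RULE_14 = {"name": "in-inside_#14", "src_nets": ANY, "ips_disabled": frozenset()}

ACP_TODAY = [RULE_14]
# Option a from the answer: a rule above #14 for the backup hosts with no IPS policy.
ACP_OPTION_A = [{"name": "backup-no-ips", "src_nets": BACKUP_NET,
                 "ips_disabled": None}, RULE_14]
# Option b: the same rule, but with a custom IPS policy that only disables sid 37732.
ACP_OPTION_B = [{"name": "backup-no-eicar", "src_nets": BACKUP_NET,
                 "ips_disabled": frozenset({37732})}, RULE_14]

# Constructed flows; the first mirrors the event in the thread.
FLOWS = {
    "backup_eicar": {"src": "10.50.24.25", "dst": "10.50.168.28", "dport": 2500,
                     "payload": b"BACKUP-CHUNK-0001 " + EICAR_CONTENT + b" END"},
    "backup_other": {"src": "10.50.24.25", "dst": "10.50.168.28", "dport": 2500,
                     "payload": b"BACKUP-CHUNK-0002 " + OTHER_CONTENT + b" END"},
    "other_host_eicar": {"src": "10.50.99.7", "dst": "10.50.168.28", "dport": 2500,
                         "payload": b"GET /eicar.com " + EICAR_CONTENT},
}


def run(acp):
    """Verdict per constructed flow under one access control policy."""
    return {name: evaluate(flow, acp) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acp in (("today", ACP_TODAY), ("option a", ACP_OPTION_A),
                       ("option b", ACP_OPTION_B)):
        print(label)
        for name, verdict in run(acp).items():
            print("  ", name, verdict)
```

Running it shows the trade-off: under option a the backup hosts bypass intrusion inspection entirely (the flow carrying the second marker is allowed too), while under option b only sid 37732 is silenced for those hosts and every other rule still drops, and hosts outside the backup network are still blocked on the EICAR string by rule 14.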