cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

548
Views
50
Helpful
4
Replies
hash2k2
Beginner

FMC - Intrusion event passes instead of drop

Hi,

this morning I found in my FMC that some intrusion events are shown as "pass" instead of being dropped.

I find this in my FMC under Analysis -> Intrusion Events -> Table view.

example:

2022-02-26 06:45:38low
 

 

Pass 
 

 

xx.xx.xx.xx
 

 

USA
 

xx.xx.xx.xx

 

 

USA
3200 / tcp80 (http) / tcp  HI_CLIENT_IIS_UNICODE (119:7:1)Unknown TrafficHTTP Inspection Preprocessor 

This happened for different events and different target machines.

 

I am running FMC with 7.1.0

VDB is 351

 

Is that a normal behavior? I have not seen this in the event table before, but I am not that into the fmc at the moment...

4 REPLIES 4
hurricane05
Beginner

Was there a custom IPS rule created from one of the Cisco default ruleset and configured it as a Pass for valid traffic? I normally do this for different signatures where I want Snort to pass traffic for some of our internal host communications. Just a thought.

Marvin Rhoads
VIP Community Legend

Check the rule allowing the traffic in the first place. Does it have the Intrusion Policy specified in it?

For every services reachable from external sources I have created an own intrusion policy. Then I have created access policies for every server saying any -> dmz server and added that specific IPS policy. So there is no entry without an IPS policy with allow.

Create
Recognize Your Peers
Content for Community-Ad