09-15-2016 01:00 PM - edited 03-10-2019 06:41 AM
I have a Cisco ASA w/FirePOWER using SourceFire module version 5.4.1. The IPS is seeing SFTP traffic and misidentifying it as an SSH_EVENT_RESPOVERFLOW intrusion event because it thinks the packets are trying to exploit a vulnerability in OpenSSH. The inline action is to drop the packets. I want to set it up so that the IPS will not drop these packets when it sees the traffic going to specific servers, but will function normally otherwise. I tried to change the SSH_EVENT_RESPOVERFLOW rule in the Rule Editor but received this message:
This preprocessor rule cannot be modified from the rule editor. If you want to modify this rule, you can change the settings in a Network Analysis policy for this preprocessor.
How can I change the preprocessor rule so that the IPS doesn't drop packets that it misidentifies as SSH_EVENT_RESPOVERFLOW intrusion events for SPECIFIC servers?
10-06-2016 12:04 AM
10-06-2016 06:23 AM
Tushar,
Cisco ended up confirming for me that there is a bug related to this and they provided me with this link:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva18960
They also recommended updating the VDB version in FireSIGHT. As a workaround I did create a Network Access Policy where I disabled the "Challenge-Response Buffer Overflow" pre-processor rule in the Access Control Policy for certain IP addresses. This resolved the issue.
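For readers who want to see what that Network Analysis Policy setting corresponds to underneath: Firepower 5.4 runs a Snort 2 engine, and the "Challenge-Response Buffer Overflow" preprocessor rule is the SSH preprocessor alert GID 128, SID 1, raised when the client sends more than `max_client_bytes` before the session is identified as encrypted. The fragment below is an added illustration in snort.conf syntax, not configuration taken from the poster's system or from Cisco; the server addresses are constructed placeholders, and the `suppress` lines show an alternative per-server approach (keep the check on, silence it only for the named SFTP hosts) rather than the policy-level disable the reply describes.

```conf
# --- Default-style SSH preprocessor: the responder-overflow check is on.
# Large SFTP transfers can push client bytes past max_client_bytes before
# Snort flags the session encrypted, which is what produced the 128:1
# event and, inline, the drop.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 80 \
                  enable_respoverflow \
                  enable_ssh1crc32 \
                  enable_srvoverflow \
                  enable_protomismatch

# --- Per-server workaround in threshold.conf: keep 128:1 enabled for the
# rest of the network but never alert (and so never drop) for traffic to
# the known SFTP servers. Addresses are constructed placeholders.
suppress gen_id 128, sig_id 1, track by_dst, ip 192.0.2.10/32
suppress gen_id 128, sig_id 1, track by_dst, ip 192.0.2.11/32

# --- Equivalent of the reply's workaround, as a separate preprocessor
# profile with the responder-overflow check omitted; only the policy
# bound to the SFTP server addresses would use this variant.
# preprocessor ssh: server_ports { 22 } \
#                   autodetect \
#                   max_client_bytes 19600 \
#                   max_encrypted_packets 20 \
#                   max_server_version_len 80 \
#                   enable_ssh1crc32 \
#                   enable_srvoverflow \
#                   enable_protomismatch
```

After applying either variant, a quick check is to run a large SFTP transfer to one of the listed servers and confirm no GID 128 SID 1 event appears in the intrusion event view while the same transfer to an unlisted host still does.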