cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
2051
Views
1
Helpful
2
Replies

How to change preprocessor rules for specific server IP addresses in FireSIGHT?

rweir0001
Level 1
Level 1

I have a Cisco ASA w/FirePOWER using SourceFire module version 5.4.1. The IPS is seeing SFTP traffic and misidentifying it as an  SSH_EVENT_RESPOVERFLOW intrusion event because it thinks the packets are trying to exploit a vulnerability in OpenSSH. The inline action is to drop the packets. I want to set it up so that the IPS will not drop these packets when it sees the traffic going to specific servers, but will function normally otherwise. I tried to change the SSH_EVENT_RESPOVERFLOW rule in the Rule Editor but received this message:

This preprocessor rule cannot be modified from the rule editor. If you want to modify this rule, you can change the settings in a Network Analysis policy for this preprocessor.

How can I change the preprocessor rule so that the IPS doesn't drop packets that it misidentifies as SSH_EVENT_RESPOVERFLOW intrusion events for SPECIFIC servers?

2 Replies 2

tushar_bangia
Level 1
Level 1

I also saw similar issue and since NAP is globally applied hence the only way to do this is to whitelist the scanners in NAP.

Refer attached screenshot for same.

Tushar,

Cisco ended up confirming for me that there is a bug related to this and they provide me with this link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva18960

They also recommended updating the VDB version in FireSIGHT. As a workaround I did create a Network Access Policy where I disabled the "Challenge-Response Buffer Overflow" pre-processor rule in the Access Control Policy for certain IP addresses. This resolved the issue. 

Review Cisco Networking for a $25 gift card