
If Host OS is set to Windows Server 2008 R2, why trigger a Linux-related Sig?

evan.chadwick1
Level 1

Hi Folks,

I am focusing on the accuracy of Firepower applying appropriate IPS signatures based on Host definition. I've raised a couple of posts already online. However, I'm still finding out from the server team what is definitely installed on the servers.
I finally have an obvious example based on Operating System.

If I have a host defined as Windows Server 2008, why would IPS signature 46736 (1:46736:2, D-link router login.cqi command injection) be applied to it?

Am I wrong to expect Firepower to see an inbound login attempt on port 80 that exploits a Linux-based operating system, and drop it silently to all Windows-defined hosts in my network?


evan.chadwick1
Level 1

My thinking at this stage is to try to tackle this with a separate IPS policy that just defines my public-facing DMZ. I might get a more dynamic FP recommendations experience over time, which will begin to set such signatures to just 'drop' and not 'drop and generate events'.

Any thoughts appreciated.
