02-26-2013 08:57 AM - edited 03-10-2019 05:54 AM
We tested Nessus against our legal IP range, and although the firewalls see the connections and happily deny them, the IPS 4255s (two, in series, running 7.1.6 and 7.0.7 E4 respectively) aren't logging anything on the source IP, not even in the info / low logs.
Is this a consequence of Nessus being very clever, or is there an issue with the scanning thresholds? These are currently set to 100.
Gareth
02-26-2013 08:45 PM
Does the traffic go through the ASAs first?
Or does it go through the sensors first?
Is there a signature that should be triggering when detecting the traffic?
Is this about the sensor not logging the source host's information or the scan itself?
02-26-2013 11:59 PM
The IPS is outside the firewalls, so traffic hits that first. The scanner should detect TCP and UDP scans, but doesn't seem to see the source IP at all.
On the other hand, it does see some other IPs scanning at the same time, so possibly Nessus "spoofs" its source address... does anyone know?
02-27-2013 09:15 AM
Try to capture the traffic and confirm it is reaching the unit.
Also make sure there are no event action filters that might be affecting this.
02-28-2013 05:41 AM
It has to go through the IPS, there's no other physical path it can take.
The default action filters are all on and I've re-enabled the retired TCP/UDP scan filters.
02-28-2013 08:30 PM
Hello Gareth,
Can you let me know if these signatures are enabled:
3001/1
4003/0
3001/0
In fact, have some fun with the entire link and check those signatures (I have done the search and copied the link for you); those should be able to detect that traffic ASAP.
Remember to rate any of the helpful posts
Regards
Julio Carvajal
03-01-2013 02:01 AM
3001/1 doesn't exist, but the other 2 are both enabled.
03-01-2013 11:13 AM
For clarification purposes:
We are seeing events related to the scan, the issue is with the reported "attacker" addresses. Is that right?
Can you share one of the logs you mentioned in the reply to my first post here?