Turn off rule for specific IP address

JonPBerbee
Level 1

Hello everyone.

I am looking for a way to turn off a rule for one specific source IP address. I have a customer whose Symantec Proxy server is triggering the "MALWARE-CNC Win.Trojan.Cidox variant outbound connection" rule on traffic bound for Symantec. Due to the base IPS policy this traffic is being dropped by the FirePOWER sensor. I don't want to disable the rule; I just want to stop it from dropping traffic when the source IP is the Symantec Proxy server IP.

Would Event Thresholding help me accomplish this or should I do something like Rate-Based to disable the rule when the source IP belongs to the Symantec Proxy server?

Thanks in advance for any help you can give me.

Jon.

4 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

The best way would be to create a TRUST rule for the source ip as Symantec Proxy server.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thank you Aastha, I had considered that option as well but was hoping there was a way to turn the rule off for one specific IP. I'll probably go the trust route since it seems like the best way for this specific traffic. Thanks again!

ed.sherratt
Level 1

Hi Jon,

I've done the following for systems that generate false positives for single rules, but I don't trust completely so still want the rest of the rules to apply.

Firstly, edit the rule to create a new Local rule that excludes the IP; in this example it'll be something like "MALWARE-CNC Win.Trojan.Cidox variant outbound connection exclude proxy".

The edit will look like the attached pic; assume the proxy IP is 10.10.10.10 in this example, so you exclude the source using !10.10.10.10. Nothing else changes.

Save this as a new rule, which will create a Local rule; if you've not done any before, this will have the SID 1:1000001:1.

Edit your policy, enabling the new local rule and disabling the original SID; add a comment to both rules for future reference.

Deploy

All done, the new rule will fire on all IPs except this one, and all other rules will still apply to the proxy.

You do need to be aware that SEU changes will not alter the local rule, so you'll need to periodically check in case the detection is updated.

Regards,
Ed
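To see what the source-field edit Ed describes actually matches, here is an added Python checker (not from the thread or from Cisco) that evaluates Snort-style address specs; the $HOME_NET definition and the probe IPs are constructed placeholders, since the thread does not show the real rule. It also shows the caveat that a bare !10.10.10.10 source matches every address except the proxy, external ones included, whereas [$HOME_NET,!10.10.10.10] keeps the original $HOME_NET scope while excluding the proxy.

```python
import ipaddress

# Constructed variable table; the thread does not show the real $HOME_NET definition.
VARS = {
    "$HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "$EXTERNAL_NET": "!$HOME_NET",
}

def _split_top(body):
    """Split the inside of a Snort IP list on commas outside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    parts.append(cur)
    return parts

def matches(spec, ip):
    """True if the Snort address spec (variable, CIDR, list, or !negation) covers ip."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], ip)
    if spec in VARS:
        return matches(VARS[spec], ip)
    if spec.startswith("[") and spec.endswith("]"):
        items = [i.strip() for i in _split_top(spec[1:-1])]
        positive = [i for i in items if not i.startswith("!")]
        negated = [i[1:] for i in items if i.startswith("!")]
        # Snort ORs the positive entries, then carves out every negated entry.
        in_positive = not positive or any(matches(p, ip) for p in positive)
        return in_positive and not any(matches(n, ip) for n in negated)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def source_fires(src_spec, proxy, probes):
    """Map each probe source IP to whether a rule with this source field would fire.
    The proxy should come back False; the other probes should keep their original result."""
    return {ip: matches(src_spec, ip) for ip in [proxy, *probes]}

if __name__ == "__main__":
    proxy, others = "10.10.10.10", ["10.10.10.20", "8.8.8.8"]   # constructed probes
    print("original    ", source_fires("$HOME_NET", proxy, others))
    print("bare negate ", source_fires("!10.10.10.10", proxy, others))
    print("scoped list ", source_fires("[$HOME_NET,!10.10.10.10]", proxy, others))
```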

We did similar things.

First copy the rule.

Use the IP you want the rule not to trigger on in the source or dest.

Change the action to trust.

Custom rules trigger first and act like an ACL. If you match a custom rule of trust you will never hit the SF rule that is below it.


End result meaning the rule is whitelisted for the specific IP. The normal rule is still active and updated by SF for all other devices. You no longer need to check it unless you see something triggering again. At that time update the rule.

Hope this helps

Shawn
