
Websense proxy traffic blocked by IPS

gijoesamuel
Level 1

Hi,

We are using Websense as a proxy. Signatures 6009/0 & 5930/8 (SYN FLOOD DOS & GENERIC SQL INJECTION) trigger and block Internet traffic coming through the proxy. At times the signature changes and it's very difficult to know the root cause.

In the IPS event logs it shows the Attacker IP as (Websense Proxy Server - 172.21.104.2) and the Victim IPs as (74.125.235.108 & 82.208.28.193). The victim IPs shown in the IPS belong to (Google & astrala.logout.cz).

Please Suggest.

Regards,

Gijoe

1 Reply

Siddharth Chandrachud
Cisco Employee

If the traffic is trusted, create an event action filter to tune IPS for false positives.

This way IPS will not carry out the default action on the signature for packets coming from a specific subnet or going to one.

Check the video for how to create an event action filter:

https://supportforums.cisco.com/community/netpro/security/intrusion-prevention/blog/2010/10/05/cisco-ips--how-to-prevent-false-positives-using-event-action-filters

Sid Chandrachud

Cisco TAC - Security Team
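
An event action filter of the kind the reply describes, sketched for the two signatures and the proxy address from the question. This is an added example, not part of the original thread or Cisco's own configuration; it assumes the Cisco IPS 6.x/7.x sensor CLI, the default rules instance `rules0`, and `deny-packet-inline` as the action doing the blocking. The filter names are hypothetical.

```cisco
! Added example. Assumptions: IPS 6.x/7.x sensor CLI, rules instance rules0,
! blocking action is deny-packet-inline (check the alert's actions first).
configure terminal
service event-action-rules rules0
! Filter 1: SYN flood signature 6009/0 when the attacker is the Websense proxy
filters insert websense-synflood begin
signature-id-range 6009
subsignature-id-range 0
attacker-address-range 172.21.104.2-172.21.104.2
actions-to-remove deny-packet-inline
filter-item-status enabled
stop-on-match false
user-comment Websense proxy false positive on 6009/0
exit
! Filter 2: generic SQL injection signature 5930/8 from the same source
filters insert websense-sqli begin
signature-id-range 5930
subsignature-id-range 8
attacker-address-range 172.21.104.2-172.21.104.2
actions-to-remove deny-packet-inline
filter-item-status enabled
stop-on-match false
user-comment Websense proxy false positive on 5930/8
exit
exit
```

Only the deny action is removed, so the sensor still produces alerts for both signatures from the proxy. Scoping each filter to one signature and one attacker address keeps the signatures enforced for every other source.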
