CSA DAC Rule, Untrusted Hosts, and Global Correlation

RichardSW
Level 1

I was trying to get tricky and force my Data Access Control rules to show me what the source IP was.

In my DAC rule, instead of setting the action to Monitor, I have it set to Add Process to Application Class, using dynamic application class <*Processes Communicating with Untrusted Hosts>. Then for Global Event Correlation, I have "Correlate Communications with untrusted hosts and add peer addresses to list of dynamically quarantined IP addresses" enabled with Log a message if 1 systems report this event within 60 minutes.

Well, it works. Sort of. The first time one of my DAC rules triggers, I get the event for the DAC rule, then another event when Global Event Correlation logs the IP address. But this comes with a nasty side effect. Right after, any IP address that communicates with the IIS process also gets added to the Global Quarantine IP addresses list and those events are logged, but not with any other DAC rule event. It looks as if the IIS process is being quarantined as well, even though I can't see that tracked anywhere. The details of the Global event don't give any reference information at all.

So what is going on? Is this how it's supposed to work? Or did I find a bug?

2 Replies

smahbub
Level 6

What is the version of CSA you are using?

4.5.1. At the time of my post it was release 654, but now I'm up to 657.