This article addresses a problem in which certain Snort rules can cause connection failures even though Snort is not dropping any traffic.
Snort causes connection failures for rules that use the "replace" keyword, even if the rule state is set to "Generate Events".
The reason is that Snort currently does not check the rule state before enforcing the "replace" action. As a result, even when the rule state is "Generate Events", Snort still modifies the packet, which causes connection failures.
An enhancement request has been opened to change this behavior.
If you want these rules to only alert and not cause traffic failures, the only workaround available right now is to create a local rule that is a clone of the original rule, remove the "replace" keyword from it, and enable this local rule instead of the rule provided by Sourcefire.
Please note: Removing the "replace" keyword may limit the effectiveness of the rule.
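The workaround above, sketched as an added example (not code from the original article or from Sourcefire): a Python helper that flags rules containing `replace` and produces an alert-only local clone. The sample rule, the function names and the local SID 1000001 are constructed for illustration, and the code assumes Snort rule text in which `;` and `"` inside option values are quoted or backslash-escaped.

```python
import re

# Constructed sample rule for illustration; not a real Sourcefire rule.
SAMPLE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
          r'(msg:"CONSTRUCTED sample, not a real rule"; flow:to_server,established; '
          r'content:"GET /old\;x"; replace:"GET /new\;x"; sid:99999; rev:3;)')

def split_rule(rule):
    """Return (header, [options]); split on ';' outside quotes, honouring '\\' escapes."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        raise ValueError("not a Snort rule with an option body")
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in m.group(2):
        if escaped:
            escaped = False          # this character was escaped; keep it literally
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append(cur)         # option terminator
            cur = ""
            continue
        cur += ch
    opts.append(cur)
    return m.group(1).strip(), [o.strip() for o in opts if o.strip()]

def name_of(opt):
    return opt.split(":", 1)[0].strip().lower()

def has_replace(rule):
    """True if the rule would rewrite packet bytes via the replace option."""
    return any(name_of(o) == "replace" for o in split_rule(rule)[1])

def alert_only_clone(rule, local_sid):
    """Copy the rule without 'replace', under a local SID (assumed >= 1000000), rev reset to 1."""
    header, opts = split_rule(rule)
    kept = []
    for opt in opts:
        if name_of(opt) == "replace":
            continue  # the option that modifies the packet regardless of rule state
        if name_of(opt) == "sid":
            opt = f"sid:{local_sid}"
        elif name_of(opt) == "rev":
            opt = "rev:1"
        kept.append(opt)
    return f"{header} ({'; '.join(kept)};)"
```

Run `has_replace` over the rules enabled in a policy to find the ones affected, then import the output of `alert_only_clone` as a local rule and disable the original.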