We have an IPS 4235 system with IPS-K9-5.1-8-E3 Engine and sig file IPS-sig-s368-reg-E3 in front of our Firewall. We also (unfortunately) have the w32.conficker worm which is causing a DDOS and flooding the network with TCP 445 traffic. We are trying ...
We've tried all the deny options; however, we think the problem is that the W32Conficker worm / virus signature does not seem to be included in S368, and as a result the IDS just picks up the TCP timeout and not the worm.
This didn't give us any denied attackers (see below):

NWWIDS1# sh stat denied-attackers
Denied Attackers and hit count for each.
Statistics for Virtual Sensor vs0
   Denied Attackers with percent denied and hit count for each.
NWWIDS1#
Yes, we have "Deny Attacker In Line", "Deny Attacker Service Pair InLine", "Deny Attacker Victim Pair Inline", "Deny Connection InLine", "Deny Packet InLine", but we are still seeing 445 worm traffic on the outside interface...
Thanks Jon. The IPS is configured in line, and yes, it does detect on Sig. 1302. We are not sure how we could customise a signature as we do not understand the attack attribute (apart from port 445 to random IP addresses). We have tried setting the si...
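Added example, not part of the thread and not Cisco IPS code: a Python sketch of the sweep heuristic the post describes (one source opening TCP 445 connections to many distinct addresses within a short window), run over constructed connection-log lines. The log format, addresses, window and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection records (not from the thread or any real device):
# 10.1.2.50 fans out to 25 distinct hosts on TCP 445 within 25 seconds (worm-like);
# 10.1.2.77 talks to a single file server on 445 plus one web request (normal).
SAMPLE_LOG = "\n".join(
    [f"2009-02-10T10:00:{i:02d} 10.1.2.50 -> 192.0.2.{i}:445 TCP SYN" for i in range(25)]
    + [
        "2009-02-10T10:00:05 10.1.2.77 -> 10.1.2.5:445 TCP SYN",
        "2009-02-10T10:00:09 10.1.2.77 -> 10.1.2.5:445 TCP SYN",
        "2009-02-10T10:00:12 10.1.2.77 -> 10.1.2.9:80 TCP SYN",
    ]
)

# Assumed line layout: "<ISO timestamp> <src> -> <dst>:<dport> TCP SYN"
LINE_RE = re.compile(r"^(\S+) (\S+) -> ([\d.]+):(\d+) TCP SYN$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_sweepers(log_text, port=445, window=timedelta(seconds=60), min_distinct=20):
    """Flag sources that reach at least `min_distinct` distinct hosts on `port`
    inside any sliding `window`. Assumes records arrive in time order.
    Returns {src: peak distinct-destination count seen while over threshold}."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # expire records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_distinct:
            flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged
```

Sources that only ever reach a handful of servers on 445 never cross the threshold, so ordinary SMB clients stay unflagged while a host scanning the address space does not.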