#1 pod (Master Untangler, joined Oct 2008, 120 posts)

Exceptions by source or destination?

    I have one of our internal machines legitimately monitoring our network using snmp.
    This is being picked up and logged by the signatures producing huge numbers of false positives.

    I tried adding a new rule, with conditions of category = snmp and source address = [my_ip] with action of disable.

    That doesn't appear to do anything.
    By reading other posts, it seems that the rule conditions only apply to the signatures themselves and these do not have addresses.
    If that's the case, it's not very helpful to give the option of using conditions which will never work.

    I could set a rule to disable all snmp related signatures. But I do want to know if anything else is trying to use it.

    The only other option appears to be bypassing traffic from the monitoring box. But that makes it miss everything else.

How can I tell IPS to ignore the services I am running and scan everything else? (i.e. exactly what the rule above would do)

#2 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 23,237 posts)

    Why are you subjecting an internal monitor to Untangle's filtration at all?

    This is what bypass rules are for, stop scanning that traffic entirely!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 pod (Master Untangler, joined Oct 2008, 120 posts)

    Good point.
    I guess it's to make sure the box isn't doing something it's not supposed to?

    We also have a slightly odd mixture of external and internal - some 'external' addresses are ours and internal to the organisation if not the network.

#4 pod (Master Untangler, joined Oct 2008, 120 posts)

OK, so having added a bypass rule:
    source address is 10.0.0.1 [enabled is ticked and bypass is ticked]
    ...and clicked save, I'm still seeing entries in the IPS all events list with a source address of 10.0.0.1.
    I thought these would go away?

#5 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 23,237 posts)

    If you bypassed it, the sessions don't hit any rack and therefore are not processed. So yeah, double check to make sure your rule is correct and you're not reading things funny. It can take a moment or two before things clear up. And if your rule is that simple "source address 10.0.0.1"

    Which does seem a bit odd to me? Isn't 10.0.0.1 Untangle? Or do you put your Untangle at .254?

#6 pod (Master Untangler, joined Oct 2008, 120 posts)

    I've had a reply from support:
    "Bypassing traffic bypasses all but the first packet through Intrusion Prevention. The only way to prevent the logging of this traffic is to disable the associated rule."

    So for our situation, I've disabled the SNMP signatures. We don't get the huge number of false positives but the downside is no scanning of unwanted SNMP either.
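One way to get what #1 asked for (keep the SNMP signatures enabled, but stop the known monitoring host from drowning the event list) is to filter on the analyst side rather than in the IPS, so SNMP from any other source still stands out. This is an added example, not Untangle's code: the CSV column layout and the sample events are constructed, and the 10.0.0.1 / snmp pairing follows the thread.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample export. The column names are an assumption for this
# example, not Untangle's real event format.
SAMPLE_EVENTS = """timestamp,source,destination,category,signature
2024-01-01T10:00:00,10.0.0.1,10.0.0.50,snmp,SNMP public community string request
2024-01-01T10:00:01,10.0.0.1,10.0.0.51,snmp,SNMP request udp
2024-01-01T10:00:05,10.0.0.77,10.0.0.50,snmp,SNMP public community string request
2024-01-01T10:00:09,10.0.0.1,10.0.0.50,web-attack,WEB-MISC suspicious request
"""

# Allowlist: source host or network -> signature categories it is expected
# to trigger. Only this exact (source, category) pairing is suppressed, so
# the monitor doing anything other than SNMP is still reported.
ALLOWLIST = {
    "10.0.0.1/32": {"snmp"},
}


def is_expected(event, allowlist=ALLOWLIST):
    """True when the event matches an allowlisted (source, category) pair."""
    try:
        src = ipaddress.ip_address(event["source"].strip())
    except ValueError:
        return False  # unparsable source: never silently suppress
    category = event["category"].strip().lower()
    for net, categories in allowlist.items():
        if src in ipaddress.ip_network(net, strict=False) and category in categories:
            return True
    return False


def triage(text, allowlist=ALLOWLIST):
    """Split a CSV export into (suppressed, actionable) event lists."""
    suppressed, actionable = [], []
    for row in csv.DictReader(StringIO(text)):
        (suppressed if is_expected(row, allowlist) else actionable).append(row)
    return suppressed, actionable


if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_EVENTS)
    print(f"suppressed {len(quiet)} expected events from known monitors")
    for ev in loud:
        print(f"REVIEW {ev['timestamp']} {ev['source']} -> {ev['destination']} "
              f"[{ev['category']}] {ev['signature']}")
```

The second SNMP source (10.0.0.77) and the monitor's non-SNMP hit both survive the filter, which is the distinction the bypass rule and the blanket signature disable each lose.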
