1 of 1 people found this helpful
Have you checked the attack compilation settings on the device tab?
From the IPS guide:
Configuration of attack compilation
The Attack Compilation page enables you to specify the type of attack definitions to be included in the IPS
Policies for a specific Sensor.
To access the Attack Compilation page:
1 Click the Devices tab.
2 Select the domain from the Domain drop-down list.
3 On the left pane, click the Devices tab.
4 Select the device from the Device drop-down list.
5 Select Troubleshooting | Attack Compilation.
You can select the following types of attack definitions for the Sensor:
• Default McAfee Attacks (from the Signature Set)
• Custom Attacks–McAfee Format — These are the McAfee Custom Attacks that you defined or received
• Custom Attacks–Imported Snort Rules — These are the Snort Custom Attacks that you imported into or created in the Manage
thanks for your reply , but the three types are already selected , but same result .
Is the snort rule 'included' on the custom attack editor?
If it shows as included, what priority have you given it?
Does it show on the Default IPS policy?
What's the NSM version you use?
Are the SNORT rules showing under the Master Attack Repository policy?
Dear David ,
no its not a, and the NSM version is 18.104.22.168 its only appeared on the Custom attack snort rule editor .
Priority sets the severity on SNORT rules. Could you share a couple of your rules please?
kindly find the below , thanks in advance :
alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within :4; content:"|00 00 0a 00 01|"; offset:12; within:255; threshold: type threshold, track by_src, count 10, seconds 5; sid: 5700001; rev: 1)
alert udp any any -> any 53 (msg:"High CNAME requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within :4; content:"|00 00 05 00 01|"; offset:12; within:255; threshold: type threshold, track by_src, count 10, seconds 5; sid: 5700003; rev: 1)