4 Replies Latest reply on Jul 6, 2017 6:01 AM by d_aloy

    Recon and DDOS rules in IPS policy (NSP)

    pocket87

      I created a new attack profile and included all rules categorized as malware. I linked this profile to one of our active IPS policies, but when I look at the attack definitions within the policy, I'm seeing a large number of recon and DDOS categorized rules in there. In my attack profile, recon, exploit, and policy violation rules are not included. Where are these rules being added from since they're not classified as malware?

        • 1. Re: Recon and DDOS rules in IPS policy (NSP)
          d_aloy

          Hi pocket87


          There is a bug with attack profile categorisation that is currently being fixed.

          The 8.3 fix requires a manager HF (already available) and also the sigset to be updated with the correct categorisation for the signatures (currently work in progress).


          Best option is to contact support and get the latest NSM HF so that when the sigset is corrected your attack set profiles show the correct signatures included.


          Regards

          David

          • 2. Re: Recon and DDOS rules in IPS policy (NSP)
            pocket87

            Thank you for the quick response! We'll talk to support and attempt to apply the HF. From digging deeper, it looks like it took all the rules from our default reconnaissance policy and just threw them into my custom malware one.

            • 3. Re: Recon and DDOS rules in IPS policy (NSP)
              peter.mason

              Hi David,


              Is this bug listed in the Known Issues? Do you have any details of exactly what the bug is?


              Thanks


              Peter

              • 4. Re: Recon and DDOS rules in IPS policy (NSP)
                d_aloy

                Hi Peter


                BZ is 1159374.


                The problem is that when creating custom attack set profiles, non-relevant attacks are added to the new attack set profile.


                For example, you create a new rule set for the Linux OS, but it will show Windows signatures :/


                This requires a manager upgrade to minimum NSM HF 8.3.7.53.7. At the same time, the IDT team is correcting the attack classification on the sigset. I know some of the signatures have already been corrected, but I still see issues with some (i.e. MS).


                If you are on the above NSM HF build, then any new rule set you create will be corrected as the classification is corrected on the sigset.


                Regards

                David