2 Replies Latest reply on Jan 28, 2012 4:32 AM by dmease729

    NSP - AutoAck based on attack filter assignment




      I use a large number of vendors' IPS appliances, and I may be having a brain freeze here, but cannot think of a way to carry out what I require...


      Essentially we have a large number of alerts coming through every half hour - using the below as an example:

          -> port 25     Exchange Exploit XYZ     blocked


      As we are investigating, we still want the alerts to be recorded, but we do not want them to appear in the real-time analyzer.  If we assign an attack filter to the above, then the traffic will no longer be blocked (this is bad).  If we configure the auto-ack option in the attack settings, then we will lose visibility of this attack happening elsewhere (this is also bad).  What we really need is some way to auto-ack, but only for specific source and destination pairs.  I feel I am missing something quite obvious here, so feel free to get an easy answer in :-) but I cannot for the life of me think of how to achieve this at present...


      Yours head-scratchingly,

        • 1. Re: NSP - AutoAck based on attack filter assignment

          Yeah, that's a good one.  No real way of doing that.   You'd really need auto ack with more granular options, but presently the application doesn't support that.

          If you want, you could set up alert throttling to help minimize the flood of alerts.  In IPS settings > Sensor Name > Advanced Scanning > Logging and Alerting, enable Alert Suppression... this would be across the board on all alerts though.


          So, for example, the default is 120 seconds.  If you see 200 alerts in 120 seconds, list only 1 alert in the Threat Analyzer instead of all of them (but block all of them).  Opening the 1 alert in the Threat Analyzer shows you the count of alerts suppressed in that 120 second span.


          Message was edited by: SGROSSEN on 1/27/12 5:55:00 PM CST
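The two mechanisms discussed in the reply, as an added example that is not part of this thread and is not McAfee code: a small Python model of (a) the across-the-board alert suppression window described above (first alert in a 120 second span is listed, the rest are counted against it) and (b) the per-source/destination-pair auto-ack the original poster is asking for, which keeps every alert recorded and still blocked and only changes what the real-time view lists. The alert records, the `ACK_RULES` tuple and the field names are constructed for this example; the `key` argument of `throttle` goes beyond the reply by also showing suppression keyed per (source, destination, attack) pair rather than per attack, which is the "granular" option the thread says the product lacks.

```python
from collections import namedtuple

# Constructed sample alerts for this example (not real NSP output).
# Fields mirror the thread's example line: timestamp (seconds), source,
# destination, attack name, sensor action.
Alert = namedtuple("Alert", "ts src dst attack action")

SAMPLE_ALERTS = [
    Alert(0,   "10.0.0.5",     "192.0.2.10", "Exchange Exploit XYZ", "blocked"),
    Alert(30,  "10.0.0.5",     "192.0.2.10", "Exchange Exploit XYZ", "blocked"),
    Alert(60,  "10.0.0.5",     "192.0.2.10", "Exchange Exploit XYZ", "blocked"),
    Alert(90,  "198.51.100.7", "192.0.2.10", "Exchange Exploit XYZ", "blocked"),  # other source
    Alert(130, "10.0.0.5",     "192.0.2.10", "Exchange Exploit XYZ", "blocked"),  # next window
    Alert(140, "10.0.0.5",     "192.0.2.10", "Exchange Exploit XYZ", "blocked"),
    Alert(150, "10.0.0.9",     "192.0.2.11", "Other Attack",         "blocked"),
]

# Hypothetical per-pair auto-ack rule: (source, destination, attack).
ACK_RULES = {("10.0.0.5", "192.0.2.10", "Exchange Exploit XYZ")}


def auto_ack_pairs(alerts, ack_rules):
    """Mark alerts that match a (src, dst, attack) rule as acknowledged.

    Every alert is kept and its action is untouched, so the block still
    happens and the record survives; only the 'acked' flag changes.
    Returns a list of (alert, acked) tuples in input order.
    """
    return [(a, (a.src, a.dst, a.attack) in ack_rules) for a in alerts]


def throttle(alerts, window=120, key=lambda a: a.attack):
    """Alert suppression as the reply describes it.

    For each key, the first alert opens a window of `window` seconds; later
    alerts in that window are counted, not listed.  Returns a list of
    (alert, suppressed_count) for the alerts that would be shown.
    """
    shown = []
    open_windows = {}  # key -> (index into shown, window start ts)
    for a in sorted(alerts, key=lambda x: x.ts):
        k = key(a)
        if k in open_windows and a.ts - open_windows[k][1] < window:
            idx = open_windows[k][0]
            shown[idx] = (shown[idx][0], shown[idx][1] + 1)
        else:
            open_windows[k] = (len(shown), a.ts)
            shown.append((a, 0))
    return shown


def realtime_view(alerts, ack_rules, window=120):
    """What the real-time view would list: un-acked alerts, then throttled."""
    unacked = [a for a, acked in auto_ack_pairs(alerts, ack_rules) if not acked]
    return throttle(unacked, window=window)


if __name__ == "__main__":
    print("Across-the-board suppression, keyed by attack:")
    for a, n in throttle(SAMPLE_ALERTS):
        print(f"  {a.ts:4d}s {a.src:>13} -> {a.dst} {a.attack}: +{n} suppressed")
    print("Per-pair auto-ack, then suppression:")
    for a, n in realtime_view(SAMPLE_ALERTS, ACK_RULES):
        print(f"  {a.ts:4d}s {a.src:>13} -> {a.dst} {a.attack}: +{n} suppressed")
```

With the sample data, throttling keyed by attack collapses the 198.51.100.7 alert at 90 s into the 10.0.0.5 window, which is exactly the visibility loss the original post worries about; the per-pair auto-ack path leaves that alert listed while the acked pair still shows as blocked in the record.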
          • 2. Re: NSP - AutoAck based on attack filter assignment



            Thanks for confirming!  I thought that may be the case, and I had also looked at the alert throttling.  I think the key word you have used above is granular, with respect to both alert filtering and suppression.  Not wanting to big up other vendors (from a technical perspective I believe McAfee is still at the front, and Gartner also agree!), but from an operational perspective I don't tend to see clients getting as much out of this product range as would be possible with granular options.  Cisco (although I haven't worked with their 42xx for a while) have suppression options for each alert, and the attack filters contain settings that let you pick exactly what you want to filter out (e.g. remove alert, remove log, don't block, block) etc.  Would it be helpful if I raise a PER?  I like the McAfee sensors, and would love to see them raise their game when it comes to assisting with day to day operations for clients.