Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
421 Views 2 Replies Latest reply: Jul 9, 2013 10:12 AM by russel RSS
russel Newcomer 20 posts since
Mar 18, 2013
Currently Being Moderated

Jul 3, 2013 8:44 AM

Netprobe Blackhole

Hello all, I have setup an Attack Response with a custom filter. The email alerts are making it to me fine when the conditions are met, but the hosts in the conditions that triggered the response aren't being blackehold. I have the strikeback set to blackhole all attacking hosts. My question is, since the all the events in the trigger are type netprobe and priority minor, are the IPs not blackholed because the events are not type attack?

  • mtuma McAfee SME 315 posts since
    Nov 3, 2009
    Currently Being Moderated
    1. Jul 3, 2013 8:48 AM (in response to russel)
    Re: Netprobe Blackhole

    Because the firewall cannot confirm whether or not the netprobes have been spoofed, by default, we do not allow blackholing of them.

     

    Try this:

    Go to IPS Attack Responses and click the 'Response Settings' button in the bottom-right corner.

    Check the box next to 'Blackhole source IP if attack IP cannot be confirmed' and Save this change.


    Does the blackhole now work?

     

    -Matt

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points