Hello all, I have set up an Attack Response with a custom filter. The email alerts are making it to me fine when the conditions are met, but the hosts in the conditions that triggered the response aren't being blackholed. I have the strikeback set to blackhole all attacking hosts. My question is, since all the events in the trigger are type netprobe and priority minor, are the IPs not blackholed because the events are not type attack?
Because the firewall cannot confirm whether or not the netprobes have been spoofed, by default, we do not allow blackholing of them.
Go to IPS Attack Responses and click the 'Response Settings' button in the bottom-right corner.
Check the box next to 'Blackhole source IP if attack IP cannot be confirmed' and Save this change.
Does the blackhole now work?