topic Re: SSH Brute Force and IP exception in General Topics

SSH Brute Force and IP exception

Sly_Cooper — Mon, 10 Jul 2017 21:16:20 GMT

I have vulnerability profile with action for High severity signatures as "alert". I then configured an exception for SSH Brute Force (ID 40015) as "block-ip, src and dst (30 mins)". Everything worked well until we had issues for the systems exiting from our own network and we had to provide an exception for our egress ip. We then added IP address exception under the signature matching our egress ip. Post this the signature stopped blocking SSH brute force attempts for rest of the world. Can someone please help me understand behavior of IP exception in this case? I need SSH brute force signature work for all ip addresses except my company's egress ip.

Re: SSH Brute Force and IP exception

BPry — Tue, 11 Jul 2017 12:43:16 GMT

@Sly_Cooper,

How exactly did you setup your IP address exemption, can you post a screenshot of that. It's pretty common to get this type of thing messed up and it's not exactly intuative on the GUI. The following article is pretty good at explaining how threat exemptions actually work; it doesn't really work how one would logically think it would.

https://live.paloaltonetworks.com/t5/Management-Articles/Add-a-Vulnerability-Exception-to-block-Specifically-Based-Upon/ta-p/66064

Re: SSH Brute Force and IP exception

Sly_Cooper — Tue, 18 Jul 2017 17:46:55 GMT

Isnt exception reverse of main action? Our threat profiles are configured with category High (server and client) as "Alert". We then configure exception for High severity signatures under Exception by "Enabling" particular signature and action as "reset, drop" etc. So basically I want this exception to have IP exempt for my egress ip address to NOT block. I think my logic is reverse and IP exempt is going to block the ip instead of providing exception?