Custom Threat is being identified, but not taking the correct action.

Reply
L1 Bithead

Custom Threat is being identified, but not taking the correct action.

We have a custom vulnerability for Datanyze Scraping that is being idenfied but only alerting.  This signature looks for http-req-headers and dns-req-headers for the value of Datanyze.  This is working great, I can see the traffic in the threat log so I know it is being properly identified.

 

The configuration of the signature has it set as Severity: Medium, Default Action: Reset Both, Direction: Both and Affected System:  Client-and-server.

 

I checked the policies where the traffic is coming in on and it has the correct vulnerability profile.  Note that on the profile we have criticals - mediums set to do a reset-both.  We also are not using app-id on this policy but traditional 80/443 service ports.

 

Any idea why this would be happening?  My next step is a support ticket but would like to figure this one out on my own.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!