IPS - new signature's action set to default instead of the action specified in rule

Reply
L5 Sessionator

IPS - new signature's action set to default instead of the action specified in rule

Hello.

I have a general IPS profile with a rule (named block-crit,high) which includes all signatures with severity 'critical' and 'high'. Action for the rule is set to 'block'. I have automatic updates on for IPS signatures. Yesterday a new signature (OpenSSL SSL/TLS MITM vulnerability) was released with severity critical. When I checked my IPS profile today i noticed that signature was correctly included in above rule (block-crit,high) but the action for this signature was set to 'default (alert)' despite the action for rule being 'block'.

Is this expected behaviour? Are all new signatures set to default action? Can you set new signatures to block?

pa-ips.jpg

Best regards,

Simon Antonic

L4 Transporter

Re: IPS - new signature's action set to default instead of the action specified in rule

Hi

According to my knoweladge this is OK IF your "rules" section of this profiles looks like my:

2014-06-09_130656.png

2014-06-09_130622.png

This is example with Heartbleed because is easy to verify :smileywink:

My thread log have a lot of entries like:

2014-06-09_130927.png

So this is proof that is working.

Regards

SLawek

L5 Sessionator

Re: IPS - new signature's action set to default instead of the action specified in rule

Thank you for your response.

Yep, action in rule is on 'block'. I just wasn't 'lucky' enough to find an event triggered by this signature in logs to verify how it works.

Still a way to check current response for certain signature would be useful.

L5 Sessionator

Re: IPS - new signature's action set to default instead of the action specified in rule

Ok, I've come across the same problem again and still haven't found a solution for it.

How do you check what is the set action for certain signature? I couldn't find a CLI command for it and in GUI when you check 'show all signatures' every signature is listed with the default action and not with the action set by rule.

I believe this is a very important feature and I'd really need a way to check set actions for signatures in certain profile. Waiting for an attempt of exploit which would trigger that signature to happen and checking logs afterwards is not an answer.

Am i gettting a 'contact your SE for feature request' answer next? :smileyhappy:

Not applicable

Re: IPS - new signature's action set to default instead of the action specified in rule

are you using the built in ips profiles?

L4 Transporter

Re: IPS - new signature's action set to default instead of the action specified in rule

Santonic,

The action set in the vulnerability Rules are coherent with the default action set with individual signatures. In the exceptions tab, you just add an exception for an individual vulnerability signature and change the action according

to you requirements saying that exempt the action set in the Rule for this signature.

To see the default action set on a vulnerability signature, open the profile and navigate to exceptions tab. Check the show all signatures option which shows all the signatures with the default action associated with them.

Hope this is helpful and not confusing.........:)

Thanks

Highlighted
L2 Linker

Re: IPS - new signature's action set to default instead of the action specified in rule

Hi Simon,

You are right and that is the expected behavior.

When you create a rule and choose the action for that rule to "block" for the severities "critical and high" and have chosen "Any" in the CVE and Vendor-ID column, then any CVE (even CVE whose default action is alert) will be blocked. The vulnerabilities rules and the corresponding action in that rule (for any CVE/Vendor-ID OR for specified CVE/Vendor-ID) take precedence over the default threat ID actions. Again, the rule must be matched correctly for the corresponding action to take place.

You can change the default action for threat IDs. Click the "Exceptions" tab and then click "Show all signatures". Enter the threat ID in the search bar and click on the action to see the dropdown. Now choose the required action and ensure to check the "Enable" box.

Thanks

L5 Sessionator

Re: IPS - new signature's action set to default instead of the action specified in rule

Yes, I understand how it works (I think). The problem is that you can't see neither in GUI nor in CLI what is the current action for certain signature. Yes, you can see the rules, you can see in which rules the signature is included, and you can figure out what the action is.

But there is no view which would list the signature with the current set action, unless you make it an exception.


I know it's only a view missing and not functionality, but it would be really nice to see signature(s) listed with its current action for certain security profile like all the IPS systems have. I'd be happy already with a CLI command to check response, maybe something like "show policy security-profile 'profile_name'  AlertID 'ID_number' " and the output is signature name and set action for that profile.

L2 Linker

Re: IPS - new signature's action set to default instead of the action specified in rule

Hi Simon,

As of now, the options to view the default action is by checking "Show all signatures" in the Exceptions tab. You can also use the following CLI commands to view all the threats and their associated default action.

> configure

# show predefined threats  ---> displays all the threats. Use forward slash followed by the threat ID to search for a specific threat ID (/36729)

# show predefined threats vulnerability <threatID>

You may find https://threatvault.paloaltonetworks.com/ to also be helpful as it provides more information Click the magnifying icon to view the default action.

You can contact SE to place any feature requests.

Hope this helps.

Thanks

L5 Sessionator

Re: IPS - new signature's action set to default instead of the action specified in rule

Yes, seeing the default action is easy.

But seeing the current set action for certain signature (in specified profile) is impossible. You can only see in which rule it is included and then check the action for that rule. But I already had customers asking: "ok, show me that this signature is indeed in blocking mode for this profile". 

I'll open a feature request. And hopefully some of the readers here will help me with same requests :smileywink:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!