excluding threats from TAP alerting?

We have a TAP interface listening to a number of VLANs (internal and external).

We get a lot of noise in our alerts from threats we would prefer not to get alerted on.

For example, presently "SipVicious" scans are occurring all the time to what are actually unused IP addresses on one VLAN.

How can we dial these out???

Thanks

Rob

@RobinClayton,

I imagine if you are using a TAP interface you are just in the process of actually getting all of this set up, and therefore likely using the default profiles. This will by default cause an alert to be generated, but if you use a profile other than the default you can actually build out an exclusion within the profile to ignore certain threats.

I would be slightly more concerned however that you are getting alerts for scans taking place on the tap interface. Have you properly investigated these and verified that there aren't actually scans taking place across your network for some reason? If it's a false positive then I would look at adding an exclusion into the profile if you truly want to just get rid of the alerts that are being generated. 

Here are all of the IDs that you would need to exclude from a Spyware profile.

Capture.PNG

I do have specific profiles for the Tap for (AV/AS/VP).

And on the AS profile where SIPVicious can be found I have added an exclusion.

So "SIPVicious" is on the Anti-Spyware profile; I have an exclusion for the "Audit-Tool" as that's the only one we see.

But the alerts still come through.

ips.jpg

This particular traffic is on the outside of the network; it's being picked up as there is an un-routed "VLAN" on one of the monitored switch ports.

But we also get a lot of alerts generated because we run our own internal vulnerability scanner, so we generate our own false positive results.

Rob
In this exception you have action 'drop'. That will always be logged. Change to allow in exception.

Ah right, will give that a go, although the scans for that particular threat appear to have stopped now anyway.

Cheers

Rob

Thanks,

I am now not getting bombarded by unwanted alerts.

Rob
