SSH Brute Force and IP exception


L4 Transporter

I have a vulnerability profile with the action for High severity signatures set to "alert". I then configured an exception for SSH Brute Force (ID 40015) as "block-ip, src and dst (30 mins)". Everything worked well until we had issues for the systems exiting from our own network and we had to provide an exception for our egress IP. We then added an IP address exception under the signature matching our egress IP. After this, the signature stopped blocking SSH brute force attempts for the rest of the world. Can someone please help me understand the behavior of the IP exception in this case? I need the SSH brute force signature to work for all IP addresses except my company's egress IP.

2 REPLIES

Cyber Elite

@Sly_Cooper,

How exactly did you set up your IP address exemption? Can you post a screenshot of that? It's pretty common to get this type of thing messed up, and it's not exactly intuitive in the GUI. The following article is pretty good at explaining how threat exemptions actually work; it doesn't really work how one would logically think it would.

https://live.paloaltonetworks.com/t5/Management-Articles/Add-a-Vulnerability-Exception-to-block-Spec...

Isn't the exception the reverse of the main action? Our threat profiles are configured with category High (server and client) as "Alert". We then configure exceptions for High severity signatures under Exception by "Enabling" the particular signature and setting the action to "reset, drop", etc. So basically I want this exception to have an IP exemption for my egress IP address to NOT block. I think my logic is reversed and the IP exemption is going to block the IP instead of providing an exception?
