
How to suppress nuisance IPS alerts?

I have IPS alerting enabled on our UTM appliance and frequently get bombarded with intrusion alerts related to "INDICATOR-COMPROMISE Suspicious .win dns query" (or similar for .pl, .tk, etc. domains), and when looking into these events I've found that they are either harmless noise or linked to dodgy links/content on websites. I've been looking for a way to suppress these alerts without having to resort to turning off alerting entirely and found the option for "Manual Rule Modification", under Network Protection>Intrusion Prevention>Advanced. In this instance the rule ID for the nuisance alert is 2101, so I've modified the rule to still drop but no longer notify:

Is this the correct approach for suppressing select alerts or should I rather be doing this in some other fashion?

Any guidance will be greatly appreciated :-)

  • For IPS, you should be aware of this useful link: lists.astaro.com, then choose ASGV9-IPS-rules.html

    It provides information about all of the rules supported by IPS, although it may be outdated. It says that the Server / Misc / DNS group has 62 entries, but my UTM says it has 34 attacks, 53 warnings = 87 total. Each entry shows the rule number and provides a link for more information.

    For this particular problem, the list confirms that your rule is in the Server / Misc / DNS group.

    So for your question, the options are:

    • Uncheck notification for the Server / Misc / DNS group within Network Protection... Intrusion Protection System... Attack Patterns (tab)
    • Uncheck email on one or more of the options within Management... Notifications... Notifications (tab)... Intrusion Protection (section)

    As long as IPS is blocking the traffic, I don't worry too much about IPS events, so APT alert is the only entry in that group that I send to email. The remainder are evaluated using log files.

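Both approaches in the thread (drop without notifying, or unchecking notification for the group) leave the dropped events in the IPS log, which is where the answer above says the remaining events get evaluated. The following script is an added example, not code from this thread or from Sophos, of how that log review can be automated: known nuisance signatures that the IPS already dropped are set aside, while anything that was merely alerted on, or that is not on the nuisance list, is kept for a person to look at. It assumes a key="value" log line layout with the fields name, action, group, srcip and dstip; the sample lines and the NUISANCE_PREFIXES list are constructed for the example and are not taken from a real appliance.

```python
"""Triage Sophos UTM-style IPS log lines offline.

Added example (not code from the thread or from Sophos). It assumes the
IPS log has one event per line in key="value" form with at least the
fields sub, name, action, group, srcip and dstip; the sample lines below
are constructed to match that assumption, not copied from a real UTM.
"""
import re
from collections import Counter

# Constructed sample lines (hypothetical, modelled on key="value" syslog).
SAMPLE_LOG = """\
2023:01:10-09:12:01 utm snort[4711]: severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .win dns query" action="drop" group="Server / Misc / DNS" srcip="192.0.2.10" dstip="198.51.100.53" dstport="53"
2023:01:10-09:12:05 utm snort[4711]: severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .tk dns query" action="drop" group="Server / Misc / DNS" srcip="192.0.2.11" dstip="198.51.100.53" dstport="53"
2023:01:10-09:13:40 utm snort[4711]: severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .pl dns query" action="alert" group="Server / Misc / DNS" srcip="192.0.2.12" dstip="198.51.100.53" dstport="53"
2023:01:10-09:15:22 utm snort[4711]: severity="crit" sys="SecureNet" sub="ips" name="MALWARE-CNC Example beacon" action="drop" group="Malware" srcip="192.0.2.13" dstip="203.0.113.7" dstport="443"
"""

# Signature name prefixes the operator has judged to be noise on this network.
# Constructed list for the example; tune it to your own triage findings.
NUISANCE_PREFIXES = ("INDICATOR-COMPROMISE Suspicious .",)

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def is_nuisance(event):
    """True when the signature name matches one of the nuisance prefixes."""
    return event.get("name", "").startswith(NUISANCE_PREFIXES)


def triage(log_text):
    """Split IPS events into suppressed noise and events needing review.

    An event is suppressed only if it is on the nuisance list AND the IPS
    dropped it. Anything the IPS merely alerted on is kept for review even
    when its name is on the list, because that traffic was not blocked.
    """
    review = []        # events a person should look at
    suppressed = []    # noise the IPS already dropped
    per_group = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("sub") != "ips":
            continue               # skip non-IPS lines in a mixed log
        per_group[ev.get("group", "?")] += 1
        dropped = ev.get("action") == "drop"
        if is_nuisance(ev) and dropped:
            suppressed.append(ev)
        else:
            review.append(ev)
    return {"review": review, "suppressed": suppressed, "per_group": per_group}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"suppressed {len(result['suppressed'])} dropped nuisance event(s)")
    for ev in result["review"]:
        print(f"REVIEW action={ev['action']:<5} {ev['name']} "
              f"{ev['srcip']} -> {ev['dstip']}")
    for group, n in result["per_group"].most_common():
        print(f"{n:4d}  {group}")
```

On the constructed sample the two dropped DNS-query events are suppressed, the .pl query that was only alerted on is kept for review, and the unrelated Malware-group drop is kept as well; the per-group counter gives the same kind of group-level view the Attack Patterns tab offers, but computed from the log rather than from the notification settings.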