Hi folks,
A quick one: I'm trying to back up a UTM VM over IPsec. It works fine, although I've had to modify two IPS signatures, 48812 & 48814 (which I've set to alert only).
Based on the IPS notification, I would appreciate it if anyone could give me a hint on how to make a correct exclusion for that backup traffic, effectively excluding it from all IPS scanning. I suspect the local snort DB itself is transiting on the wire and triggering an IPS false positive.
I've tried to make a service entry with source port 902 / dst port 1:65535 and to exclude IPS on that service, although this fails.
Thanks for any inputs.
Message........: MALWARE-OTHER Ransomware SamSam variant detected
Details........: www.snort.org/search
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)
Source IP address: 22.214.171.124 (fatburgers.wh.gov)
Source port: 902 (ideafarm-chat)
Destination IP address: 126.96.36.199
Destination port: 26135
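As an added example (not from this thread or from Sophos), a small Python parser for the notification format pasted above: it strips the dot padding, pulls out the flow 5-tuple an IPS exception would have to match, and flags which endpoint sits in a local range. The sample notification is constructed from the post's own text, and the RFC 1918 prefixes used for "local" are an assumption you would replace with your own subnets.

```python
import ipaddress
import re

# Constructed sample in the notification format pasted above (IPs as shown in the post).
SAMPLE = """\
Message........: MALWARE-OTHER Ransomware SamSam variant detected
Details........: www.snort.org/search
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)
Source IP address: 22.214.171.124 (fatburgers.wh.gov)
Source port: 902 (ideafarm-chat)
Destination IP address: 126.96.36.199
Destination port: 26135
"""
# "Key....: value" lines: dot-padded key; the value may itself contain colons (Time field).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.*: (?P<value>.*)$")
# "1.2.3.4 (name)" / "902 (svc)": the literal, then an optional annotation in parentheses.
VALUE_RE = re.compile(r"^(\S+)(?:\s+\((.*)\))?$")

def parse_notification(text):
    # Return the notification as {key: value} with the dot padding stripped.
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields

def split_value(value):
    m = VALUE_RE.match(value)
    return m.group(1), m.group(2)   # annotation is None when absent

def summarize(text, local_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """5-tuple an IPS exception must match, plus which side is local (RFC 1918 assumed)."""
    f = parse_notification(text)
    nets = [ipaddress.ip_network(n) for n in local_nets]
    src_ip, _ = split_value(f["Source IP address"])
    src_port, src_svc = split_value(f["Source port"])
    dst_ip, _ = split_value(f["Destination IP address"])
    dst_port, _ = split_value(f["Destination port"])
    proto = split_value(f["IP protocol"])[1]   # "TCP" out of "6 (TCP)"
    def local(ip): return any(ipaddress.ip_address(ip) in n for n in nets)
    return {
        "signature": f["Message"], "dropped": f["Packet dropped"].lower() == "yes",
        "flow": (proto, src_ip, int(src_port), dst_ip, int(dst_port)),
        "src_local": local(src_ip), "dst_local": local(dst_ip),
        "src_service": src_svc,   # IANA name the UTM attached to the port (ideafarm-chat here)
    }
```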
Please show us a representative line from the Intrusion Prevention log. If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical or just in the same subnet.
Cheers - Bob
Out of curiosity, what backup technology (or product) is used for that? And in addition to the request from Bob, maybe show a screenshot of your IPS exclusion.