Hi folks,
A quick one, I'm trying to backup an UTM VM over IPsec. It works fine although I've had to modify two IPS signatures; 48812 & 48814 (which i've set to alert only).
Based on the IPS notification, I would appreciate if anyone could give me a hint at how to make a correct exclusion for that backup traffic, effectively excluding it from all IPS scanning. I suspect the local snort DB itself transiting on the wire and false positively triggering IPS.
I've tried to make a service entry with source port 902 / dst port 1:65535 and excluding IPS on that service although this fails.
Thanks for any inputs.
=====================================================
Message........: MALWARE-OTHER Ransomware SamSam variant detected
Details........: www.snort.org/search
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)
Source IP address: 1.2.3.4 (fatburgers.wh.gov)
Source port: 902 (ideafarm-chat)
Destination IP address: 4.3.2.1
Destination port: 26135
=====================================================
This thread was automatically locked due to age.
