
IPS triggering on UTM VM backup

Hi folks,

A quick one: I'm trying to back up a UTM VM over IPsec. It works fine, although I've had to modify two IPS signatures, 48812 & 48814 (which I've set to alert only).

Based on the IPS notification, I would appreciate it if anyone could give me a hint at how to make a correct exclusion for that backup traffic, effectively excluding it from all IPS scanning. I suspect the local Snort DB itself is transiting on the wire and falsely triggering the IPS.

I've tried to make a service entry with source port 902 / dst port 1:65535 and excluding IPS on that service, but this fails.

Thanks for any inputs.

=====================================================

Message........: MALWARE-OTHER Ransomware SamSam variant detected
Details........: www.snort.org/search
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)
 
Source IP address: 1.2.3.4 (fatburgers.wh.gov)
Source port: 902 (ideafarm-chat)
Destination IP address: 4.3.2.1
Destination port: 26135

=====================================================
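
The following is an added worked example, not Sophos UTM code and not a description of how the UTM evaluates its own exclusion rules. It parses the notification format quoted above and checks each alert against two candidate exclusions: one keyed on source port 902 alone, the shape of the service object described in the post, and one pinned to the two backup endpoints plus the signature text that fires. The second alert, the host 10.9.8.7, and the `FlowExclusion` / `verdicts` names are assumptions made for the example.

```python
"""Scope an IPS exclusion to the backup flow rather than to a source port alone.
Added example, not Sophos UTM code: the first alert is the one quoted in the
post; the second alert, the 10.9.8.7 host and the hostnames are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input in the post's format: the original alert plus one from an
# unrelated host that happens to use source port 902 as well.
SAMPLE_NOTIFICATIONS = """\
Message........: MALWARE-OTHER Ransomware SamSam variant detected
Details........: www.snort.org/search
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)

Source IP address: 1.2.3.4 (fatburgers.wh.gov)
Source port: 902 (ideafarm-chat)
Destination IP address: 4.3.2.1
Destination port: 26135
=====================================================
Message........: MALWARE-OTHER Ransomware SamSam variant detected
IP protocol....: 6 (TCP)
Source IP address: 10.9.8.7
Source port: 902
Destination IP address: 4.3.2.1
Destination port: 40000
=====================================================
"""

# Both "Key....: value" and "Key: value" occur in the notification text.
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\.*\s*:\s*(.*)$")

@dataclass(frozen=True)
class Alert:
    message: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_alerts(text: str) -> list[Alert]:
    """Split notification text on '=====' separators into Alert records."""
    alerts: list[Alert] = []
    fields: dict[str, str] = {}
    for raw in text.splitlines() + ["====="]:  # sentinel flushes the last record
        line = raw.strip()
        if line.startswith("====="):
            if fields:
                # Values like "902 (ideafarm-chat)" carry a label; keep the first token.
                tok = lambda key: fields[key].split()[0]
                alerts.append(Alert(fields.get("message", ""),
                                    tok("source ip address"), int(tok("source port")),
                                    tok("destination ip address"), int(tok("destination port"))))
                fields = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return alerts

@dataclass(frozen=True)
class FlowExclusion:
    """Suppress alerts only between two endpoints, optionally for one signature text."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    src_ports: tuple[int, int] = (1, 65535)
    dst_ports: tuple[int, int] = (1, 65535)
    message_contains: Optional[str] = None

    def matches(self, a: Alert) -> bool:
        return (ipaddress.ip_address(a.src_ip) in self.src_net
                and ipaddress.ip_address(a.dst_ip) in self.dst_net
                and self.src_ports[0] <= a.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= a.dst_port <= self.dst_ports[1]
                and (self.message_contains is None or self.message_contains in a.message))

def verdicts(alerts: list[Alert], exclusions: list[FlowExclusion]) -> list[str]:
    """'excluded' when some exclusion covers the alert, otherwise 'investigate'."""
    return ["excluded" if any(e.matches(a) for e in exclusions) else "investigate"
            for a in alerts]

ANY = ipaddress.ip_network("0.0.0.0/0")
# Source port 902 to any destination port: the shape of the service object in the post.
PORT_ONLY = FlowExclusion(ANY, ANY, src_ports=(902, 902))
# Pinned to the two backup peers and to the signature family that fires on them.
BACKUP_FLOW = FlowExclusion(ipaddress.ip_network("1.2.3.4/32"), ipaddress.ip_network("4.3.2.1/32"),
                            src_ports=(902, 902), message_contains="Ransomware SamSam")

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_NOTIFICATIONS)
    for a, broad, scoped in zip(alerts, verdicts(alerts, [PORT_ONLY]), verdicts(alerts, [BACKUP_FLOW])):
        print(f"{a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port}  port-only={broad}  scoped={scoped}")
```

Running it shows the port-only rule also swallowing the alert from the unrelated host, while the endpoint-scoped rule leaves that one to be investigated. Whatever mechanism the UTM uses internally, the exclusion worth asking for is one bound to both peers of the backup session (and, where possible, to the signatures that actually fire), not to a port number that any host can use.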


