IPS is blocking traffic from internal vulnerability check server
Hi All,
Good Day,
We are using SEP 12.1 RU1 MP1 and are not using the SEP firewall module on the machines. On some of the machines, IPS is blocking an application and logging an event with Severity: Critical while we are trying to run our vulnerability check from the VA application.
We need to exclude all traffic from the VA server. How can we achieve this?
A Sample Risk Log has been attached
-------------------------------------------------------------------
Event Time: 04/02/2013 13:52:20
Begin Time: 04/02/2013 13:52:23
End Time: 04/02/2013 13:52:23
Occurrence: 1
Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103
Signature ID: 23471
Signature Sub ID: 72833
Intrusion URL: N/A
Intrusion Payload URL: N/A
Event Description: [SID: 23471] OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103 attack blocked. Traffic has been blocked for this application: SYSTEM
Event Type: Intrusion Prevention
Hack Type: 0
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: X.X.X.X
Remote MAC: N/A
Remote Host Name: N/A
Alert: 1
Local Port: 445
Remote Port: 3287
-----------------------------------------------------------
Thanks in advance
Ajin
You can add the IP of the VA server to the excluded hosts file in the IPS policy. See here:
Setting up a list of excluded computers
SEP Knowledge Base
Endpoint SWAT
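Before adding the scanner to the excluded hosts list, it is worth confirming that the critical IPS events really do all come from the VA server and not from somewhere else on the network. The script below is an added example, not code from the thread or from Symantec: it parses the "Key: Value" record format shown in the posted risk log, and splits events into those whose Remote IP is an authorized scanner (expected noise) and those from any other host (still worth an analyst's attention). The scanner address 10.0.0.50, the second record and the allowlist are constructed assumptions, not data from the thread.

```python
"""Triage SEP IPS events against an authorized-scanner allowlist.

Added example, not code from the original thread or from Symantec.
It parses the "Key: Value" record format shown in the post, then splits
events into those whose Remote IP is an authorized vulnerability-assessment
(VA) scanner and those that are not.
"""
import ipaddress
import re

# Constructed sample export: the first record mirrors the one in the post
# (with the redacted X.X.X.X replaced by a made-up scanner address); the
# second is an invented record from a non-scanner host.
SAMPLE_LOG = """\
Event Time: 04/02/2013 13:52:20
Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103
Signature ID: 23471
Event Type: Intrusion Prevention
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 10.0.0.50
Local Port: 445
Remote Port: 3287
-----------------------------------------------------------
Event Time: 04/02/2013 14:10:07
Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103
Signature ID: 23471
Event Type: Intrusion Prevention
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 192.168.7.23
Local Port: 445
Remote Port: 51002
"""

# Hypothetical allowlist: the same addresses you would put in the IPS
# policy's excluded hosts list. Keep it to the scanner's exact address(es).
SCANNER_HOSTS = [ipaddress.ip_network("10.0.0.50/32")]


def parse_records(text):
    """Split a SEP log export into dicts, one per '---'-separated record."""
    records = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            # Split on the first colon only: values such as
            # "OS Attack: MS SMB2 ..." and timestamps contain colons too.
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Signature ID" in fields:
            records.append(fields)
    return records


def is_scanner(ip_text, allowlist=SCANNER_HOSTS):
    """True if the event's Remote IP falls inside an allowlisted scanner network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # 'X.X.X.X', 'N/A' and other redacted or empty values
        return False
    return any(ip in net for net in allowlist)


def triage(text, allowlist=SCANNER_HOSTS):
    """Return (expected, suspicious) record lists.

    expected:   blocks triggered by an allowlisted scanner, i.e. the noise
                the thread is about.
    suspicious: the same signature from any other host.
    """
    expected, suspicious = [], []
    for rec in parse_records(text):
        if is_scanner(rec.get("Remote IP", ""), allowlist):
            expected.append(rec)
        else:
            suspicious.append(rec)
    return expected, suspicious


def summarize(records):
    """Count events per (Signature ID, Remote IP) for a quick report."""
    counts = {}
    for rec in records:
        key = (rec.get("Signature ID"), rec.get("Remote IP"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LOG)
    print("expected scanner noise:", summarize(ok))
    print("needs investigation:  ", summarize(bad))
```

One caveat when you do add the scanner to the excluded hosts list: SEP IPS stops inspecting traffic to and from every address on that list, so keep the list to the scanner's exact addresses rather than a whole subnet, and make sure the scanner host itself is kept patched, since anything reaching the endpoints from it will no longer be checked.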
Hi Brian,
Thanks for your response.
The provided article is very impressive!!!! But is it applicable to SEP 12.1 RU1 MP1 when we are not using the SEP firewall on the machines?
Regards
Ajin
Yes, it still applies in your case. Firewall and IPS are both part of Network Threat Protection but are separate components. You can use both or only one.
SEP Knowledge Base
Endpoint SWAT
Hi!
In my opinion it is applicable in your case. Or you can use application learning, and you should add it to the exclusion list.