
IPS is blocking Traffic from internal vulnerability Check Server

Created: 04 Feb 2013 • Updated: 05 Feb 2013 | 4 comments
This issue has been solved. See solution.

Hi All,

Good Day,

We are using SEP 12.1 RU1 MP1 and are not using the SEP firewall module on the machines. On some of the machines, IPS is blocking an application and logging an event with Severity: Critical while we are trying to run our vulnerability check from the VA application.

We need to exclude all traffic from the VA server. How can we achieve this?

A sample risk log is attached:

-------------------------------------------------------------------

Event Time: 04/02/2013 13:52:20

Begin Time: 04/02/2013 13:52:23

End Time: 04/02/2013 13:52:23

Occurrence: 1

Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103

Signature ID: 23471

Signature Sub ID: 72833

Intrusion URL: N/A

Intrusion Payload URL: N/A

Event Description: [SID: 23471] OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103 attack blocked. Traffic has been blocked for this application: SYSTEM

Event Type: Intrusion Prevention

Hack Type: 0

Severity: Critical

Application Name: SYSTEM

Network Protocol: TCP

Traffic Direction: Inbound

Remote IP: X.X.X.X

Remote MAC: N/A

Remote Host Name: N/A

Alert: 1

Local Port: 445

Remote Port: 3287

-----------------------------------------------------------

Thanks in advance

Ajin


.Brian:

You can add the IP of the VA server to the excluded hosts list in the IPS policy. See here:

Setting up a list of excluded computers

Article:HOWTO81159  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81159


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
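Before putting the scanner into the IPS excluded hosts list it is worth confirming that every blocked event really did come from the scanner's address: an excluded host bypasses IPS entirely, so the same SID 23471 hit from any other source should be investigated rather than excluded. The following Python script is an added example, not code from this thread or from Symantec. It parses the "Key: Value" one-field-per-line export shown in the question, and then splits the intrusion-prevention records into those from a known scanner and those from anywhere else. The scanner address 10.0.5.20 (standing in for the masked X.X.X.X), the second record from 10.0.9.77, and the `SCANNER_HOSTS` list are all constructed for the example.

```python
"""
Triage Symantec Endpoint Protection IPS log records before adding an
excluded host. Added example; not from the forum thread or from Symantec.
Assumes the "Key: Value" one-field-per-line export layout shown in the
question. Scanner address, second record and SCANNER_HOSTS are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: two SEP IPS records in the layout shown in the thread.
# 10.0.5.20 stands in for the VA scanner (X.X.X.X in the original post);
# 10.0.9.77 is a constructed second source that is NOT a known scanner.
SAMPLE_LOG = """\
Event Time: 04/02/2013 13:52:20
Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103
Signature ID: 23471
Event Type: Intrusion Prevention
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 10.0.5.20
Local Port: 445
Remote Port: 3287

Event Time: 04/02/2013 14:10:02
Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103
Signature ID: 23471
Event Type: Intrusion Prevention
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Inbound
Remote IP: 10.0.9.77
Local Port: 445
Remote Port: 51022
"""

# Constructed: the authorised vulnerability-assessment scanner(s).
SCANNER_HOSTS = [ipaddress.ip_network("10.0.5.20/32")]


def parse_records(text):
    """Split a SEP log export into records. Records are blank-line separated;
    each line is 'Key: Value', where the value may itself contain ': '
    (e.g. 'Signature Name: OS Attack: ...'), so split on the first ': ' only."""
    records = []
    current = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value
    if current:
        records.append(current)
    return records


def is_scanner(ip_text):
    """True if the remote address belongs to one of the authorised scanners."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in SCANNER_HOSTS)


def triage(text):
    """Return (expected, unexpected): IPS events from known scanners versus
    all other sources, each a dict of remote IP -> [(signature id, local port)]."""
    expected, unexpected = defaultdict(list), defaultdict(list)
    for rec in parse_records(text):
        if rec.get("Event Type") != "Intrusion Prevention":
            continue
        ip = rec.get("Remote IP", "")
        hit = (rec.get("Signature ID"), rec.get("Local Port"))
        (expected if is_scanner(ip) else unexpected)[ip].append(hit)
    return dict(expected), dict(unexpected)


if __name__ == "__main__":
    ok, alarm = triage(SAMPLE_LOG)
    print("From authorised scanners (candidates for IPS excluded hosts):", ok)
    print("From other sources (investigate; do not exclude):", alarm)
```

Run it against a real export by reading the file into `SAMPLE_LOG`'s place and filling `SCANNER_HOSTS` with the actual scanner addresses; only the "expected" group is a candidate for the excluded hosts list.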
AjinBabu:

Hi Brian,

Thanks for your response.

The provided article is very impressive! But is it applicable to SEP 12.1 RU1 MP1 when we are not using the SEP firewall on the machines?

Regards

Ajin

.Brian:

Yes, it still applies in your case. Firewall and IPS are a part of Network Threat Protection but are separate components. You can use both or only one.


guwy:

Hi!

In my opinion it is applicable in your case. Or you can use application learning and add it to the exclusion list.