Configuring a Network IPS or Host IPS to ignore or whitelist traffic from certain IP addresses

Technote (FAQ)


Question

How can you configure a Network IPS or Host IPS to ignore or whitelist traffic from certain internal hosts without creating firewall rules?

Answer

To configure a Proventia GX appliance to ignore traffic (or events) from certain IP address(es), we have provided the pam.report.filter* advanced parameter. All traffic or events with a source or destination matching the defined IP address(es) will be ignored. Users can add this parameter to the Tuning Parameters or Local Tuning Parameters policy in the following contexts:


Filtering IPS Events by IP Address (Source or Destination)

Example Scenario: We have a scanner that routinely generates many security events during audit scans. Because we know that these events are benign, we don't want our IPS using extra system resources to process them. We also do not want to use our database to store all this unnecessary security event data. We can filter this traffic at the inspection engine level by using the following tuning parameter:

Name: pam.report.filterall
Value: ip addr 192.168.0.1

There are many different ways the Value field can be completed, depending on your needs. Here are some examples:

Name: pam.report.filterall
Value: string

To filter events by                                  Value string example
Single IP (source or destination)                    ip addr 192.168.0.1
Single source IP address                             ip intruder addr 192.168.0.1
Single destination IP address                        ip victim addr 192.168.0.2
All events from/to a subnet (using CIDR notation)    ip addr 192.168.0.0/24
All events from/to a range of addresses              ip addr 192.168.0.1-192.168.0.20

Note: To add multiple values, separate them using a comma (with no space).


Filtering IPS Events by Specific Event ID and IP Address (Source or Destination)

Example Scenario: We use the RDP_Login audit event to monitor remote access on our admin VLAN. The common management system is 10.0.0.23. We don't want to see the RDP_Login events from this system. To filter this event for this IP address at the inspection engine, we first need to find the issueid for RDP_Login. There are two ways this can be done. First, you can right-click the event in the Analysis View in the SiteProtector Console and choose Open Event Details..., or you can look the event up in the PAM.chm. Both of these sources are considered authoritative and will provide the issueid for the event you are looking for. The issueid for RDP_Login is 3113009. We will use the following tuning parameter for this example:

Name: pam.report.filter.3113009
Value: ip addr 10.0.0.23

The filter parameter accepts all the Value variants that the filterall parameter does:

Name: pam.report.filter.<issueid>
Value: string


Using Multiple filterall or filter Parameters

It is sometimes necessary to add multiple instances of these parameters, depending on administrative need. For example, you could create one parameter to filter events generated by a vulnerability scanner and another to ignore events for a particular host.

You can add multiple instances of the parameter, each filtering a different address entry, by appending an index to the parameter name.

Example using multiple filterall parameters:

Name: pam.report.filterall.0
Value: ip addr 192.168.0.9

Name: pam.report.filterall.1
Value: ip addr 10.0.0.0/16

Example using multiple filter parameters:

Name: pam.report.filter.3113009.0
Value: ip addr 192.168.9.0/24

Name: pam.report.filter.3113009.1
Value: ip addr 10.10.8.130
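The Value syntax and scoping rules above (ip addr versus ip intruder addr / ip victim addr, CIDR blocks, address ranges, comma-separated values, filterall versus filter.<issueid>, and indexed instances) can be checked offline before a policy change. The following Python is an added example, not IBM's code and not the PAM engine's own parser; it models the semantics as documented in this technote to predict whether a given event would be suppressed. The tuning parameters inside it are constructed for the example (172.16.5.10 and the combined comma-separated Value do not come from the technote), and the rule that a comma-separated item without an "ip ... addr" prefix inherits the preceding clause's role is an assumption of this example, not something the technote states.

```python
import ipaddress
import re

# Constructed tuning parameters modeled on the technote's examples. The parsing
# and matching below illustrate the documented semantics; they are not the
# appliance's own PAM engine code. 172.16.5.10 and the comma-joined Value are
# constructed for this example.
TUNING_PARAMETERS = {
    "pam.report.filterall.0": "ip addr 192.168.0.9",
    "pam.report.filterall.1": "ip addr 10.0.0.0/16",
    "pam.report.filter.3113009.0": "ip intruder addr 172.16.5.10",
    "pam.report.filter.3113009.1": "ip addr 192.168.9.0/24,192.168.0.1-192.168.0.20",
}

# pam.report.filterall[.index]  or  pam.report.filter.<issueid>[.index]
_NAME_RE = re.compile(r"^pam\.report\.(?:(filterall)|filter\.(\d+))(?:\.\d+)?$")
# ip addr X | ip intruder addr X | ip victim addr X
_CLAUSE_RE = re.compile(r"^ip(?: (intruder|victim))? addr (\S+)$")


def parse_address_spec(spec):
    """Turn '192.168.0.1', '192.168.0.0/24' or '192.168.0.1-192.168.0.20'
    into an inclusive (low, high) pair of integer addresses."""
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if low.version != high.version or int(low) > int(high):
            raise ValueError(f"bad address range: {spec}")
        return int(low), int(high)
    # A single address becomes a /32 (or /128) network with strict=False.
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_filter_value(value):
    """Parse a pam.report.filter* Value string into a list of (role, low, high).
    role is 'any' (ip addr), 'intruder' (source) or 'victim' (destination).
    Items are comma-separated with no spaces, as the technote requires. An item
    that is only an address spec is ASSUMED here to inherit the role of the
    preceding clause; the technote does not spell this out."""
    entries, role = [], "any"
    for item in value.split(","):
        m = _CLAUSE_RE.match(item)
        if m:
            role = m.group(1) or "any"
            spec = m.group(2)
        else:
            spec = item
        low, high = parse_address_spec(spec)
        entries.append((role, low, high))
    return entries


def compile_filters(params):
    """Group parsed Values by scope: 'all' for filterall, else the issueid string.
    Index suffixes (.0, .1, ...) only distinguish instances; they do not
    affect matching."""
    compiled = {}
    for name, value in params.items():
        m = _NAME_RE.match(name)
        if not m:
            continue  # not a report filter parameter, ignore it
        scope = "all" if m.group(1) else m.group(2)
        compiled.setdefault(scope, []).extend(parse_filter_value(value))
    return compiled


def is_event_filtered(compiled, issueid, src, dst):
    """True if an event with this issueid, source and destination would be
    dropped at the inspection engine under the compiled filters."""
    src_i = int(ipaddress.ip_address(src))
    dst_i = int(ipaddress.ip_address(dst))
    for role, low, high in compiled.get("all", []) + compiled.get(str(issueid), []):
        if role in ("any", "intruder") and low <= src_i <= high:
            return True
        if role in ("any", "victim") and low <= dst_i <= high:
            return True
    return False


if __name__ == "__main__":
    filters = compile_filters(TUNING_PARAMETERS)
    for issueid, src, dst in [
        (2000001, "192.168.0.9", "1.2.3.4"),    # scanner as source, any event
        (2000001, "1.2.3.4", "10.0.5.5"),       # destination inside 10.0.0.0/16
        (3113009, "172.16.5.10", "172.16.9.9"), # RDP_Login from the listed source
        (3113009, "172.16.9.9", "172.16.5.10"), # RDP_Login *to* it: not filtered
    ]:
        print(issueid, src, "->", dst, "filtered" if is_event_filtered(filters, issueid, src, dst) else "reported")
```

Running is_event_filtered against representative source/destination pairs makes one point of the Value syntax concrete: ip addr suppresses events in both directions, so whitelisting a scanner with "ip addr" also drops events in which that host is the victim, while "ip intruder addr" limits the filter to events where it is the source.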

If the above information does not resolve your issue, contact IBM Security Systems Customer Support.


Cross reference information
Segment   Product                                           Component        Platform   Version                              Edition
Security  IBM Security Network Protection                   Not Applicable   Firmware   5.1, 5.1.1, 5.1.2, 5.2.0, 5.1.2.1
Security  Proventia Virtualized Network Security Platform                    Firmware   4.1, 4.3, 4.4, 4.5, 4.6

Historical Number

4559


Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

1.7, 1.8, 2.3, 2.4, 2.5, 3.1, 3.2, 3.3, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.6.1

Operating system(s):

Platform Independent

Software edition:

All Editions

Reference #:

1436125

Modified date:

2014-10-07
