Hi,

Now that it is pretty clear how we define an IDP policy to detect attacks, let us also see how we can turn detection off for a specific set of applications, traffic or patterns, whether because of company policy or for any other reason (for example, a custom application whose traffic mimics suspicious behaviour and which you want to allow). To put it straight: anything you know is good (a true positive for your business) but IDP senses as bad and drops (a false positive for you) is a candidate for an exempt rule.

Topology

[Image: topology]

Initially the attack triggered by the scan is detected and the scan cannot get through; here are the outputs, just for reference.

[Image: IDP attack detection]

As we can see above, the attack was well detected by the SRX and it is being blocked.

[Image: SRX detecting the attack]

Let us add a rulebase-exempt rule and see whether that bypasses detection; this time the SRX should not detect any of these attacks.

[Image: rulebase-exempt configuration on the SRX]
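The configuration behind that screenshot, written out as an added example rather than copied from the original post. The policy name, rule name, zones, addresses and the attack name are assumptions; replace them with the attack the SRX reported in your own IDP logs. An exempt rule has only a match block, no action, and it suppresses alerting and blocking for the matched attacks on the matched traffic only, so keep source, destination and attack list as narrow as possible instead of using `any` everywhere:

```junos
## Added example configuration (assumed names, not the original post's config).
## The IDP policy "idp-pol" is assumed to already exist with a rulebase-ips
## rule that detects and drops the attack; the exempt rulebase is evaluated
## against matches from rulebase-ips and suppresses them.

## Exempt rule scoped to one scanner host, one target, one attack.
## ATTACK-NAME is a placeholder for the predefined attack seen in the logs.
set security idp idp-policy idp-pol rulebase-exempt rule allow-scanner match from-zone untrust
set security idp idp-policy idp-pol rulebase-exempt rule allow-scanner match source-address 192.0.2.10/32
set security idp idp-policy idp-pol rulebase-exempt rule allow-scanner match to-zone trust
set security idp idp-policy idp-pol rulebase-exempt rule allow-scanner match destination-address 198.51.100.20/32
set security idp idp-policy idp-pol rulebase-exempt rule allow-scanner match attacks predefined-attacks ATTACK-NAME

## What NOT to do: an any/any exempt for a whole attack group turns the
## rulebase-ips rules for that group off for every flow through the policy.
## (shown for contrast, do not commit)
## set security idp idp-policy idp-pol rulebase-exempt rule too-wide match from-zone any
## set security idp idp-policy idp-pol rulebase-exempt rule too-wide match source-address any
## set security idp idp-policy idp-pol rulebase-exempt rule too-wide match to-zone any
## set security idp idp-policy idp-pol rulebase-exempt rule too-wide match destination-address any
## set security idp idp-policy idp-pol rulebase-exempt rule too-wide match attacks predefined-attack-groups "[Recommended]"

commit
```

After committing, rerun the scan and check that the attack no longer appears with `show security idp attack table`, and that no new `IDP_ATTACK_LOG_EVENT` entries for it show up in `show log messages`. `show security idp status` confirms the policy is still loaded; an exempt rule does not change that, it only suppresses the matched detections.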

Re-scanning now reveals that I am running an Ubuntu machine, along with scores of vulnerability details that people might really be interested in πŸ™‚

[Image: scan bypassing IDP after the exempt rule]

Always weigh your options before exempting anything from normal IDP inspection: an exempt rule silently removes both the alert and the block for whatever it matches, so a rule that is too broad can prove very costly.

Regards

Rakesh M
