Example: Tuning an Inspection Policy element to eliminate false positives for a engine
An example of using Exception rules in the Inspection Policy element to eliminate a false positive.
The administrators in this example have started using inspection. They have installed a policy that includes only the rules defined in the Loose Inspection policy. When they install the Engine Policy, they soon start receiving alerts.
After some investigation, the administrators realize that a custom-built application causes the alert. This application communicates in a way that happens to match the pattern of how an attacker would carry out a certain exploit. The custom-built application is only used by a specific server and a few clients in the internal network. The administrators quickly edit the Inspection policies to exclude those particular hosts for the Situation in question. The administrators:
- Create Host elements to represent the server and the clients.
- Create a Group element that includes the client’s Host elements.
- The administrators name the Group so that it is immediately clear from the name that the Group contains those hosts that must contact the server running their custom-built application. This makes the new rule easier to read than if they included the hosts directly in the rule.
- Add the following rule on the Exceptions tab in their Inspection Policy element:
Table 1. Rule for eliminating a false positive Situation Source Destination Action Logging The Situation element that is mentioned in the alerts in the Logs view. The Group defining the clients. The Host for the internal server. Permit None - If the Situation matches traffic between any other hosts than those included in the Group, the IP address does not match the hosts defined in the new rule. The processing will continue to the next rule, which terminates the traffic and triggers an alert.
- The logging would not have to be set to None, because it is the default option. However, the administrators want to do so anyway to make sure any rules that they add in the future cannot accidentally set logging on for this rule.
- Refresh the policy on the Engines.