We are getting many alerts from IPS about Snort.TCP.SACK.Option.DoS. The sources are ads.ebay.com and contacts.ebay.com right now. We want to whitelist this and not receive any more alerts generated by it. How do I go about doing this?
You can add a signature with Name: Snort.TCP.SACK.Option.DoS to your sensor and change the action to Pass or Monitor (right-click in the GUI to see all options) to allow all of those. If you want to limit the allowed sources to some specific ones, you probably need to create a new policy above the current one to specify the source and apply the sensor you copied and modified, while you keep the original sensor on the original policy.
Under 'Security Profiles' > 'Intrusion Prevention', ensure you have the correct IPS Profile selected (the one in the policy that is firing).
Go to 'IPS Signatures' and choose 'Add Signature'. Filter by name, choose "Snort.TCP.SACK.Option.DoS" and, at the bottom, choose 'Use Selected Signature'. Once selected, move over to the 'Action' column and do as the other post said: right-click it and choose the option there. I would suggest using 'Monitor', since you will still get the hits in your logs.
Additionally (and I recommend it), if the offending traffic is coming from the same IP(s) or block, add an 'IP Exemption': select the "Snort.TCP.SACK.Option.DoS" entry you just created and click "Edit IP Exemption". Once there, 'Create New' and then add the source and destination. This will then apply the 'Action' from the above step to ONLY the IPs that match the exemptions, so any OTHER IP that triggers that signature will still get the default action.
From what I can see it is a low severity signature anyhow so it is probably more noise, but better safe than sorry.
Hope this helps.
Team Lead Systems Engineering
Commercial SE, Miami
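The same override and IP exemption that the two answers above build in the GUI, expressed as a FortiOS CLI config fragment. This is an added example written for this page, not something posted in the thread or taken from Fortinet documentation. It assumes FortiOS 6.x/7.x CLI syntax and that the sensor attached to the firing policy is named "default"; `<rule-id>` is a placeholder for the numeric signature ID of Snort.TCP.SACK.Option.DoS (shown in the ID column of the GUI signature list; it is not given anywhere on this page, so look it up rather than guessing), and the addresses are constructed TEST-NET placeholders standing in for the resolved eBay hosts and the local network. The `#` lines are annotations and must be removed before pasting into the CLI.

```text
config ips sensor
    edit "default"
        config entries
            edit 1
                # Override for exactly one signature, selected by numeric ID.
                # <rule-id> is a placeholder; use the real ID from the GUI list.
                set rule <rule-id>
                set status enable
                # "default" keeps the signature's own action for everyone who is
                # not exempted below. To get the GUI's "Monitor" behaviour for
                # every source instead, use:  set action pass  +  set log enable
                set action default
                set log enable
                # exempt-ip: the CLI help describes these as source/destination
                # pairs that are exempt from this signature, i.e. the signature
                # is not evaluated for them at all, so they generate no alert.
                # Constructed placeholder addresses, not the real eBay hosts.
                config exempt-ip
                    edit 1
                        set src-ip 203.0.113.10 255.255.255.255
                        set dst-ip 198.51.100.0 255.255.255.0
                    next
                    edit 2
                        set src-ip 203.0.113.11 255.255.255.255
                        set dst-ip 198.51.100.0 255.255.255.0
                    next
                end
            next
        end
    next
end
```

Two practical caveats. Hostnames such as ads.ebay.com resolve to CDN/anycast address pools that change over time, so an IP exemption keyed to today's resolved addresses will need periodic review; resolve the names again when the alerts reappear and widen or update the `src-ip` entries. And if you prefer the first answer's approach (a cloned sensor on a dedicated policy for the eBay sources), the exemption is unnecessary: clone the sensor with `set action pass` / `set log enable` on this entry, attach it to that policy with `set ips-sensor "<cloned-sensor-name>"` under `config firewall policy`, and leave the original sensor untouched on the general policy.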