Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sshapiro
New Contributor

Snort.TCP.SACK.Option.DoS IPS Whitelisting

Hello!

 

We are getting many alerts from IPS about Snort.TCP.SACK.Option.DoS.  The sourcees are ads.ebay.com and contacts.ebay.com right now.  We want to whitelist this and be able to not receive anymore alerts made by this.  How do I go about doing this? 

2 REPLIES 2
Toshi_Esumi
SuperUser
SuperUser

You can add a signature with Name:Snort.SACK.Option.Dos to your sensor and change the action to Pass or monitor (right-click in GUI to see all options) to allow all of those. If you want to limit the allowed sources to some specific ones, you probably need to create a new policy above the current one to specify the source and apply the sensor you copied and modified while you keep the original sensor on the original policy.

fernandezm_FTNT

Under 'Security Profiles', 'Intrusion Prevention' ensure you have the correct IPS Profile selected (the one in the policy that is firing).

 

Go to 'IPS Signatures' and choose 'Add Signature'  Filter by name and choose "Snort.TCP.SACK.Option.DoS" and on the bottom, choose 'Use Selected Signature'.  Once selected, move over to the 'Action' column and do as the other post said, by right clicking it and choosing the option there.  I would suggest using 'monitor' since you will get the hits in your logs. 

 

Additionally, and I recommend it, is to add an 'IP Exemption' if the offending IP is coming from the same IP(s) or block, select the "Snort.TCP.SACK.Option.DoS" entry you just created, and click "Edit IP Exemption".  Once there 'create new' and then add the source and destination.  This will then apply the 'Action' from the above step to ONLY the IPs that match the exemptions.  So any OTHER IP that triggers that signature will still do the default action. 

 

From what I can see it is a low severity signature anyhow so it is probably more noise, but better safe than sorry.

 

hope this helps.

 

Manny Fernandez Team Lead Systems Engineering Commercial SE, Miami @secprimate fernandezm@fortinet.com www.infosecmonkey.com
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors