Cisco Umbrella's Intrusion Prevention System detects (and optionally blocks) packets which are deemed to be associated with a known threat, vulnerability, but also simply when the format of the packet is unusual.
Administrators choose which IPS signature list is used to detect threats based on the following default lists:
- Connectivity Over Security
- Balanced Security and Connectivity
- Security Over Connectivity
- Maximum Detection
It is important to remember that the chosen signature list will greatly impact the number of IPS False Positives encountered. The most secure modes (such as Maximum Detection and Security Over Connectivity) are expected to create unwanted IPS detections as they place emphasis on security. The most secure modes are only recommended when total security is required and the Administrator should anticipate the need to monitor and review large numbers of IPS events.
For more information on the different modes review the IPS Documentation (LINK)
Review IPS Detections
Use the Activity Search on the Umbrella Dashboard to view IPS Events. For each event there are two important pieces of information:
- IPS Signature ID/Category/Name. Searchable on https://snort.org
- CVE Number (if applicable). Searchable on https://cve.mitre.org
Not all IPS detections indicate a known exploit/attack. Many of the signatures (particularly in Max Detection mode) simply indicate the presence of a certain type of traffic, or a protocol violation. It is important to review the above sources of information along with other details about the event (eg. Source/Destination) to determine if the event requires further investigation from your security team.
The signature category can be useful in providing additional context about the type of IPS detection. Review the categories available on snort.org.
In this example, an IPS Event is linked to the following signature :
The description of the signature is as follows:
> The rule looks for PING traffic coming into the network that doesn't follow the normal format of a PING
In this case the snort rule is not necessarily detecting any particular exploit, but is instead detecting a malformed ICMP packet that was blocked. Based on the information available on snort.org, and other details about the event (eg. source/destination) the Administrator may decide that this event requires no further investigation
Some legitimate applications may not be compatible with IPS signatures, particularly when the more aggressive (Max Detection) modes are configured. In these scenarios the application may be blocked for reasons discussed in the Protocol Violation section. The application may use a protocol in an unexpected way, or use a custom protocol over a port that is normally reserved for other traffic.
Even though the application is legitimate, these detections are often valid and cannot always be corrected by Cisco.
If a legitimate application is blocked by IPS we recommend to contact the vendor of the application with details of the event / signature. 3rd party applications should be tested for compatibility with the IPS signatures at snort.org.
It is currently not possible to exclude an individual Application/Destination from IPS scanning.
Disabling IPS Signatures
If a signature is found to cause compatibility issues with a 3rd party application, the signature can be disabled (either temporarily or permanently). This should only be done when you trust the application and you've determined that the value of the application outweighs the security benefits of the specific signature.
Follow the Add a Custom Signature List (LINK) documentation for information on creating a custom signature list. You can use your current settings as a template and then disable the desired rules by setting them to Log Only or Ignore.
Umbrella support are unable to provide additional details about historical IPS Events. IPS Events inform you that traffic did not match the IPS signature - Details of the signature are publically available on snort.org. Umbrella does not store a copy of raw traffic/packets and are therefore unable to provide further context or confirmation about the nature of an IPS event.
IPS Problems / False Positives
If you wish to dispute a current IPS problem (such as a False Positive) please contact email@example.com.
In order to investigate these problems a packet capture will be required by Umbrella support. The raw contents of packets are needed to determine how the traffic triggered the IPS detection. You must be able to replicate the issue in order to generate the packet capture.
Before raising a ticket, use a tool such as Wireshark to generate the packet capture when replicating the issue. Instructions are available in our knowledgebase.
Alternatively, Umbrella support can assist with generating the packet capture. They will need to schedule a time when the issue with the affected user/application can be recreated.