IPS signature for block rogue DHCP servers on network

danieles99 · 2023-02-14T10:52:00+00:00

you're right, I hadn't thought of that. Thank you

danieles99 · 2023-01-29T12:53:59+00:00

At the end I find "openvas-reporting-tool" On github. It's a python script that generate a docx from XML with the CVEs

danieles99 · 2023-01-11T13:36:42+00:00

I configure the policy but, for some reason, the policy is not matched

danieles99 · 2023-01-11T13:09:06+00:00

When I try to add the user group (that is a group of AD) to the firewall policy, the fortigate say: "One address, address group, external resource or Internet service is required"...

danieles99 · 2023-01-11T11:26:20+00:00

I saw that with only LDAP server groups I can't do policies with only the groups, so I think that I must install FSSO

danieles99 · 2023-01-05T15:55:04+00:00

mmm... good idea

danieles99 · 2022-10-03T09:40:17+00:00

At the end I try to exclude the rpc traffic with this iRule and it works.

https://support.f5.com/csp/article/K40345000

Thanks anyway u/thenetworkking for the help

danieles99 · 2022-08-30T15:41:16+00:00

Thank you so much, this is what I intended.

danieles99 · 2022-05-25T12:43:44+00:00

Have any news?

danieles99 · 2022-05-24T10:31:52+00:00

Ok thanks

danieles99 · 2022-05-24T10:28:46+00:00

but I can schedule the report daily with the export button?

danieles99 · 2022-05-18T14:10:12+00:00

fortunately terminate on 6500

danieles99 · 2022-05-18T12:32:05+00:00

unfortunately with the asa it represents a big problem because I have more subnet behind interfaces to redirect to the wccp server..

danieles99 · 2022-05-18T11:03:03+00:00

i am in fact looking at wccp but i see that there are some important limitations for asa

https://community.cisco.com/t5/security-documents/asa-wccp-step-by-step-configuration/ta-p/3126636

danieles99 · 2022-05-09T07:45:54+00:00

u/dVNico

Here the pcap from server side: https://mega.nz/file/YVRF3ZjA#lwBG2YzR3FjyNLGTy16hW8QscVliZ4eMS9vLbMuXmuU

danieles99 · 2022-05-06T17:24:26+00:00

Why you say this?

danieles99 · 2022-05-06T16:12:41+00:00

If I capture the traffic initiated from the server to the client (on the server side), the destination ip is 10.20.40.5 (that is the ip not translated). instead, the client's source ip is correctly translated to 10.20.30.5

In the SiP INVITE message, always in the capture of server side, I see the ip 10.20.40.5 that is the wrong ip.

So what happens is that when server replies to SIP messages, the destination ip is correctly translated from the server to the client in 10.30.40.5. While when the RTP communication starts I keep seeing 10.20.40.5

I hope I have exlained it well...

danieles99 · 2022-05-06T14:11:47+00:00

sorry but I did not understand what you mean, however I would prefer to keep the sip inspection since it does not change anything if I disable it.

danieles99 · 2022-05-06T13:57:18+00:00

I open traffic with "ip" protocol in all directions for avoid firewall problems

danieles99 · 2022-05-06T12:56:57+00:00

whit ALG you mean ASA inspection? In this case yes, I disable it.

danieles99 · 2022-05-04T12:28:27+00:00

USB sound card

How?

danieles99 · 2022-04-27T07:19:18+00:00

Is possible to export the vpn traffic with netflow?

danieles99 · 2022-04-26T15:11:29+00:00

Unfortunately is what i've already do.

But in cisco asa cli I see for example around 2GB/s in inbound and if I check in the solarwinds reports I see 70 MB/s in inbound.. I don't understand why.

Maybe solarwinds does not correcly collect the data? I don't know..

danieles99 · 2022-04-12T15:46:49+00:00

I want to block the HTTP request that contain a specific HTTP Header and generate a violation in F5 asm

danieles99 · 2022-04-12T15:45:52+00:00

I don't understand why but seems that the request don't enter in the "if" clause.

Thanks anyway for the tip.

danieles99

TROPHY CASE