After a signature set update, the Trellix Intrusion Prevention System alert filter no longer filters alerts
Last Modified: 2024-01-24 10:56:39 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
After a signature set update, the Trellix Intrusion Prevention System alert filter no longer filters alerts
Technical Articles ID:
KB60067
Last Modified: 2024-01-24 10:56:39 Etc/GMT EnvironmentTrellix Intrusion Prevention System (Trellix IPS)
SummaryA Defined Trellix IPS alert filter works correctly until a new signature set is installed.
ProblemA Trellix IPS administrator who wants to ignore alerts caused by a particular host has configured an alert filter. The administrator has associated the filter with attacks in a policy.
The filters work correctly until the administrator upgrades the signature set and pushes it to the Sensor. Alerts are displayed in the Alert Manager, showing some attacks from that particular IP address. You expect these alerts to be filtered out. System ChangeYou upgraded to a new signature set.
CauseAny new attacks in the new signature set aren't automatically associated with the defined alert filter. Alerts are displayed for the new attack.
Solution 1The best approach is to use an ACL instead of an alert filter. This approach allows traffic from that vulnerability scanner to be ignored.
Define an ACL with the source IP of the vulnerability scanner:
To apply the configuration update:
Solution 2
Another option is to associate the alert filer with the new attacks manually. See the "IPS Configuration" section of your Product Guide for your software release, specifically information about managing IPS settings, for full information about this process. Related InformationFor product documents, go to the Product Documentation portal.
Affected ProductsLanguages:This article is available in the following languages: |
|