Unable to exclude Fragmented packet type DOS signature from inspection using a Firewall Stateless Ignore Policy
Last Modified: 2024-01-23 10:22:02 Etc/GMT
Technical Articles ID:
KB94348
Environment
Trellix Intrusion Prevention System
Problem 1
You see many alerts for the IP Fragment Volume Too High signature (Inbound IP Fragment Volume Too High / Outbound IP Fragment Volume Too High).
The alerts appear in the Attack Log after you apply a Firewall Policy with the Stateless Ignore action. With Stateless Ignore, the firewall rule excludes the traffic between the client and server from inspection, so no alerts are expected in the Attack Log.

Problem 2
You want to exclude the IP Fragment Volume Too High signature (Inbound IP Fragment Volume Too High / Outbound IP Fragment Volume Too High) from inspection using the firewall policy, so you create a bidirectional Firewall Stateless Ignore policy between the hosts. After you apply the policy, you still see alerts for this signature in the Attack Log.
Solution
This outcome is expected behavior. During initial L3 processing, fragmented packets are reassembled. After reassembly, a DOS check is applied to the reassembled packets to detect Teardrop-style DOS attacks. This check runs before ACL or Firewall Rule processing for fragmented traffic, so a Firewall Policy rule can't exclude this particular signature from inspection: it's tied to fragment handling that precedes the policy lookup. For other DOS attacks, the Stateless Ignore Firewall Policy works as expected.
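As an added illustration (not Trellix code, and a simplified model rather than the product's actual pipeline), the following Python sketch reproduces the processing order described above: the fragment-volume DOS check runs before firewall rules, so a bidirectional Stateless Ignore rule suppresses other signatures but not this one. The hosts, the fragment threshold and the "Other DOS Signature" name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    fragmented: bool = False          # True for an IP fragment of a larger datagram
    dos_sig: Optional[str] = None     # non-fragment DOS signature this packet would trigger (constructed)

@dataclass
class IgnoreRule:
    """Bidirectional Firewall Stateless Ignore rule between two hosts."""
    host_a: str
    host_b: str
    def matches(self, pkt: Packet) -> bool:
        return {pkt.src, pkt.dst} == {self.host_a, self.host_b}

FRAG_THRESHOLD = 3  # constructed: fragments per flow above which the volume check alerts

def inspect(packets: List[Packet], ignore_rules: List[IgnoreRule]) -> List[Tuple[str, str, str]]:
    """Model of the order the article describes: reassembly and the fragment-volume
    DOS check first, then firewall (Stateless Ignore) rules, then remaining signatures."""
    alerts = []
    frag_counts = {}
    for pkt in packets:
        # Step 1: L3 reassembly and the fragment DOS check, before any firewall rule is consulted.
        if pkt.fragmented:
            key = (pkt.src, pkt.dst)
            frag_counts[key] = frag_counts.get(key, 0) + 1
            if frag_counts[key] > FRAG_THRESHOLD:
                alerts.append(("IP Fragment Volume Too High", pkt.src, pkt.dst))
        # Step 2: firewall policy; a matching Stateless Ignore rule stops further inspection.
        if any(rule.matches(pkt) for rule in ignore_rules):
            continue
        # Step 3: other signature checks, which the ignore rule does suppress.
        if pkt.dos_sig:
            alerts.append((pkt.dos_sig, pkt.src, pkt.dst))
    return alerts

def demo_alerts(with_ignore: bool) -> List[Tuple[str, str, str]]:
    """Constructed traffic: five fragments plus one packet that would trigger another DOS signature."""
    traffic = [Packet("10.0.0.5", "10.0.0.9", fragmented=True) for _ in range(5)]
    traffic.append(Packet("10.0.0.5", "10.0.0.9", dos_sig="Other DOS Signature"))
    rules = [IgnoreRule("10.0.0.5", "10.0.0.9")] if with_ignore else []
    return inspect(traffic, rules)

if __name__ == "__main__":
    print("with ignore rule:   ", demo_alerts(True))   # fragment alerts remain
    print("without ignore rule:", demo_alerts(False))  # other DOS alert also fires
```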