Hi all,
A customer has a vulnerability scanner in their network. Every time they run it, the "attacked" clients show a message that they've been attacked. The goal is to suppress these messages.
Our first consideration was to add the IP of the vulnerability scanner to the Excluded Hosts List in the IPS Policy. That doesn't take effect because it means that the excluded host doesn't detect any inbound attacks anymore. But all the other clients "attacked" from that host still keep detecting an incoming attack. So the Excluded Hosts in IPS Policy means inbound traffic to the excluded hosts and doesn't mean that all other clients don't check for attacks when the traffic is coming from the excluded host. It took me quite a lot of time to get that.
The customer doesn't want to:
- temporarily disable IPS
- set the attack signature to allow
Just wants to run the vulnerability scans without the "attacked" clients showing a message of an attack.
Hope you can help me with that because I've read a lot and I have no more ideas.
Thanks and have a good day.
sb_b