Why do known good IP addresses appear on my IP Watchlist updated by DeepSight


Article ID: 177505


Updated On:

Products

Security Information Manager

Issue/Introduction

Why do known good IP addresses appear on my IP Watchlist updated by DeepSight?

Symptoms
IP addresses belonging to public and trusted companies and sites appear in the IP Watchlist in the SSIM UI.


 

Cause

DeepSight identifies sites through automated sensors, and a trusted IP address can engage in legitimate traffic that nonetheless trips the DeepSight firewall and IDS sensors. To be flagged as a Known Source IP address, the IP address must be observed by a DeepSight firewall/IDS sensor and must contact a DeepSight Honeynet within 30 hours.

To identify the source of the unsolicited traffic, analyze the network traffic originating from the Known Source IP address. Further information on the activity that DeepSight sensors have observed from the suspect IP address can be obtained from an IP Analysis Report, which can be run in the Custom Reports section of DeepSight TMS. Review logs of egress traffic from the suspect IP address, identify traffic to unknown hosts, and establish the purpose of any suspicious traffic. Bear in mind that the listed address may be a shared NAT or gateway address, in which case the traffic that tripped the sensors may have originated from a different host behind it.
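The egress-log review described above, as an added example that is not part of this article, SSIM or DeepSight: the script parses firewall log lines from a constructed key=value format (the regex must be adapted to your own firewall's export), keeps only connections whose source is the suspect IP, and splits the destinations into hosts you already know (an assumed KNOWN_HOSTS list of networks) and unknown hosts, with per-destination port, protocol and action counts so the unknown side can be investigated first. The sample log lines are constructed, not real data.

```python
"""Egress review for a watchlisted source IP (added example, not SSIM/DeepSight code).

The log format below is a constructed key=value firewall export; adjust LINE_RE
for your own firewall. KNOWN_HOSTS is an assumed list of networks the
organisation already trusts as destinations.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines (documentation ranges only); not real log data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw1 action=allow src=203.0.113.10 dst=198.51.100.25 dport=443 proto=tcp
2024-05-01T10:00:02Z fw1 action=allow src=203.0.113.10 dst=198.51.100.25 dport=443 proto=tcp
2024-05-01T10:00:05Z fw1 action=allow src=203.0.113.10 dst=192.0.2.77 dport=22 proto=tcp
2024-05-01T10:00:06Z fw1 action=deny src=203.0.113.10 dst=192.0.2.78 dport=445 proto=tcp
2024-05-01T10:00:07Z fw1 action=allow src=203.0.113.10 dst=192.0.2.78 dport=139 proto=tcp
2024-05-01T10:00:09Z fw1 action=allow src=203.0.113.44 dst=192.0.2.80 dport=80 proto=tcp
2024-05-01T10:00:10Z fw1 action=allow src=203.0.113.10 dst=10.0.0.5 dport=53 proto=udp
garbage line that should be skipped
"""

# Assumed set of destination networks the organisation already knows about.
KNOWN_HOSTS = (
    ip_network("198.51.100.0/24"),  # e.g. a partner / CDN range
    ip_network("10.0.0.0/8"),       # internal RFC 1918 space
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def is_known(dst):
    """True if dst falls inside any of the trusted destination networks."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_HOSTS)


def egress_summary(text, suspect_src):
    """Summarise where suspect_src connected to, split into known and unknown hosts.

    Returns {"known": {dst: {(dport, proto, action): count}},
             "unknown": {dst: {(dport, proto, action): count}}}.
    """
    buckets = {"known": defaultdict(lambda: defaultdict(int)),
               "unknown": defaultdict(lambda: defaultdict(int))}
    for ev in parse_log(text):
        if ev["src"] != suspect_src:
            continue  # only egress traffic from the suspect address matters
        side = "known" if is_known(ev["dst"]) else "unknown"
        buckets[side][ev["dst"]][(ev["dport"], ev["proto"], ev["action"])] += 1
    # Freeze the nested defaultdicts into plain dicts for the caller.
    return {side: {dst: dict(c) for dst, c in d.items()} for side, d in buckets.items()}


def unknown_destinations(summary):
    """Sorted list of destinations not covered by KNOWN_HOSTS; review these first."""
    return sorted(summary["unknown"])


def print_report(summary):
    for side in ("unknown", "known"):
        print(f"== {side} destinations ==")
        for dst, counts in sorted(summary[side].items()):
            for (dport, proto, action), n in sorted(counts.items()):
                print(f"  {dst:<16} {proto}/{dport:<5} {action:<6} x{n}")


if __name__ == "__main__":
    print_report(egress_summary(SAMPLE_LOG, "203.0.113.10"))
```

In the sample, the suspect address reaches two hosts outside the trusted ranges on SSH and SMB ports, one of them denied by the firewall, which is exactly the kind of pattern (probing unrelated hosts) that lands an address on a sensor-driven list; those two destinations are what the egress review should explain before the address is whitelisted or contested.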

Resolution

There are a few options when one or more IP addresses appear in the DeepSight watchlist.

 

(Option #1)

If an IP address that appears in the IP Watchlist in the SSIM UI is known to be good and trusted, you can add it to the IP Whitelist Table under the Rules tab of SSIM 4.6.1+ and 4.7 to stop the address from triggering incidents. Note that this only suppresses incidents in SSIM; it does not remove the address from the DeepSight list itself.

To add an IP address to the IP Whitelist Table:

  1. Click the Rules tab > Lookup Tables > System Lookup Tables.

  2. Click the green plus icon at the top of the right pane.

  3. Click in the IP Address field and type the whitelisted IP address, then give it a Resolution name in the right column.

  4. Click the distribute icon at the top right of the SSIM client window. This saves and distributes your changes.

Note: To get the IP Whitelist Table in SSIM 4.6.0, Maintenance Pack 1 must be applied and LiveUpdate must then be run on the appliance.

 

(Option #2) 

For SIM Consoles 4.7.1+, you can obtain more information about the affected IP address as well as DeepSight contact information.

Perform the following steps from the SIM Console:

  1. Click the Incident tile > (IP Watchlist Destination: the incident in question).

  2. Click the Event tab at the bottom of the incident.

  3. Scroll to the right until the "Target IP" column is visible.

  4. Right-click the red-highlighted Target IP and select "Watch List Info...".

  5. A new window appears showing information related to the IP address in question. In addition, a phone number for DeepSight is listed in the disclaimer section towards the bottom of the window.


Please understand that the SSIM Support department has no control over which IP addresses end up in the DeepSight watchlist. If you own an IP address that is listed among the top offenders and you believe it is listed in error, you may contest the inclusion by contacting DeepSight.

DeepSight Client Support:
Contact Us Page
