NSX IDS Severity incorrectly categorised for medium severity signatures


Article ID: 371827


Products

VMware vDefend Firewall

Issue/Introduction

You are running NSX 4.1.X with NSX IDS/IPS.

In the UI, the IDS Severity is shown as Critical; however, the signature details show the signature severity as medium.

In the NSX logs, the signature is reported as medium, with no reference to the critical severity shown in the UI:

...

"alert.metadata.signature_severity": [
"Medium"
...
"alert.signature": "SLR Alert - EXPLOIT Serialized Java Object Calling Common Collection Function",
"alert.signature_id": 4103165,

...

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

 

Environment

VMware NSX networking and security installation.

Cause

This is a known issue in which signatures whose signature_severity is classed as medium are mapped to an incorrect NSX IDS Severity. For medium severity signatures, NSX uses the CVSS score to classify the signature. This score can differ from the signature_severity, which is why the IDS Severity classification differs.
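To find which alerts in a triage queue are affected, the signature_severity from the logs can be compared with the severity shown in the UI. The following is an added example, not part of the original article or VMware tooling; it assumes events are available as one flattened JSON object per line using the keys from the excerpt above, and that the UI severities were noted by hand into the hypothetical `UI_SEVERITY` mapping. Signature IDs 9000001 and 9000002 are constructed sample values.

```python
import json

# Constructed sample events using the flattened keys from the log excerpt.
SAMPLE_LOG = """\
{"alert.signature_id": 4103165, "alert.signature": "SLR Alert - EXPLOIT Serialized Java Object Calling Common Collection Function", "alert.metadata.signature_severity": ["Medium"]}
{"alert.signature_id": 9000001, "alert.signature": "Constructed sample signature A", "alert.metadata.signature_severity": ["Critical"]}
{"alert.signature_id": 9000002, "alert.signature": "Constructed sample signature B", "alert.metadata.signature_severity": ["Medium"]}
not-json line that a real log file may contain
"""

# Assumption: severities the analyst read from the UI, keyed by signature ID.
UI_SEVERITY = {4103165: "Critical", 9000001: "Critical", 9000002: "Medium"}


def log_severities(log_text):
    """Return {signature_id: (signature name, signature_severity)}."""
    found = {}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(event, dict):
            continue
        sid = event.get("alert.signature_id")
        sev = event.get("alert.metadata.signature_severity")
        if isinstance(sev, list):  # the excerpt shows a one-element list
            sev = sev[0] if sev else None
        if sid is not None and sev:
            found[sid] = (event.get("alert.signature", ""), sev)
    return found


def affected_signatures(log_text, ui_severity):
    """Medium signatures whose UI severity differs from signature_severity."""
    rows = []
    for sid, (name, sev) in sorted(log_severities(log_text).items()):
        shown = ui_severity.get(sid)
        if sev.lower() == "medium" and shown and shown.lower() != "medium":
            rows.append((sid, name, sev, shown))
    return rows


if __name__ == "__main__":
    for sid, name, sev, shown in affected_signatures(SAMPLE_LOG, UI_SEVERITY):
        print(f"{sid}: log={sev} ui={shown}  {name}")
```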

Resolution

This is resolved in VMware NSX 4.2.