Hi All,
So I've been testing the IDS/IPS feature by lobbing a few Metasploit exploits. It seems that the Eternal Romance (exploit/windows/smb/ms17_010_psexec) attack is getting through, and I was able to get a Meterpreter session (screenshot attached). It's not showing up in the Alerts either. I'm sure IPS is enabled as it managed to block the other exploits I tried.
Any suggestions on how to tweak the rules/rulesets? TIA
Which rulesets do you use? ETPRO telemetry? If yes, have a look at the different available categories and choose what best fits your needs -> https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf
Hi, sorry for the late reply... yes, I've enabled all ETPro telemetry rules.
It managed to block the executable upload, but it seems the initial exploit is still getting through undetected.
All ET Telemetry rulesets have been enabled and downloaded in the Download tab.
As for the policy, all etpro.* rulesets have been selected. I've also selected all rules with Action = Drop, Alert, and Disabled.
Any ideas why the initial exploit is still getting through?