Does anyone have a benign, false positive site that can be used for testing of the IDS of Netskope?
Failing that, a true positive that I can turn the IDS on for in the Dev tenant?
I primarily want to see what it looks like in the logs so when I put it in monitor mode in production I know what I am looking for.
@wilson downloading the eicar test file should trigger IPS if I recall correctly. This assumes you have all signatures enabled as IPS has eicar detection for both web and non-web protocols:
Thanks @sshiflett, I appreciate the effort.
It appears that the policy of preventing malicious downloads occurs before the IDS protection. I guess I could disable the Threat Protection policies temporarily in the Dev tenant and see what happens after that, but that might be more effort and more risky than the proposed results. I will think about it some more.
I think my desire now can be rated as a “nice to have” and I will just have to proceed to production claiming that the monitor only mode is safe enough in that it doesn’t perform any action.
@wilson let me see if there’s any other methods to trigger it. I don’t recall off the top of my head but will double check.
You could also bypass the eicar hash while still retaining all other threat protection policies.
@sshiflett Simple and brilliant idea. That provided the evidence that I was looking for.