https://community.cisco.com/t5/network-security/signature-triggering/m-p/904119#M85093 <HTML><HEAD></HEAD><BODY><P>Yes, they both get triggered.</P><P></P><P>-brad </P><P><A class="jive-link-custom" href="http://www.ccbootcamp.com" target="_blank">www.ccbootcamp.com</A> </P><P>(please rate the post if this helps!) </P></BODY></HTML> Sat, 15 Dec 2007 10:10:46 GMT ccbootcamp 2007-12-15T10:10:46Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904118#M85089 <P>If the conditions match two signatures, do they both get triggered or only the first one?</P><P></P><P>Thanks</P> Sun, 10 Mar 2019 10:54:35 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904118#M85089 mai2mai2m 2019-03-10T10:54:35Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904119#M85093 <HTML><HEAD></HEAD><BODY><P>Yes, they both get triggered.</P><P></P><P>-brad </P><P><A class="jive-link-custom" href="http://www.ccbootcamp.com" target="_blank">www.ccbootcamp.com</A> </P><P>(please rate the post if this helps!) </P></BODY></HTML> Sat, 15 Dec 2007 10:10:46 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904119#M85093 ccbootcamp 2007-12-15T10:10:46Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904120#M85100 <HTML><HEAD></HEAD><BODY><P>In CISCO IPS, can we wrtie a 'pass' rule to ignore good traffic and prevent it from trigger other signatures that cannot be turned off?</P><P></P><P>Thanks</P></BODY></HTML> Mon, 17 Dec 2007 13:08:28 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904120#M85100 mai2mai2m 2007-12-17T13:08:28Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904121#M85105 <HTML><HEAD></HEAD><BODY><P>you should be able to use an event action filter for this purpose. You can create a filter and put it at the top and set it to "stop on match". You can match on signature, ip address, port, and risk.</P></BODY></HTML> Mon, 17 Dec 2007 14:53:47 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904121#M85105 mhellman 2007-12-17T14:53:47Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904122#M85111 <HTML><HEAD></HEAD><BODY><P>Thanks for your responding.</P><P></P><P>Yes, looks like the CISCO wizard only allows to filter based on signature ID, ip, port, and risk. Is it poosible to filter on other fields in the header or payload?</P></BODY></HTML> Mon, 17 Dec 2007 19:20:49 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904122#M85111 mai2mai2m 2007-12-17T19:20:49Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904123#M85114 <HTML><HEAD></HEAD><BODY><P>Thanks Brad. Regarding the "both triggered", would there be any CISCO document I can refer to?</P></BODY></HTML> Mon, 17 Dec 2007 19:24:33 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904123#M85114 mai2mai2m 2007-12-17T19:24:33Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904124#M85117 <HTML><HEAD></HEAD><BODY><P>You can only filter on those things. You can however create a custom signature that matches on something in the payload and then create a filter that subtracts all actions and has a "stop on match". If the signature matches every packet, then this should work quite well (we do it in fact). If the signature matches only one packet of many [in a stream you want to guarantee no alarms for] I'm not sure that it will work.</P></BODY></HTML> Mon, 17 Dec 2007 19:31:35 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904124#M85117 mhellman 2007-12-17T19:31:35Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904125#M85119 <HTML><HEAD></HEAD><BODY><P>Also, don't forget, when you do the custom event and enable "stop on match" you also MUST SELECT the actions you do NOT want to happen! A lot of people miss that step.</P><P></P><P>-brad</P><P><A class="jive-link-custom" href="http://www.ccbootcamp.com" target="_blank">www.ccbootcamp.com</A></P><P>(please rate the post if this helps!)</P><P></P></BODY></HTML> Mon, 17 Dec 2007 19:34:10 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904125#M85119 ccbootcamp 2007-12-17T19:34:10Z https://community.cisco.com/t5/network-security/signature-triggering/m-p/904126#M85121 <HTML><HEAD></HEAD><BODY><P>I'll confirm Brad's post. We will trigger all alerts whose conditions are met by a packet or stream. We do not "fire first and forget"...that is a recipe for evasion.</P><P></P><P>You should be aware that in a stream signature, what has come before affects what happens in the present. We are analyzing the "stream"...not just the "packet". I mention this so that you can be aware that just because a particular condition exists in a packet, a signature may not fire because of something that was present (or not present) in a previous packet.</P><P></P><P>Scott C.</P></BODY></HTML> Tue, 18 Dec 2007 15:59:30 GMT https://community.cisco.com/t5/network-security/signature-triggering/m-p/904126#M85121 scothrel 2007-12-18T15:59:30Z