https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611577#M92476 <HTML><HEAD></HEAD><BODY><P>event action filters are used to subtract actions (not add) based on the filtering criteria. It's very clear when directly managing the sensor, it may not be so clear in VMS. So, you need to create an event action filter for that attacker ip.</P><P></P><P>as far as lowering the severity...the only way to do that is by modifying the specific signature.</P></BODY></HTML> Thu, 07 Sep 2006 01:23:41 GMT mhellman 2006-09-07T01:23:41Z https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611574#M92473 <P>how can I tune sig 3883 by attacker IP? Our VMS server is triggering this alert when it hits cisco (probably for sig updates) so i want to tune the sig so it ignores alerts from the VMS server.</P><P></P><P>i dont see an option under "tune" for that signature for the attacker or victim IPs.</P><P></P><P></P> Sun, 10 Mar 2019 10:12:07 GMT https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611574#M92473 slug420 2019-03-10T10:12:07Z https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611575#M92474 <HTML><HEAD></HEAD><BODY><P>You don't need tune the signature, you need to create an event action filter.</P></BODY></HTML> Wed, 06 Sep 2006 17:05:16 GMT https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611575#M92474 mhellman 2006-09-06T17:05:16Z https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611576#M92475 <HTML><HEAD></HEAD><BODY><P>i was looking in that area but did not see a way that the event action filter could generate no event, or an event of a lower severity level than was set on the signature itself. All that looked to let me do was tell it was action to take, IE shun, block, reset, alarm, etc.</P><P></P><P>i want it to do nothing if it is an attacker ip of x.x.x.x or s.s.s.s</P><P></P><P></P></BODY></HTML> Wed, 06 Sep 2006 23:09:50 GMT https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611576#M92475 slug420 2006-09-06T23:09:50Z https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611577#M92476 <HTML><HEAD></HEAD><BODY><P>event action filters are used to subtract actions (not add) based on the filtering criteria. It's very clear when directly managing the sensor, it may not be so clear in VMS. So, you need to create an event action filter for that attacker ip.</P><P></P><P>as far as lowering the severity...the only way to do that is by modifying the specific signature.</P></BODY></HTML> Thu, 07 Sep 2006 01:23:41 GMT https://community.cisco.com/t5/network-security/tuning-3883-by-attacker-ip/m-p/611577#M92476 mhellman 2006-09-07T01:23:41Z