topic Filtering verbose alerts in Network Security

Filtering verbose alerts

gdntsoc — Sun, 10 Mar 2019 09:37:07 GMT

Greetings all. I'm having some difficulties implementing event filters for a 4215 running 5.0.4.

1. I've globally enabled verbose alerting via the CLI by doing

# service event-action-rules rules0

# overrides produce-verbose-alert

2. I want to filter 'TCP SYN Port Sweep' (3002 0) so it doesn't get logged to the idsEventStore. I've created the following single filter,

# service event-action-rules rules0

# filters insert foo begin

# signature-id 3002

# subsignature-id-range 0-10

# actions-to-remove produce-verbose-alert

# filter-item-status Enabled

# stop-on-match True

I save my changes and when running local scans I see the event still being logged but WITHOUT the triggerPacket info. OK, I edit the rule and change to

# actions-to-remove produce-alert

run scans again and the event appears in the idsEventStore WITH the triggerPacket.

It appears I have to create two identical filter rules, first one with

# actions-to-remove produce-verbose-alert

next one with,

# actions-to-remove produce-alert

in order to completely filter 'TCP SYN Port Sweep' from the idsEventStore and I don't see it. So my question to the group is,

How does one create a single event filter rule to drop verbose alerts? Note: I need to have produce-verbose-alert set globally for troubleshooting.

Thanks in advance for the assistance.

Re: Filtering verbose alerts

marcabal — Thu, 01 Sep 2005 21:28:20 GMT

When creating a filter you can specify multiple actions to remove. In IDM you hold down the control key to select each additional action. In IDM I think you put a "|" between each action you want to remove: "produceAlert|produceVerboseAlert".

You will need to use the one filter to remove All actions that produce any kind of alert.

So you need to remove the following actions at a minimum:

produceAlert

produceVerboseAlert

requestSnmpTrap

logAttackerPackets

logVictimPackets

logPairPackets

The last 5 actions above will force an alert to be produced Even if produceAlert has been filtered out. So you have to remove them as well. This is sort of stated in the IDM guide:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmevtrul.htm#wp1062278

But was not made clear in the CLI guide.

If you want to prevent all the actions (including those that don't produce an alert) then enter every action in the actions to remove section.

(NOTE: This is much easier to do in IDM. You select the top action, Hold down Shift key, and select the last action, and all the actions will be selected for removal).

It sounds like you are not interested in the 3002 signature at all. If this is the case, then the simplest thing to do is to just Disable the signature, and not worry about the filters.

The filters shoudl really only be used if you want to filter for specific address ranges, or want to filter out some but not all of the actions.

If you want to filter out All actions for All ip addresses, then just Disable the signature instead.

It will save on internal processing within the sensor.

Re: Filtering verbose alerts

gdntsoc — Fri, 02 Sep 2005 12:37:51 GMT

Thank you for the reply.

Yes, I did fail to mention that I DO want to filter out verbose alerting for specific ip ranges. Using the CLI is it possible to specify multiple actions to remove using a single statement, for example,

#actions-to-remove produce-alert produce-verbose-alert

or will I need to create multiple filters, one for each. Thank you.

Re: Filtering verbose alerts

marcabal — Fri, 02 Sep 2005 15:02:05 GMT

I had a typo in my earlier response.

One of the lines should have read:

In the CLI you put a "|" between each action you want to remove: "produceAlert|produceVerboseAlert".

To remove all actions the CLI configuration line in that filter would look like:

Re: Filtering verbose alerts

janderjulot — Thu, 22 Sep 2005 00:42:18 GMT

I have the same problem as gdntsoc in my IPS 4240. Basically I want to created a filter for a

signature to trigger only for a specific destination address. It seems that the event

filter I created for TCP SYN Port Sweep does not work. The secmon event monitoring still

shows that ip outside the my ip space in my filter is still being log.

The following are the settings of the filter event:

1st filter (Trigger the signature on this address)

Filter name : filter1

SigId : 3002

SubSig: 0-255 (default)

Attacker Address: 0.0.0.0-255.255.255.0 (default)

Ports : 0-65535 (default)

Victim Address : 10.10.10.10 - 10.10.10.90

Ports : 0-65535 (default)

RR Thrsh Range : 0-100 (default)

Action to subtract : none (default)

Stop on Match : True

Enabled ; True

2nd filter (Disable/Filter the signature on other address)

Filter name : filter2

SigId : 3002

SubSig: 0-255 (default)

Attacker Address: 0.0.0.0-255.255.255.0 (default)

Ports : 0-65535 (default)

Victim Address : 0.0.0.0-255.255.255.0 (default)

Ports : 0-65535 (default)

RR Thrsh Range : 0-100 (default)

Action to subtract : none (log-attacker packets|log pair-pockets|log-victim-packets|

produce-alerts|produce-verbose-alerts)

Stop on Match : True

Enabled ; True

I want this filter to operate so to avoid over

log it produce on the eventstore. Is there a problem

with my settings??

Thanks,

Jander