https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331583#M96787 <P>How would I configure an event filter for SIGID 4003 so that the source IP of A.B.C.D when the source port is 53 to any destination IP any destination port is filtered so it is excluded.</P><P></P><P></P> Sun, 10 Mar 2019 09:20:22 GMT 5creedus 2019-03-10T09:20:22Z https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331583#M96787 <P>How would I configure an event filter for SIGID 4003 so that the source IP of A.B.C.D when the source port is 53 to any destination IP any destination port is filtered so it is excluded.</P><P></P><P></P> Sun, 10 Mar 2019 09:20:22 GMT https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331583#M96787 5creedus 2019-03-10T09:20:22Z https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331584#M96788 <HTML><HEAD></HEAD><BODY><P>I know how to do this using IDM. Here goes...</P><P></P><P>1) Access IDM via a browser (for example, <A class="jive-link-custom" href="https://" target="_blank">https://</A><IP of="" sensor="">)</IP></P><P></P><P>2) Use a username/password pair with administrative privileges</P><P></P><P>3) Left-click "Configuration" at the top of the page</P><P></P><P>4) Left-click "Sensing Engine" when it appears</P><P></P><P>5) Left-click "Event Filters" in the TOC menu when it appears</P><P></P><P>6) Left-click "Add" at the bottom of the page</P><P></P><P>7) In the "SIGID" field, put 4003 (or whatever signature you wish to build the exclusion for)</P><P></P><P><span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> In the "SubSig" field, place a Sub-signature number if required. Otherwise, leave it as a "*"</P><P></P><P>9) Leave the "Exception" check box empty</P><P></P><P>10) In the "SrcAddrs" field, input the IP you wish to ignore (for example, A.B.C.D)</P><P></P><P>11) In the "DstAddrs" field, leave the default "*", since you don't care which destination is involved for this particular source IP</P><P></P><P>12) Left-click "Apply to Sensor"</P><P></P><P>13) Confirm the details are correct in the resulting page and then left-click "Save Changes" icon near the top right-hand corner of the page</P><P></P><P>14) Enjoy the silence...</P><P></P><P>BTW, you cannot filter a specific source host based on a <B>specific source port</B>. You'll have to choose to ignore all Nmap-like activity that may originate from your chosen source IP.</P><P></P><P>Assuming that this is in fact a DNS server however, this is an acceptable risk to assume, since you would likely see other signs of compromise besides outbound Nmap scans in the event that someone owns your DNS server.</P><P></P><P>I hope this helps,</P><P>Alex Arndt</P></BODY></HTML> Wed, 16 Mar 2005 19:32:38 GMT https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331584#M96788 a.arndt 2005-03-16T19:32:38Z https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331585#M96791 <HTML><HEAD></HEAD><BODY><P>Yes it does. I got the CLI commands working to do just as you outlined using IDM. I just was not sure if flitering on a specific source port is available. I'll configure the filter based on source IP as you stated.</P></BODY></HTML> Wed, 16 Mar 2005 21:56:40 GMT https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331585#M96791 5creedus 2005-03-16T21:56:40Z https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331586#M96793 <HTML><HEAD></HEAD><BODY><P>Filtering on ports is added in version 5.0.</P></BODY></HTML> Thu, 17 Mar 2005 17:00:19 GMT https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331586#M96793 marcabal 2005-03-17T17:00:19Z https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331587#M96796 <HTML><HEAD></HEAD><BODY><P>Sweet! I guess I need to remember to state what version my instructions work with...</P><P></P><P>I happily stand corrected, at least where version 5.x is involved.</P><P></P><P>Alex Arndt</P></BODY></HTML> Sun, 20 Mar 2005 15:25:29 GMT https://community.cisco.com/t5/network-security/ids-4-1-event-filters/m-p/331587#M96796 a.arndt 2005-03-20T15:25:29Z