03-21-2007 07:11 AM - edited 03-10-2019 03:31 AM
Does anyone have a reference for understanding how to create Event Action Filters? I had a filter in place to remove the false positives created by my proxy servers, and the rule has disappeared. I still have the $HTTP_PROXY variable, just no rule.
I created a filter to subtract the Produce Alert action from the 3030 signature ID, matching the $HTTP_PROXY attacker address and keeping the generic victim address. It seems to be working, but I am not sure if that is the correct way.
I have also been given recommendations that this is not correct and that I should use one of the following...
This is my test filter I created without the stop on match checked
service event-action-rules rules0
variables HTTP_Proxy address 172.16.4.72,206.197.1.3
overrides produce-alert
override-item-status Enabled
risk-rating-range 0-100
exit
filters edit TcpSynSweep
signature-id-range 3030
attacker-address-range $HTTP_Proxy
victim-address-range 1.1.1.1
actions-to-remove produce-alert
exit
filters move TcpSynSweep begin
exit
This is the test filter with the stop on match checked
service event-action-rules rules0
variables HTTP_Proxy address 172.16.4.72,206.197.1.3
overrides produce-alert
override-item-status Enabled
risk-rating-range 0-100
exit
filters edit TcpSynSweep
signature-id-range 3030
attacker-address-range $HTTP_Proxy
victim-address-range 1.1.1.1
actions-to-remove produce-alert
stop-on-match True
user-comment Stop on Match
exit
filters move TcpSynSweep begin
exit
I am trying to get the sensor completely tuned and installed. Other than updates it had only the one rule. Figured this would be a good place to start.
Brent
03-21-2007 08:12 AM
Ok... see, I really do need a reference. If I am understanding everything right, what I did and what is recommended are the same thing, other than that the recommendation uses specific victim addresses.
I understand that every network is different and there will probably not be a definite list, but what about the types of things to look for when tuning a new sensor?
Brent
03-22-2007 07:57 AM
Creating Event Action Filters:
When you added the filter, did you click Apply and log off gracefully? Are you using VMS with IPS Management? Could a lack of syncing VMS with your sensor have caused an overwrite? It might have been deleted if your syntax was wrong.
I recommend you remove the public/private IP addresses of your proxy server from your original post - you've just identified a key component of your security infrastructure.
You want stop on match checked if you don't want any more precise filters to override your first filter. Your victim address range should be 0.0.0.0-255.255.255.255.
Create your rule using the GUI - save - then go back to the CLI and copy the text version. You can then use that as a template for future rules. I personally prefer the GUI for something as complex as that.
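Putting the two recommendations in this reply together (full victim range, stop on match set) gives the filter below. This is an added example, not the poster's configuration or text from Cisco documentation; it reuses only the command syntax already shown in the thread. The proxy addresses are placeholders from the RFC 5737 documentation ranges, standing in for the real addresses that this reply suggests removing from the post.

```cisco
service event-action-rules rules0
variables HTTP_Proxy address 192.0.2.10,198.51.100.3
filters edit TcpSynSweep
signature-id-range 3030
attacker-address-range $HTTP_Proxy
victim-address-range 0.0.0.0-255.255.255.255
actions-to-remove produce-alert
stop-on-match True
user-comment Suppress 3030 from proxy servers, any victim, no later filter overrides
exit
filters move TcpSynSweep begin
exit
```

The differences from the filters posted above are the victim range, which covers every destination instead of the single 1.1.1.1 address, and the combination of stop-on-match with the move to the beginning of the list, which is what keeps a later, narrower filter from restoring the alert.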
03-22-2007 08:13 AM
I created the original filter via the GUI but I guess was just a little impatient in waiting for it to fire. While I was waiting I went ahead and pasted the recommended filter onto the CLI and did the apply but I had to reload the sensor to get it to appear in the list. That is when I noticed that both my original and the recommended solutions were basically the same.
I am not using the VMS as I only have one sensor. Am I losing something by not using it?
I do like the GUI interface better than the CLI as it makes adding and changing things easier. Now I just need to learn and understand everything that is in the event log.
I thought about pulling the IP addresses, but the message was already permanent when I came back to change it.
Thanks