
Disabling a signature for some destinations only

vgodin
Level 1

Hi, using IDS 4.1, can somebody tell me how to disable a signature for some IP destinations only?

Thanks.

2 Replies

gabelar
Level 1

I'm really not sure how to do it for 4.1, but for 5.0 there is an override in the management console. 5.0 has considerable enhancements over 4.1, mostly in the area of false positive reduction. It's definitely a recommended upgrade.

a.arndt
Level 3

I don't run IPS v5.0 (yet), but I am still running IDS v4.1.

With v4.1, you can configure what is known as an "Event Filter" to do what you're looking for.

Let's say you want to exclude SigID 5337 for all your proxy servers. Here's how you'd build the Event Filter:

1) Log in to IDM using an administrator privileged account and select the "Configuration" tab.

2) Select "Sensing Engine" in the sub-menu that appears.

3) Select "Event Filters" in the navigation menu that appears on the left-hand side.

4) Select "Add" at the bottom of the page.

5) Replace the "*" in the SigID field with the SigID you need to filter for. For my example, this would be 5337.

6) If only a specific SubSig is causing problems, input its number in the SubSig field. Otherwise, leave the default "*".

7) Leave the "Exception" checkbox empty.

8) Since we only want to exclude our alarm for specific destination IP addresses, we'll leave the default "*" wildcard in the SrcAddrs field.

9) To exclude specific destination IP addresses, list them (separated by commas and no spaces) in the DstAddrs field.

10) Select "Apply to Sensor" and then select "Save Changes" on the screen that follows (it's the stacked paper-like icon near the top right-hand side of the page).

Now you have an Event Filter that will exclude all alarms involving SigID 5337 to your list of destination IP addresses.

I hope this helps,

Alex Arndt
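Added example, not part of the original reply and not Cisco code: a small Python model of the Event Filter fields from the steps above, useful for checking on paper which alarms a filter would suppress before applying it to the sensor. It assumes a filter suppresses an alarm only when every field matches, that "*" matches anything, and that address fields hold single IPv4 addresses; the class, function names, proxy addresses and alerts are all made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed semantics (not taken from Cisco documentation): an alarm is
# suppressed only if SigID, SubSig, SrcAddrs and DstAddrs all match.
@dataclass(frozen=True)
class EventFilter:
    sig_id: str = "*"
    sub_sig: str = "*"
    src_addrs: str = "*"
    dst_addrs: str = "*"

    def validate(self):
        """Return a list of problems with the filter as entered."""
        problems = []
        for name in ("src_addrs", "dst_addrs"):
            value = getattr(self, name)
            if value == "*":
                continue
            if " " in value:
                problems.append(f"{name}: separate addresses with commas, no spaces")
                continue
            for item in value.split(","):
                try:
                    ipaddress.IPv4Address(item)
                except ValueError:
                    problems.append(f"{name}: {item!r} is not an IPv4 address")
        if self.src_addrs == "*" and self.dst_addrs == "*":
            problems.append("both address fields are '*': signature is filtered everywhere")
        return problems

    def suppresses(self, alert):
        """True if the alert matches every field of the filter."""
        def field_ok(pattern, value):
            return pattern == "*" or str(value) in pattern.split(",")
        return (field_ok(self.sig_id, alert["sig_id"])
                and field_ok(self.sub_sig, alert["sub_sig"])
                and field_ok(self.src_addrs, alert["src"])
                and field_ok(self.dst_addrs, alert["dst"]))

# Constructed sample data: two hypothetical proxy servers and three alerts.
PROXY_FILTER = EventFilter(sig_id="5337", dst_addrs="192.0.2.10,192.0.2.11")
ALERTS = [
    {"sig_id": 5337, "sub_sig": 0, "src": "198.51.100.7", "dst": "192.0.2.10"},
    {"sig_id": 5337, "sub_sig": 0, "src": "198.51.100.7", "dst": "192.0.2.99"},
    {"sig_id": 3030, "sub_sig": 0, "src": "198.51.100.7", "dst": "192.0.2.10"},
]

def still_alarming(flt, alerts):
    """Alerts that would still be raised with the filter in place."""
    return [a for a in alerts if not flt.suppresses(a)]
```

Only the first sample alert is suppressed: SigID 5337 still fires for other destinations, and other signatures still fire for the proxies.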
