10-28-2009 02:13 AM - edited 03-10-2019 04:48 AM
Hi,
We are running an IDSM-2 with 7.0(1)E3 and 2 virtual sensors.
I want to filter alarms from sig 2004 for a monitoring server.
When adding an event action filter, it still sends alarms. Bug?? Is there another way to filter the alarms for a specific host?
Regards
/Ola
10-28-2009 02:42 AM
The event action rules set is assigned to a virtual sensor. If you have assigned one event action rules set to one virtual sensor and another rules set to another vs:
rules0 - vs0
rules1 - vs1
you must create a filter on every rules set to subtract some action on the whole sensor.
10-28-2009 02:52 AM
Hi,
I tried to apply the same filter to both sensors, same result, I still get the alarms.
10-28-2009 03:08 AM
Sig 2004/0 ICMP Echo Request is disabled by default.
Did you activate the same action in the signature action and the subtract action in the filter?
10-28-2009 03:32 AM
I enabled the signature in one sensor and want to filter alarms for one specific IP address.
10-28-2009 06:34 AM
OK, but, for example, if you activate the action "produce verbose alert" in the signature but check the action to subtract "produce alert", or don't check any, the filters must not work.
Post the config fragments of signature and of filters here.
10-29-2009 12:56 AM
I removed produce alert on the signature.
Enabled it again and then reapplied the filter, and for some reason, it now works. Anyway, thanks for your help.