Hi,
As per CCO:
Timesaver: For example, if you have an IP address space that applies to your engineering group and there are no Windows systems in that group, and you are not worried about any Windows-based attacks to that group, you could set up a variable to be the engineering group's IP address space. You could then use this variable to configure a filter that would ignore all Windows-based attacks for this group.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmevtrul.htm#wp1036415
My question is how to create this "all Win-based attacks" definition?
Under the signature configuration there is a choice to select all OS (including Windows) specific signatures, but under the event filter configuration the only way I have found is to create an Event Action Filter, and include all the Windows-specific signatures one-by-one...
The problems are:
it's ridiculous
hard to update
I don't know how CPU sensitive it is...
If any of you have a better solution - please share it! Thank you for any comments!
A_a