
event filter to ignore all 'same-type' attacks

subaa
Level 1

Hi,

As per CCO:

Timesaver: For example, if you have an IP address space that applies to your engineering group and there are no Windows systems in that group, and you are not worried about any Windows-based attacks to that group, you could set up a variable to be the engineering group's IP address space. You could then use this variable to configure a filter that would ignore all Windows-based attacks for this group.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmevtrul.htm#wp1036415

My question is how to create this "all Win-based attacks" definition?

Under the signature configuration there is a choice to select all OS (including Windows) specific signatures, but under the event filter configuration the only way I have found is to create an Event Action Filter, and include all the Windows-specific signatures one by one...

The problems are:

it's ridiculous

hard to update

I don't know how CPU-sensitive it is...

If any of you have a better solution - please share it! Thank you for any comments!

A_a

1 Reply

wong34539
Level 6

The resolution may be achieved with the following procedures.

ME > Admin > Device Views > Add Dynamic Views.

Enter a View Name and Description, and click on user filter there under the description column.
