08-20-2005 05:15 AM - edited 03-10-2019 01:35 AM
Dear All,
In fine tuning the IDSM/IDS for false positive alarms, I have configured the
IDS/IDSM with "Event Filter" for the false alarms and at the same time I
have configured my IDS/IDSM for shunning/blocking on various networking devices
(PIX/Routers/Cat65xx), my question is:
Is the "Event Filter" configuration affected by, or subject to, the
Blocking configuration? In other words, if I configured the IDS to
"exclude event filter" a specific signature that is fired by a specific
network, say NETWORK_1, and at the same time tuned this signature's action to
shun or block, will the filtered network, NETWORK_1, be shunned/blocked if
the signature is fired although I excluded this network from the Event Alarms?
I appreciate your help and cooperation.
Thanks and best Regards
08-22-2005 06:39 AM
This changes between 4.x and 5.x.
In 4.x if the alert is filtered, then the actions (like blocking and tcp reset) are also filtered.
NOTE: Be aware that in 4.x there are 2 types of filters. Exception True and Exception False. Exception False is the default and will prevent the signature from firing (and prevent the actions). But the exception True filter is an override, it overrides all the Exception False filters and forces the alert firing (and forces the actions).
In version 5.x each individual action can be filtered. So you can filter out produceAlert action and still allow the block actions to continue.
08-22-2005 11:57 AM
Thank you Marcoa, for your response.
Marcoa, you said "In 4.x if the alert is filtered, then the actions (like blocking and tcp reset) are also filtered". Does this apply to all filtered signatures regardless of whether the filtering action is configured for a specific host/network or not? In other words, if I filtered a specific signature that is triggered from a specific host/network, will the filter apply to this signature regardless of who triggered it?
Thanks and best Regards
08-22-2005 02:23 PM
If the alert is filtered by an Exception false filter (and not overridden by an Exception true filter), then both the alert and the action together will be filtered/prevented.
To match a filter the alert has to match all of the matching criteria in the filter: (SigID, SubSigID, Src Address, Dest Address).
Only if all the criteria match the alert will the alert and its associated actions be filtered.
If any of the criteria does not match, then that filter line will be ignored for that specific alert.
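The matching and override rules described in the two answers above (a filter applies only when SigID, SubSigID, source and destination all match; in 4.x an Exception true filter overrides Exception false filters and a matching Exception false filter suppresses the alert together with its blocking action; in 5.x each action can be filtered on its own) can be modelled as a small evaluator. The following is an added illustration, not code from the thread or from Cisco; the signature ID, the NETWORK_1 prefix, the host addresses and the action names are constructed sample values.

```python
"""Toy model of IDS event-filter evaluation, 4.x vs 5.x semantics (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional

# Action names are assumed labels for the purpose of the example.
ALL_ACTIONS = frozenset({"produceAlert", "block", "tcpReset"})


@dataclass(frozen=True)
class Alert:
    sig_id: int
    subsig_id: int
    src: str
    dst: str
    actions: FrozenSet[str]  # actions configured on the signature that fired


@dataclass(frozen=True)
class EventFilter:
    # None in a criterion means "any"; a filter matches only if EVERY criterion matches.
    sig_id: Optional[int] = None
    subsig_id: Optional[int] = None
    src: Optional[str] = None  # CIDR prefix
    dst: Optional[str] = None  # CIDR prefix
    exception: bool = False  # 4.x only: True = override that forces the alert and actions
    filtered_actions: FrozenSet[str] = ALL_ACTIONS  # 5.x only: actions this filter removes


def matches(flt: EventFilter, alert: Alert) -> bool:
    """All four criteria (SigID, SubSigID, Src, Dest) must match, otherwise the line is ignored."""
    if flt.sig_id is not None and flt.sig_id != alert.sig_id:
        return False
    if flt.subsig_id is not None and flt.subsig_id != alert.subsig_id:
        return False
    if flt.src is not None and ip_address(alert.src) not in ip_network(flt.src, strict=False):
        return False
    if flt.dst is not None and ip_address(alert.dst) not in ip_network(flt.dst, strict=False):
        return False
    return True


def evaluate_v4(alert: Alert, filters: Iterable[EventFilter]) -> FrozenSet[str]:
    """4.x: alert and actions stand or fall together; Exception true overrides Exception false."""
    matched = [f for f in filters if matches(f, alert)]
    if any(f.exception for f in matched):
        return alert.actions  # override forces the alert AND its actions
    if matched:
        return frozenset()  # Exception false: alert and block/reset all suppressed
    return alert.actions


def evaluate_v5(alert: Alert, filters: Iterable[EventFilter]) -> FrozenSet[str]:
    """5.x: each matching filter removes only the actions it names (exception flag unused here)."""
    remaining = set(alert.actions)
    for f in filters:
        if matches(f, alert):
            remaining -= f.filtered_actions
    return frozenset(remaining)


# --- constructed sample scenario mirroring the question -------------------------
NETWORK_1 = "10.1.1.0/24"  # placeholder for the poster's NETWORK_1
SIG = 1000  # placeholder signature ID
alert_from_net1 = Alert(SIG, 0, "10.1.1.5", "192.0.2.10", frozenset({"produceAlert", "block"}))
alert_from_other = Alert(SIG, 0, "172.16.0.9", "192.0.2.10", frozenset({"produceAlert", "block"}))

# 4.x: exclude the signature for NETWORK_1 (Exception false, the default)
exclude_net1_v4 = EventFilter(sig_id=SIG, subsig_id=0, src=NETWORK_1)
# 4.x: an Exception true override for one host inside NETWORK_1
override_host_v4 = EventFilter(sig_id=SIG, subsig_id=0, src="10.1.1.5/32", exception=True)
# 5.x: drop only produceAlert for NETWORK_1, leaving the block action in place
alert_only_v5 = EventFilter(sig_id=SIG, subsig_id=0, src=NETWORK_1,
                            filtered_actions=frozenset({"produceAlert"}))


def demo() -> dict:
    """Return the surviving actions for each case so the behaviour can be inspected."""
    return {
        "v4 NETWORK_1 filtered": evaluate_v4(alert_from_net1, [exclude_net1_v4]),
        "v4 other network": evaluate_v4(alert_from_other, [exclude_net1_v4]),
        "v4 override host": evaluate_v4(alert_from_net1, [exclude_net1_v4, override_host_v4]),
        "v5 NETWORK_1 alert-only filter": evaluate_v5(alert_from_net1, [alert_only_v5]),
        "v5 other network": evaluate_v5(alert_from_other, [alert_only_v5]),
    }


if __name__ == "__main__":
    for case, actions in demo().items():
        print(f"{case}: {sorted(actions) or 'nothing fires'}")
```

Running it shows the answer to the original question in both versions: under the 4.x rules the NETWORK_1 filter suppresses the alert and the block together (nothing fires), while a host from outside NETWORK_1 fails the source criterion and is still alerted on and blocked; under the 5.x rules the same filter can remove only produceAlert, so NETWORK_1 traffic is still blocked without raising an alarm. The Exception true case shows the override re-enabling both the alert and the block for the listed host.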