Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
446
Views
0
Helpful
2
Replies

filtering alerts

slug420
Level 1
Level 1

‎04-29-2005 06:17 AM - edited ‎03-10-2019 01:25 AM

I have recently installed 2 scanning machines on my network and am wondering what the best approach would be for ignoring the IDS alarms that they set off.

I am using VMS to view events from a number of sensors, it is set to view 50k events by default, when I go much higher than that my box craaawls, and with all the TCP SYN Host Sweep and TCP Syn Port Sweep alerts being generated by my 2 scanning boxes my 50k alerts are only covering a short timeframe.

The scanning machines are running windows 2003 with sql server on one of them so I dont want to eliminate alerts from them altogether but if I could somehow get rid of this enormous amount of noise that would be best.

So should I be tuning the alert on the sensor itself to exclude sig X and Y for attacker IPs of A and B? or can I build a filter in VMS so that when I view alerts it filters out any alerts from those IPs?

Labels:
0 Helpful
2 Replies 2

a.arndt
Level 3
Level 3

‎05-06-2005 06:45 AM

Good questions. This is another great example of "What's the best practice?" that I think we, as a community should better address.

Anyway, since you want to continue to protect the hosts you use to perform network scans, while at the same time filtering out the IDS alerts they generate while performing their assigned tasks, I'd like to suggest some event filters.

I'm going to assume you know how to build event filters, so I'll skip over the instructional elements and get right to the suggestions.

I suggest you start by identifying exactly which SigIDs are being generated by a typical scan (for example, 2100, 3002 and 3030 - which are ICMP netsweep w/ echo, TCP Syn Port sweep and TCP Syn Host sweep respectively. They are common occurrences when network scanners are at work). Take this list of SigIDs and combine it with the two IP addresses as sources to make a filter.

Quick tip - you can put all the SigIDs into one filter by separating them with commas (no spaces). This way, a single event filter can deal with multiple SigIDs for the two IP addresses.

IMHO, it's always better to squelch known false positive/accepted traffic at the sensors, vice filtering it out at the Monitoring Console. Essentially, this improves the value of your collected IDS alarms by not introducing unwanted data to your SecMon (or SIMS), which typicaly employs a backend DB. Less records in the DB means more efficient searches and reports can be generated from it.

I hope this helps,

Alex Arndt

0 Helpful

jlwomeld
Level 1
Level 1
In response to a.arndt

‎06-10-2005 11:34 AM

I set a filter to exclude sig 3337-3338 here is the filter

AD Server Exclude 3337-3338 All Subsignatures Any 144.99.12.0/255.255.254.0

but I am still getting events in the security monitor do I have to set a event rule for this? or do I need an include in the IDS MC filter ?

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card