12-06-2008 09:16 AM - edited 03-10-2019 04:24 AM
Hello,
I'm wondering if somebody is using the filters to get get rid of the logging for the antivirus updates. Usually the antivirus updates cause the signature 2100 to fire.
IPS configuration guide says:
When filtering sweep signatures we recommend, that you do not use the destination address. If they are several destination addresses, only the last address is used for matching the filter.
I'm kind of learning IPS by trial and error in the test environment. Maybe somebody can share the experience from the real production environment.
thanks
12-11-2008 02:30 PM
You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters. For the procedure on how to configure event action variables, see the Adding, Editing, and Deleting Event Action Variables section in the below URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml#event
12-12-2008 06:44 PM
Thanks, but it looks like it doesn't work for signature 2100
LAN workstation are trying to go the different addresses on the internet let's say for the avast update. I can not have a variable set up by the dns name only by IP.
12-13-2008 05:54 AM
The configuration guide reads that event action filters cannot be used for sweep signatures, but I've configured them on production IDSM-2s without any issues at all. You can also use the source/destination fields in the signature itself.
However you cannot use hostnames (and let the IPS resolve IPs for you). You have to use IPs. If the hostname maps to multiple IPs, you have to list all of them (using commas).
Just make sure you put RANGES in the event action filter and not individual IPs. e.g.
10.4.4.4-10.4.4.4, 13.13.13.1-13.13.13.255
You can also keep the destination IP address field as a wilrdcard (default).
Regards
Farrukh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide