03-20-2006 04:35 AM - edited 03-10-2019 01:56 AM
I am trying to understand how event or alert filters work in version 5.x. If I use VMS ipsmc to manage the sensors, how do you add a sensor filter for a particular event that we do not want to see appear in the SecMon console any more?
It looks like you have one of two options; however, I am not sure which method to follow. You could edit the signature itself, or it seems that you must use Configuration Settings > Event Actions (IPS 5.x) > SigEvent Action Filters.
I would like to create a filter from any address to a single host IP address, but when I select the Add button, I only have the option to specify a range of addresses. Do I just enter the single address in the start field and then leave the finish field blank?
The filter should not alert or take any action. How do I exclude certain destination or source IPs from producing an alert?
03-22-2006 07:55 AM
We are still trying to get this filter to work. Can anybody give us an example of how it should look on the sensor?
The sensor filter that we would like to create should exclude any source IP and any source port to specific destination hosts on all destination ports (ICMP has none) from capturing events and storing them in the event store on the sensor.
This is the filter that we have so far on the sensor. What's the problem with it?
! ------------------------------
service event-action-rules rules0
filters edit icmp-w-echo-filter-sensor-sensor-0-D
signature-id-range 2100
subsignature-id-range 0-255
attacker-address-range 0.0.0.0-255.255.255.255
victim-address-range a.b.c.x,a.b.c.y
attacker-port-range 0-65535
victim-port-range 0-65535
risk-rating-range 0-100
no actions-to-remove
deny-attacker-percentage 100
filter-item-status Enabled
stop-on-match False
no user-comment
exit
filters move icmp-w-echo-filter-sensor-sensor-0-D begin
exit
03-22-2006 08:12 AM
I don't normally look at the config file via the CLI, but I suspect it has something to do with "no actions-to-remove". You should have some actions in there, at least "produce-alert". Here is what shows up in a "sh conf" for one of my filters:
filters edit Q00013
signature-id-range 6508
attacker-port-range 53
actions-to-remove request-block-connection|request-block-host|deny-attacker-inline|deny-packet-inline|deny-connection-inline|log-attacker-packets|log-victim-packets|log-pair-packets|reset-tcp-connection|produce-alert|produce-verbose-alert|request-snmp-trap
user-comment sigs to ignore if src port = 53 (dns reply)
exit
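The reply above points at the actual defect: a filter whose actions-to-remove list is empty matches the events but removes nothing, so they still alert and still land in the event store. Below is an added example (not code from the thread or from Cisco) that parses the `filters edit ... exit` blocks out of `show configuration` text, flags filters that remove no actions or leave produce-alert in place, validates the address ranges (a lone address is treated as a range of one, as the sensor prints it), and renders a corrected filter in the same syntax. The sample config is constructed from the two filters quoted in the thread; 192.0.2.x hosts stand in for the poster's a.b.c.x placeholders, the filter-item-status default of Enabled is an assumption, and the rendered filter's syntax is reconstructed from the quoted output rather than from Cisco documentation.

```python
"""Lint Cisco IPS 5.x event-action filters from 'show configuration' output.
Added example, not from the thread or from Cisco. SAMPLE_CONFIG is built from
the two filters quoted in the thread; 192.0.2.x replaces the poster's a.b.c.x
placeholders, and filter-item-status is assumed Enabled when not printed."""
import ipaddress
import re

SAMPLE_CONFIG = """\
service event-action-rules rules0
filters edit icmp-w-echo-filter-sensor-sensor-0-D
signature-id-range 2100
attacker-address-range 0.0.0.0-255.255.255.255
victim-address-range 192.0.2.10,192.0.2.11
no actions-to-remove
filter-item-status Enabled
no user-comment
exit
filters move icmp-w-echo-filter-sensor-sensor-0-D begin
filters edit Q00013
signature-id-range 6508
attacker-port-range 53
actions-to-remove request-block-connection|request-block-host|deny-attacker-inline|deny-packet-inline|deny-connection-inline|log-attacker-packets|log-victim-packets|log-pair-packets|reset-tcp-connection|produce-alert|produce-verbose-alert|request-snmp-trap
user-comment sigs to ignore if src port = 53 (dns reply)
exit
exit
"""
# Action names exactly as printed in the second reply's filter.
ALL_ACTIONS = ("request-block-connection|request-block-host|deny-attacker-inline|"
               "deny-packet-inline|deny-connection-inline|log-attacker-packets|"
               "log-victim-packets|log-pair-packets|reset-tcp-connection|"
               "produce-alert|produce-verbose-alert|request-snmp-trap").split("|")
ALERT_ACTIONS = {"produce-alert", "produce-verbose-alert"}


def parse_filters(text):
    """Return {name: {field: value}} per 'filters edit ... exit' block; the
    actions-to-remove field is a set, empty for 'no actions-to-remove'."""
    filters, name, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"filters edit (\S+)$", line)
        if m:
            name, cur = m.group(1), {"actions-to-remove": set()}
        elif cur is None or not line:
            continue  # outside a filter block (service header, filters move)
        elif line == "exit":
            filters[name] = cur
            name, cur = None, None
        elif line == "no actions-to-remove":
            cur["actions-to-remove"] = set()
        elif line.startswith("actions-to-remove "):
            cur["actions-to-remove"] = set(line.split(" ", 1)[1].split("|"))
        elif line.startswith("no "):
            cur[line[3:]] = None  # e.g. 'no user-comment'
        else:
            key, _, value = line.partition(" ")
            cur[key] = value
    return filters


def parse_address_range(spec):
    """Expand 'A', 'A-B' and comma-separated mixes into (low, high) pairs.
    A lone address is a range of one, as the sensor prints victims above."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        low = ipaddress.IPv4Address(lo)  # raises ValueError on placeholders
        high = ipaddress.IPv4Address(hi) if hi else low
        if high < low:
            raise ValueError(f"inverted range {item!r}")
        ranges.append((low, high))
    return ranges


def lint(filters):
    """Return [(name, problem)] for enabled filters that suppress nothing."""
    findings = []
    for name, f in filters.items():
        if f.get("filter-item-status", "Enabled") != "Enabled":
            continue  # a disabled filter is inert by design
        actions = f["actions-to-remove"]
        if not actions:
            findings.append((name, "removes no actions, so events still alert"))
        elif not actions & ALERT_ACTIONS:
            findings.append((name, "leaves produce-alert in place"))
        for key in ("attacker-address-range", "victim-address-range"):
            try:
                parse_address_range(f.get(key) or "0.0.0.0-255.255.255.255")
            except ValueError as exc:
                findings.append((name, f"{key}: {exc}"))
    return findings


def render_suppress_filter(name, sig_id, victims, comment):
    """Render a filter that removes every action for sig_id against victims,
    in the syntax the thread's output uses (reconstructed, not from Cisco)."""
    parse_address_range(victims)  # reject bad addresses before rendering
    lines = [f"filters edit {name}", f"signature-id-range {sig_id}",
             f"victim-address-range {victims}",
             f"actions-to-remove {'|'.join(ALL_ACTIONS)}",
             f"user-comment {comment}", "exit"]
    return "\n".join(lines) + "\n"
```

Running `lint(parse_filters(SAMPLE_CONFIG))` reports only the first filter, for removing no actions; the DNS-reply filter from the reply passes because its list includes produce-alert. `render_suppress_filter("icmp-echo-quiet", 2100, "192.0.2.10,192.0.2.11", "...")` produces a block that lints clean, which is the shape the first poster needs: the match criteria they already had, plus an actions-to-remove list covering at least produce-alert (here every action, since they wanted no alert and no action at all).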