how to add a alert filter in ipsmc for version 5 signatures

darin.marais
Level 4

I am trying to understand how event or alert filters work in version 5.x. If I use VMS ipsmc to manage the sensors, how do you add a sensor filter for a particular event that we do not want to see appear in the SecMon console anymore?

It looks like you have one of two options; however, I am not sure of the method to follow. You could edit the signature itself, or it seems that you must use “Configuration Settings > Event Actions (IPS 5.x) > SigEvent Action Filters”.

I would like to create a filter from any to a single address host IP address but when I select the add button, I only have the option to specify a range of addresses. Do I just enter the single address in the start field and then leave the finish field blank?

The filter should “not alert” or “take any action”. How do I exclude certain destination or source IPs from producing an alert?

2 Replies

darin.marais
Level 4

We are still trying to get this filter to work. Can anybody give us an example of how it should look on the sensor?

The sensor filter that we would like to create should “exclude” any source IP, any source port to specific destination hosts on all destination ports (icmp has none) from capturing events and storing them in the event store on the sensor.

This is the filter that we have so far on the sensor. What’s the problem with it?

! ------------------------------
service event-action-rules rules0
filters edit icmp-w-echo-filter-sensor-sensor-0-D
signature-id-range 2100
subsignature-id-range 0-255
attacker-address-range 0.0.0.0-255.255.255.255
victim-address-range a.b.c.x,a.b.c.y
attacker-port-range 0-65535
victim-port-range 0-65535
risk-rating-range 0-100
no actions-to-remove
deny-attacker-percentage 100
filter-item-status Enabled
stop-on-match False
no user-comment
exit
filters move icmp-w-echo-filter-sensor-sensor-0-D begin
exit

I don't normally look at the config file via the CLI, but I suspect it has something to do with "no actions-to-remove". You should have some actions in there, at least "produce-alert". Here is what shows up in a "sh conf" for one of my filters:

filters edit Q00013
signature-id-range 6508
attacker-port-range 53
actions-to-remove request-block-connection|request-block-host|deny-attacker-inline|deny-packet-inline|deny-connection-inline|log-attacker-packets|log-victim-packets|log-pair-packets|reset-tcp-connection|produce-alert|produce-verbose-alert|request-snmp-trap
user-comment sigs to ignore if src port = 53 (dns reply)
exit
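The point of the reply above is that a filter with `no actions-to-remove` matches events but removes nothing, so the alert still reaches the console. The following added example (not code from the posters or from Cisco) is a small lint that parses the `filters edit ... exit` blocks in the `sh conf` syntax shown in both posts and flags filters that cannot suppress an alert; the sample config is constructed from the two filters on this page, with the `a.b.c.x` placeholders kept as the poster wrote them.

```python
# Constructed sample: the poster's no-op filter followed by the working one.
SAMPLE_CONFIG = """\
service event-action-rules rules0
filters edit icmp-w-echo-filter-sensor-sensor-0-D
signature-id-range 2100
subsignature-id-range 0-255
attacker-address-range 0.0.0.0-255.255.255.255
victim-address-range a.b.c.x,a.b.c.y
no actions-to-remove
filter-item-status Enabled
no user-comment
exit
filters edit Q00013
signature-id-range 6508
attacker-port-range 53
actions-to-remove request-block-connection|produce-alert|produce-verbose-alert
user-comment sigs to ignore if src port = 53 (dns reply)
exit
exit
"""

def parse_filters(config):
    """Return {filter_name: {key: value}} for every 'filters edit' block.
    A 'no <key>' line is stored as key -> None (the setting is unset)."""
    filters, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("filters edit "):
            current = filters.setdefault(line[len("filters edit "):], {})
        elif line == "exit":
            current = None          # outer 'exit' lines are simply ignored
        elif current is not None and line:
            if line.startswith("no "):
                current[line[3:]] = None
            else:
                key, _, value = line.partition(" ")
                current[key] = value
    return filters

def lint_filters(filters):
    """Flag filters that match events but leave the alert in place."""
    findings = []
    for name, f in filters.items():
        actions = f.get("actions-to-remove")
        if not actions:
            findings.append((name, "no actions-to-remove: filter removes nothing"))
        elif "produce-alert" not in actions.split("|"):
            findings.append((name, "produce-alert not removed: alert still fires"))
        if f.get("filter-item-status", "Enabled") != "Enabled":
            findings.append((name, "filter disabled"))
    return findings
```

Running `lint_filters(parse_filters(SAMPLE_CONFIG))` reports only the poster's filter; the second reply's Q00013 passes because its `actions-to-remove` list includes `produce-alert`.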
