How to create email alerting for some networks but not others

evan.chadwick1

Hi, I have email alerting working but want to only receive emails for my Corporate Subnets and not my Free Wifi Subnets.

How can I achieve this?


evan.chadwick1

Also can you configure different HTTP responses based on different subnets behind a managed device?

Hi Evan,

After adding suppression, you have to commit the policy and then deploy it again.

For the HTTP response issue, unfortunately there is no option for different HTTP responses, as this is a global setting under Policy->advanced.

Rate if it helps.

Thanks,

Ankita

I still don't feel that adding suppression rules is the way forward, especially since suppression rules cannot deal with objects. I'm wondering if this is a feature request, as correlation rules don't seem to handle objects either.

The significance of this is that if I have a large number of /22 sites to suppress for, I have to enter each one individually. Also, rather than having to create suppression rules for each ID that gets triggered, why not enable a feature to globally create Alert Ignores for?

Update:

A feature request has been raised. My workaround:

Turn off all email alerting, via Policy>Alerts

Then apply a correlation rule:

if "intrusion event takes place"

and source ip 'is not in' x.x.x.x/22 (network I want to protect and never hear about)

and source ip 'is not in' x.x.x.x/22 (network I want to protect and never hear about)

etc 

etc
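The rule logic in the workaround above, modelled outside the product as an added example (not part of the original post and not Firepower code): every 'is not in' condition is ANDed, so an event alerts only when its source is outside all listed networks, and adjacent /22 sites can be collapsed into fewer entries before typing them in. The site ranges, events and function names are constructed for illustration; SID 28039 is the one mentioned in this thread.

```python
import ipaddress

# Constructed sample data: RFC 1918 ranges standing in for the x.x.x.x/22 sites.
EXCLUDED_SITES = [
    "10.20.0.0/22", "10.20.4.0/22", "10.20.8.0/22", "10.20.12.0/22",
    "10.44.16.0/22",
]

# Constructed intrusion events (source IP plus rule ID).
SAMPLE_EVENTS = [
    {"sid": 28039, "src": "10.20.5.17"},    # inside an excluded site
    {"sid": 28039, "src": "10.10.1.5"},     # outside every excluded site
    {"sid": 28039, "src": "10.44.19.255"},  # last address of 10.44.16.0/22
    {"sid": 28039, "src": "10.44.20.1"},    # first address past that /22
]


def collapse_sites(cidrs):
    """Merge adjacent or overlapping networks into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def should_alert(source_ip, excluded):
    """True only if the source is 'not in' every excluded network (AND of all conditions)."""
    addr = ipaddress.ip_address(source_ip)
    return all(addr not in net for net in excluded)


def filter_events(events, excluded):
    """Return the events that would still trigger an email alert."""
    return [e for e in events if should_alert(e["src"], excluded)]


if __name__ == "__main__":
    excluded = collapse_sites(EXCLUDED_SITES)
    print("Entries to configure:", [str(n) for n in excluded])
    for event in filter_events(SAMPLE_EVENTS, excluded):
        print("Alert:", event)
```
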

I know the thread is a couple of years old. I have the same need and am wondering what the best way to accomplish this is. If need be I can open a case with TAC. Thanks.

evan.chadwick1

An update to this. I've tried adding a suppression rule in my IPS policy. I chose the ever so popular event ID of 28039, which makes Sourcefire generate an event when a person performs a DNS request to a .pw domain.

I added a suppression rule with a source subnet of my Free Wifi. However, I still receive email alerts when an IP in this range browses to a .pw domain.

<update: I had not deployed the policy; once I did this the suppression worked. Still on the hunt for a global solution rather than entering suppression rules all the time, which furthermore cannot take advantage of an Object group>

An update to this: I have a TAC case raised. I've tried creating correlation rules to stop email alerting and this has not worked either. Should hear back from TAC today, who are labbing and testing also.
