Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
528
Views
5
Helpful
4
Replies

IDS 4.1 event filters

5creedus
Level 1
Level 1

‎03-16-2005 10:38 AM - edited ‎03-10-2019 01:20 AM

How would I configure an event filter for SIGID 4003 so that the source IP of A.B.C.D when the source port is 53 to any destination IP any destination port is filtered so it is excluded.

Labels:
0 Helpful
4 Replies 4

a.arndt
Level 3
Level 3

‎03-16-2005 11:32 AM

I know how to do this using IDM. Here goes...

1) Access IDM via a browser (for example, https://)

2) Use a username/password pair with administrative privileges

3) Left-click "Configuration" at the top of the page

4) Left-click "Sensing Engine" when it appears

5) Left-click "Event Filters" in the TOC menu when it appears

6) Left-click "Add" at the bottom of the page

7) In the "SIGID" field, put 4003 (or whatever signature you wish to build the exclusion for)

8) In the "SubSig" field, place a Sub-signature number if required. Otherwise, leave it as a "*"

9) Leave the "Exception" check box empty

10) In the "SrcAddrs" field, input the IP you wish to ignore (for example, A.B.C.D)

11) In the "DstAddrs" field, leave the default "*", since you don't care which destination is involved for this particular source IP

12) Left-click "Apply to Sensor"

13) Confirm the details are correct in the resulting page and then left-click "Save Changes" icon near the top right-hand corner of the page

14) Enjoy the silence...

BTW, you cannot filter a specific source host based on a specific source port. You'll have to choose to ignore all Nmap-like activity that may originate from your chosen source IP.

Assuming that this is in fact a DNS server however, this is an acceptable risk to assume, since you would likely see other signs of compromise besides outbound Nmap scans in the event that someone owns your DNS server.

I hope this helps,

Alex Arndt

5creedus
Level 1
Level 1
In response to a.arndt

‎03-16-2005 01:56 PM

Yes it does. I got the CLI commands working to do just as you outlined using IDM. I just was not sure if flitering on a specific source port is available. I'll configure the filter based on source IP as you stated.

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to 5creedus

‎03-17-2005 09:00 AM

Filtering on ports is added in version 5.0.

0 Helpful

a.arndt
Level 3
Level 3
In response to marcabal

‎03-20-2005 07:25 AM

Sweet! I guess I need to remember to state what version my instructions work with...

I happily stand corrected, at least where version 5.x is involved.

Alex Arndt

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card