
IDS 4.1 event filters

5creedus
Level 1

How would I configure an event filter for SIGID 4003 so that traffic from source IP A.B.C.D with source port 53, to any destination IP and any destination port, is filtered and therefore excluded?

4 Replies

a.arndt
Level 3

I know how to do this using IDM. Here goes...

1) Access IDM via a browser (for example, https://)

2) Use a username/password pair with administrative privileges

3) Left-click "Configuration" at the top of the page

4) Left-click "Sensing Engine" when it appears

5) Left-click "Event Filters" in the TOC menu when it appears

6) Left-click "Add" at the bottom of the page

7) In the "SIGID" field, put 4003 (or whatever signature you wish to build the exclusion for)

8) In the "SubSig" field, place a Sub-signature number if required. Otherwise, leave it as a "*"

9) Leave the "Exception" check box empty

10) In the "SrcAddrs" field, input the IP you wish to ignore (for example, A.B.C.D)

11) In the "DstAddrs" field, leave the default "*", since you don't care which destination is involved for this particular source IP

12) Left-click "Apply to Sensor"

13) Confirm the details are correct in the resulting page and then left-click "Save Changes" icon near the top right-hand corner of the page

14) Enjoy the silence...

BTW, you cannot filter a specific source host based on a specific source port. You'll have to choose to ignore all Nmap-like activity that may originate from your chosen source IP.

Assuming that this is in fact a DNS server, however, this is an acceptable risk to assume, since you would likely see other signs of compromise besides outbound Nmap scans in the event that someone owns your DNS server.

I hope this helps,

Alex Arndt
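The caveat in the reply above (a 4.1 event filter has no port field, so excluding a source IP silences every SIGID 4003 alarm from that host, not just the port-53 ones) is easy to see in a small model of how such a filter matches events. The code below is an added illustration, not Cisco's code and not something any poster supplied; the field names, the `N-M` port-range syntax, the meaning of the "Exception" box (assumed here to mean "never filter matching events") and the sample events are all assumptions constructed for the example. It also models the 5.x-style filter with port fields that a later reply mentions, to show the difference in what gets suppressed.

```python
# Added example: simplified model of IDS event-filter matching (not Cisco's code).
# Assumed semantics: '*' is a wildcard; addresses may be a host or CIDR;
# an "exception" filter exempts matching events from suppression.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sigid: int
    subsig: int
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(pattern: str, addr: str) -> bool:
    """'*' matches anything; otherwise accept a host or CIDR pattern."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    """'*' matches anything; otherwise 'N' or 'N-M' (assumed syntax)."""
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class EventFilter:
    sigid: int
    subsig: str = "*"
    src_addrs: str = "*"
    dst_addrs: str = "*"
    src_ports: str = "*"      # only honoured when the sensor supports port fields
    dst_ports: str = "*"
    exception: bool = False   # assumed: True means "never filter matching events"

    def matches(self, ev: Event, ports_supported: bool) -> bool:
        if ev.sigid != self.sigid:
            return False
        if self.subsig != "*" and ev.subsig != int(self.subsig):
            return False
        if not (_addr_match(self.src_addrs, ev.src) and _addr_match(self.dst_addrs, ev.dst)):
            return False
        # A 4.1-style sensor ignores the port fields entirely.
        if ports_supported and not (
            _port_match(self.src_ports, ev.sport) and _port_match(self.dst_ports, ev.dport)
        ):
            return False
        return True


def suppressed(filters, ev: Event, ports_supported: bool) -> bool:
    """True if the event would be dropped; an exception filter overrides suppression."""
    hits = [f for f in filters if f.matches(ev, ports_supported)]
    if any(f.exception for f in hits):
        return False
    return bool(hits)


def remaining_alarms(filters, events, ports_supported: bool):
    """Events that would still reach the console after filtering."""
    return [ev for ev in events if not suppressed(filters, ev, ports_supported)]


# Constructed sample data: 192.0.2.10 stands in for the A.B.C.D DNS server.
DNS_SERVER = "192.0.2.10"
EVENTS = [
    Event(4003, 0, DNS_SERVER, 53, "198.51.100.7", 40000),     # DNS answers from port 53
    Event(4003, 0, DNS_SERVER, 44123, "198.51.100.7", 22),     # same host, non-DNS port
    Event(4003, 0, "203.0.113.9", 53, "198.51.100.7", 40000),  # a different source host
]

# 4.1-style filter: SIGID + SrcAddrs only, as in the IDM steps above.
FILTER_41 = EventFilter(sigid=4003, src_addrs=DNS_SERVER)
# 5.x-style filter: the same, narrowed to source port 53.
FILTER_5X = EventFilter(sigid=4003, src_addrs=DNS_SERVER, src_ports="53")

if __name__ == "__main__":
    print("4.1 filter leaves:", remaining_alarms([FILTER_41], EVENTS, ports_supported=False))
    print("5.x filter leaves:", remaining_alarms([FILTER_5X], EVENTS, ports_supported=True))
```

Running it shows the trade-off the reply describes: the 4.1-style filter drops both events from the DNS host (the port-53 answers and the non-DNS-port activity), while the port-aware filter drops only the port-53 event and still reports the other one.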

Yes it does. I got the CLI commands working to do just as you outlined using IDM. I just was not sure if filtering on a specific source port is available. I'll configure the filter based on source IP as you stated.

Filtering on ports is added in version 5.0.

Sweet! I guess I need to remember to state what version my instructions work with...

I happily stand corrected, at least where version 5.x is involved.

Alex Arndt
