03-16-2005 10:38 AM - edited 03-10-2019 01:20 AM
How would I configure an event filter for SIGID 4003 so that events from source IP A.B.C.D with source port 53, to any destination IP and any destination port, are filtered out and excluded?
03-16-2005 11:32 AM
I know how to do this using IDM. Here goes...
1) Access IDM via a browser (for example, https://
2) Use a username/password pair with administrative privileges
3) Left-click "Configuration" at the top of the page
4) Left-click "Sensing Engine" when it appears
5) Left-click "Event Filters" in the TOC menu when it appears
6) Left-click "Add" at the bottom of the page
7) In the "SIGID" field, put 4003 (or whatever signature you wish to build the exclusion for)
8) In the "SubSig" field, place a Sub-signature number if required. Otherwise, leave it as a "*"
9) Leave the "Exception" check box empty
10) In the "SrcAddrs" field, input the IP you wish to ignore (for example, A.B.C.D)
11) In the "DstAddrs" field, leave the default "*", since you don't care which destination is involved for this particular source IP
12) Left-click "Apply to Sensor"
13) Confirm the details are correct in the resulting page and then left-click the "Save Changes" icon near the top right-hand corner of the page
14) Enjoy the silence...
BTW, you cannot filter a specific source host based on a specific source port. You'll have to choose to ignore all Nmap-like activity that may originate from your chosen source IP.
Assuming that this is in fact a DNS server however, this is an acceptable risk to assume, since you would likely see other signs of compromise besides outbound Nmap scans in the event that someone owns your DNS server.
I hope this helps,
Alex Arndt
03-16-2005 01:56 PM
Yes it does. I got the CLI commands working to do just as you outlined using IDM. I just was not sure if filtering on a specific source port is available. I'll configure the filter based on source IP as you stated.
03-17-2005 09:00 AM
Filtering on ports is added in version 5.0.
03-20-2005 07:25 AM
Sweet! I guess I need to remember to state what version my instructions work with...
I happily stand corrected, at least where version 5.x is involved.
Alex Arndt
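To make the trade-off in the thread concrete (the source-IP-only filter from the IDM steps and caveat above, and the source-port filtering that the later reply says arrives in version 5.0), here is an added example that models how such an event filter suppresses alerts. It is not code from the thread or from any Cisco product; the field names (sig_id, sub_sig, src_addrs, dst_addrs, src_ports), the sensor_version switch and the sample alerts are assumptions constructed for illustration, and the matching is a simplification rather than the sensor's real logic.

```python
# Added example: a small model of event-filter matching, not Cisco's implementation.
# Field names mirror the IDM form but are assumptions; the pre-5.0 behaviour of
# ignoring port fields stands in for the thread's caveat about source ports.
from ipaddress import ip_address, ip_network

def _match_ip(pattern, ip):
    """'*' matches anything; otherwise a single host or a CIDR network."""
    return pattern == "*" or ip_address(ip) in ip_network(pattern, strict=False)

def _match_num(pattern, value):
    """'*' matches anything; otherwise an exact numeric match."""
    return pattern == "*" or int(pattern) == int(value)

def filter_matches(flt, event, sensor_version=4):
    """True if the filter would suppress this event.
    Pre-5.0 sensors (modelled here) ignore the port field entirely."""
    if not _match_num(flt["sig_id"], event["sig_id"]):
        return False
    if not _match_num(flt.get("sub_sig", "*"), event.get("sub_sig", 0)):
        return False
    if not _match_ip(flt.get("src_addrs", "*"), event["src_ip"]):
        return False
    if not _match_ip(flt.get("dst_addrs", "*"), event["dst_ip"]):
        return False
    if sensor_version >= 5 and not _match_num(flt.get("src_ports", "*"), event["src_port"]):
        return False
    return True

def apply_filters(filters, events, sensor_version=4):
    """Return the events that survive every filter, i.e. would still alert."""
    return [e for e in events
            if not any(filter_matches(f, e, sensor_version) for f in filters)]

# Constructed sample alerts; 192.0.2.53 stands in for the thread's A.B.C.D.
EVENTS = [
    {"sig_id": 4003, "src_ip": "192.0.2.53", "src_port": 53,    "dst_ip": "198.51.100.10"},
    {"sig_id": 4003, "src_ip": "192.0.2.53", "src_port": 40000, "dst_ip": "198.51.100.10"},
    {"sig_id": 4003, "src_ip": "192.0.2.99", "src_port": 53,    "dst_ip": "198.51.100.10"},
    {"sig_id": 2004, "src_ip": "192.0.2.53", "src_port": 53,    "dst_ip": "198.51.100.10"},
]
# The filter the thread builds (source IP only) beside a 5.0-style one (source port added).
FILTER_4X = {"sig_id": "4003", "sub_sig": "*", "src_addrs": "192.0.2.53", "dst_addrs": "*"}
FILTER_5X = dict(FILTER_4X, src_ports="53")

if __name__ == "__main__":
    for version, flt in ((4, FILTER_4X), (5, FILTER_5X)):
        kept = apply_filters([flt], EVENTS, version)
        print(f"version {version}: {len(kept)} of {len(EVENTS)} alerts still fire")
```

The second sample alert (same host, non-DNS source port) is silenced by the 4.x-style filter but still fires under the port-aware one, which is exactly the visibility the source-IP-only exclusion gives up.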