Re: Signature tuning and alert summaries

droberts29 · ‎07-10-2006

Some signatures, let's use 5769 (Malformed HTTP Request) as an example, perform event summarization. If I apply an event action filter to the signature to tune out FP's coming from a specific host, the individual events indeed go away, but the summary events still flood my logs.

I'm looking for some advice on good practice for eliminating both the individual events AND the summary events when I'm tuning these sigs with event summarization. Editing the signature itself is the only way I've found, which I don't really like. Any comments would be appreciated.

Thanks

leon.mflai · ‎08-03-2006

Hi, in our practice for IPS sensor case, we edit the signature itself to reduce the alert frequency. Following is one example. We tried in this way and so far false-positive alarms are reduced unless it is a out-break of the alerts.

SID: 12673: Recognized content type

Recommended Changes:

Event Count: 6000

Event Counter Key: Attacker Address

Specify Alert Interval: Yes/60 seconds

mhellman · ‎08-03-2006

I've seen this question asked numerous times and don't recall ever seeing a good answer from a Cisco representative. Can someone from Cisco provide some input? Is there an existing bugid?

john.stephens · ‎11-07-2006

I'm still looking for any answer to this same question. This behavior doesn't seem correct since the sig event action filter is processes to subtract the event before the summary event filter. Does anyone know if this is a bug or if Cisco has responded on this topic? I couldn't find anything.

droberts29 · ‎11-17-2006

I ended up talking with TAC about this.. turns out that since the event summarizer produces alerts for multiple hosts, the attacker (or victim) is listed as 0.0.0.0. If the filter is not set to eliminate events from ANY ip address, then it will let those summaries through as well. This is a design flaw in my estimation.. Cisco seems to realize this is a limitation, but no fix is available.