tuning 3883 by attacker IP

slug420
Level 1

How can I tune sig 3883 by attacker IP? Our VMS server is triggering this alert when it hits Cisco (probably for sig updates), so I want to tune the sig so it ignores alerts from the VMS server.

I don't see an option under "tune" for that signature for the attacker or victim IPs.

mhellman
Level 7

You don't need to tune the signature; you need to create an event action filter.

I was looking in that area but did not see a way that the event action filter could generate no event, or an event of a lower severity level than was set on the signature itself. All that looked to let me do was tell it what action to take, i.e. shun, block, reset, alarm, etc.

I want it to do nothing if it is an attacker IP of x.x.x.x or s.s.s.s

Event action filters are used to subtract actions (not add) based on the filtering criteria. It's very clear when directly managing the sensor; it may not be so clear in VMS. So, you need to create an event action filter for that attacker IP.

As far as lowering the severity... the only way to do that is by modifying the specific signature.
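
A simplified model of the subtractive behaviour described in the last reply, added here as an illustration; it is not Cisco's code or sensor configuration and not part of any post in this thread. The class and function names, the severity value and the addresses (192.0.2.10 standing in for the VMS server) are assumptions made for the example.

```python
"""Simplified model of subtractive event action filtering (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Event:
    sig_id: int
    severity: str          # set on the signature; filters never touch it
    attacker: str
    actions: frozenset     # actions configured on the signature


@dataclass(frozen=True)
class ActionFilter:        # hypothetical name, models one filter entry
    sig_id: int
    attacker_first: str    # inclusive attacker address range
    attacker_last: str
    actions_to_remove: frozenset

    def matches(self, ev: Event) -> bool:
        addr = ip_address(ev.attacker)
        in_range = (ip_address(self.attacker_first) <= addr
                    <= ip_address(self.attacker_last))
        return ev.sig_id == self.sig_id and in_range


def apply_filters(ev: Event, filters) -> Event:
    """Return the event with every matching filter's actions subtracted."""
    remaining = set(ev.actions)
    for f in filters:
        if f.matches(ev):
            remaining -= f.actions_to_remove   # subtract only, never add
    return Event(ev.sig_id, ev.severity, ev.attacker, frozenset(remaining))


def raises_alert(ev: Event) -> bool:
    return "produce-alert" in ev.actions


# Constructed sample data: 192.0.2.10 stands in for the VMS server.
SIG_ACTIONS = frozenset({"produce-alert", "reset-tcp-connection"})
FILTERS = [ActionFilter(3883, "192.0.2.10", "192.0.2.10", SIG_ACTIONS)]
vms_event = Event(3883, "high", "192.0.2.10", SIG_ACTIONS)
other_event = Event(3883, "high", "198.51.100.7", SIG_ACTIONS)

if __name__ == "__main__":
    for ev in (vms_event, other_event):
        out = apply_filters(ev, FILTERS)
        print(ev.attacker, sorted(out.actions), out.severity, raises_alert(out))
```

Removing every action for the matching attacker address leaves nothing to fire for the VMS server, while the same signature still alerts for any other source; the severity field is untouched in both cases.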