Configuration>Sensing Engine>Data Sources

seba
Level 1

What's the purpose of this feature?

I would like to know the way to limit the IP address that may trigger an alarm. My IDS is scanning a network where there are a lot of hosts and I only want to detect certain attacks (let's say those ones belonging to 192.168.1.0/24 but not 192.168.2.0/24).

3 Replies

pbaussmann
Level 1

From what you've written I'm guessing you want to use: Configuration>Sensing Engine>Filtered Signatures

As an example you could enter in the destination of 192.168.1.0/24 and put in asterisks for every other field (source, sig, sub-sig).

Is this what you're after?

Just so you know, the Data Sources are the IP addresses of Cisco Routers that are sending syslog messages to the sensor. The sensor can then generate alarms from the syslog messages when ACL denials occur. The alarm generated is the 10000 Policy Violation alarm.

Most users do not use this feature, and it will not help in what you are trying to accomplish. The method described by seba is the method to use.

That's right

Thank you very much
