filter is not working in TOC of VMS 2.2

fengluo

I created a filter rule in TOC to suppress some false positives on a ids sensor, the event still shows up, what else I have to check to resolve the problem?


dblairii

I may be stating the obvious here, but you need to compare the packet(s) that triggered the event with the filter rules that you created to exclude it. (Without details of the custom filter and the signature it is hard to tell)

I am getting the event "eventId=1079416621888497871 hostId=******* appName=sensorApp appInstanceId=1104 tmOffset=60 tmTimeZone=EST tmTime=1087315812477 severity=5 alertDetails="Traffic Source: int0 ; " sigId=4003 sigName="Nmap UDP Port Sweep" version=S65 src=170.146.77.220 srcDir=IN srcport=53 dst=192.168.100.17 dstDir=IN dstport=2899"

Since 170.146.77.220 is a name server, the event is a false positive.

The filter looks like this,

Filter Name  Action   Signatures  Subsignatures      Sources         Destinations
filter4      Exclude  4003        All Subsignatures  170.146.77.220  Any

Hi,

my understanding is you should not use Exclude for the filter definition.

Exclude means a filter exception, i.e. alarms which are NOT filtered out.

Regards,

Milan

The other option there is Include. I tried both, did not work.

Include should work.

Are you sure you downloaded the filter successfully to the sensor?

Try to use

sh config | incl Filter

CLI command.

It should show you the filters configured on the sensor.

Regards,

Milan

I cannot see the filter on the sensor, what should I do? How can I edit the filter on the sensor?

You can edit the filter on the sensor through CLI or IDM.

Connect to your sensor via its C&C interface with your browser at this address 'https://'

After you log in click on "Configuration" -> "Sensing Engine" -> "Event Filters".

This should bring up a current list of your filters. From this location you can Edit or Add a filter.

Hope that helps.

Don

My VMS cannot push the filter down to the sensor, is this a known issue with version 2.2?

Honestly, I have little faith in VMS. I only use VMS to push signature updates to my sensors.

Any configuration changes that are necessary I utilize IDM or CLI on each sensor individually (50+). It isn't the sexiest way to manage config changes, but it is reliable and predictable.

I just had an issue with trying to view existing sensor filters through VMS and discovered from TAC that if you use variables in your filter definitions that you can't use VMS.

I have requisitioned (on order) ActiveState's TCL/Expect Dev kit to start creating my own sensor management tools out of necessity. I will eventually post information about how that all is working for me.

To add to what Milan said....

A filter that is set WITHOUT the 'Exclude' option enabled is designed to REMOVE (filter out) events.

When you set a filter with 'Exclude' ENABLED, it is generally set in conjunction with a 'non-excluded' filter.

In other words you could say I want to filter out all of the following 'a-z'.... and then with an exclude statement.... BUT, I don't want to filter 'x'.

You have essentially included what you wanted to remove by setting your filter with 'Exclude' enabled.
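To make the Exclude semantics described in these replies concrete, here is an added Python model (not Cisco's sensor code; the matching rule is an assumption drawn from the thread) run against the event record and the filter4 definition quoted above:

```python
import re
from dataclasses import dataclass

# The event record quoted in the thread (hostId masked as in the post).
EVENT_LINE = ('eventId=1079416621888497871 hostId=******* appName=sensorApp '
              'appInstanceId=1104 severity=5 alertDetails="Traffic Source: int0 ; " '
              'sigId=4003 sigName="Nmap UDP Port Sweep" version=S65 src=170.146.77.220 '
              'srcDir=IN srcport=53 dst=192.168.100.17 dstDir=IN dstport=2899')

def parse_event(line):
    """Turn the key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

@dataclass
class EventFilter:
    name: str
    sig_ids: frozenset       # signature IDs the filter applies to
    sources: frozenset       # {'Any'} or specific source addresses
    destinations: frozenset  # {'Any'} or specific destination addresses
    exclude: bool = False    # True = exception to other filters, not a suppression

    def matches(self, ev):
        return (int(ev['sigId']) in self.sig_ids
                and ('Any' in self.sources or ev['src'] in self.sources)
                and ('Any' in self.destinations or ev['dst'] in self.destinations))

def is_suppressed(ev, filters):
    """Assumed rule from the thread: drop the event if a non-Exclude filter
    matches it and no Exclude filter matches it."""
    matching = [f for f in filters if f.matches(ev)]
    if any(f.exclude for f in matching):
        return False
    return any(not f.exclude for f in matching)

def run_cases():
    ev = parse_event(EVENT_LINE)
    sig, ns = frozenset({4003}), frozenset({'170.146.77.220'})
    any_ = frozenset({'Any'})
    as_posted = EventFilter('filter4', sig, ns, any_, exclude=True)
    corrected = EventFilter('filter4', sig, ns, any_, exclude=False)
    # The 'a-z but not x' pattern: drop every 4003 alert except those from the name server.
    broad = EventFilter('all4003', sig, any_, any_)
    return {
        'as_posted': is_suppressed(ev, [as_posted]),                    # False: still shown
        'corrected': is_suppressed(ev, [corrected]),                    # True: dropped
        'broad_with_exception': is_suppressed(ev, [broad, as_posted]),  # False: excepted
        'broad_alone': is_suppressed(ev, [broad]),                      # True: dropped
    }
```

Running run_cases() shows the posted filter (Exclude enabled) leaving the alert visible, while the same definition without Exclude suppresses it.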