02-14-2002 08:56 AM - edited 03-10-2019 01:22 PM
I am using CSPM 2.3.3i to monitor my IDSM modules version 3.0(3)S10. I setup an advanced filter to block DNS signature (6053) from a single IP address to any. I save the policy and reload the database and the filter does not block the signature.
02-14-2002 11:53 AM
Have you also approved the new configuration? The filter is in a configuration file that has to be sent to the IDSM.
If you have approved then you can check the packetd.conf file on the IDSM to see if it was written to the IDSM configuration file.
To view packetd.conf:
1) Login to the IDSM cli
2) go into diag mode
3) execute the "report systemstatus" command
You will need to provide login information for an ftp server.
The report command will generate an html based report of config files, error files, etc. for the sensor and then ftp that html file to your ftp server.
Then you can download that html file from the ftp server to your personal desktop and open it with a web browser.
There should be a link in the table of contents for configuration files.
Find the packetd.conf file and look for a line similar to:
RecordOfExcludedPattern 6053 * ipaddress *
If the line is there, and the IDSM is still generating alarms then you may have found a new bug we didn't know about.
You will need to send this report file as well as the output of the "show event current" command from the diag mode which shows the 6053 alarm firing for that signature, to the TAC. They can then forward it to development for them to look at and try to replicate and create a DDTS Issue if necessary.
If the line is not there, then CSPM has not pushed the filter to the IDSM.
Revalidate your changes and push a new configuration.
If it still doesn't appear, then call the TAC. It could be an issue with CSPM itself.
Worst case workaround:
Instead of using the advanced filter window you can manually enter the RecordOfExcludedPattern line into the Epilogue for the IDSM. This will add the line to the end of packetd.conf.
Of course, you will then Save and Update the database and Approve a new config to the IDSM.
Then use "report systemstatus" to verify that the config line made it into packetd.conf.
Please let me know what you find out.
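The verification step in the answer above (search the packetd.conf section of the "report systemstatus" output for the RecordOfExcludedPattern line) can be automated. The following is an added example, not code from the thread or from Cisco: it parses a saved packetd.conf dump and reports whether the exclusion line CSPM should have written is actually present. The field layout (signature, sub-signature, source address, destination address) is an assumption based on the single line quoted in the answer, with `*` treated as a wildcard; the sample config text and the 192.0.2.10 address are constructed for the example.

```python
"""Check a packetd.conf dump for the RecordOfExcludedPattern line that a
CSPM advanced filter should have produced.

Added example, not part of the original thread and not Cisco code.
Assumption: each record is
    RecordOfExcludedPattern <signature> <subsig> <source> <destination>
with '*' meaning "any" in a field. This layout is inferred from the one
line quoted in the answer and is not taken from product documentation.
"""

from dataclasses import dataclass
from typing import List, Tuple

RECORD_KEYWORD = "RecordOfExcludedPattern"


@dataclass(frozen=True)
class ExcludedPattern:
    signature: str
    subsig: str
    source: str
    dest: str


def parse_excluded_patterns(conf_text: str) -> Tuple[List[ExcludedPattern], List[str]]:
    """Return (well-formed exclusion records, malformed record lines).

    Malformed lines are reported separately because a hand-typed Epilogue
    entry with the wrong number of fields would otherwise look identical to
    a filter that CSPM never pushed at all.
    """
    patterns: List[ExcludedPattern] = []
    malformed: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != RECORD_KEYWORD:
            continue
        if len(fields) != 5:
            malformed.append(line)
            continue
        patterns.append(ExcludedPattern(*fields[1:]))
    return patterns, malformed


def filter_present(conf_text: str, signature: int, source: str,
                   dest: str = "*", subsig: str = "*") -> bool:
    """True if an exact exclusion record for this signature/source exists."""
    wanted = ExcludedPattern(str(signature), subsig, source, dest)
    patterns, _ = parse_excluded_patterns(conf_text)
    return wanted in patterns


# Constructed sample dumps: before and after the filter was pushed.
# Only the RecordOfExcludedPattern lines matter; the other lines stand in
# for unrelated packetd.conf content.
CONF_BEFORE_PUSH = """\
# packetd.conf (constructed sample)
SomeOtherSetting 1
"""

CONF_AFTER_PUSH = """\
# packetd.conf (constructed sample)
SomeOtherSetting 1
RecordOfExcludedPattern 6053 * 192.0.2.10 *
RecordOfExcludedPattern 6053 192.0.2.99
"""


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE_PUSH), ("after", CONF_AFTER_PUSH)):
        ok = filter_present(conf, 6053, "192.0.2.10")
        _, bad = parse_excluded_patterns(conf)
        print(f"{label}: filter for 6053 from 192.0.2.10 present={ok}, malformed={bad}")
```

Run it against the packetd.conf text copied out of the report: a False result means the filter never reached the sensor (revalidate and push again, as the answer suggests), while a non-empty malformed list points at a mistyped Epilogue line rather than a CSPM push problem.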
02-15-2002 08:26 AM
I checked the packetd.conf and the entries were not there. I had to send them to the IDSM 2 more times and then they were there. They are working now, thanks.