Filters not working on CSPM

mjhagen
Level 1

I am using CSPM 2.3.3i to monitor my IDSM modules version 3.0(3)S10. I setup an advanced filter to block DNS signature (6053) from a single IP address to any. I save the policy and reload the database and the filter does not block the signature.

2 Replies

marcabal
Cisco Employee

Have you also approved the new configuration? The filter is in a configuration file that has to be sent to the IDSM.

If you have approved then you can check the packetd.conf file on the IDSM to see if it was written to the IDSM configuration file.

To view packetd.conf:

1) Login to the IDSM cli

2) go into diag mode

3) execute the "report systemstatus" command

You will need to provide login information for an ftp server.

The report command will generate an html based report of config files, error files, etc. for the sensor and then ftp that html file to your ftp server.

Then you can download that html file from the ftp server to your personal desktop and open it with a web browser.

There should be a link in the table of contents for configuration files.

Find the packetd.conf file and look for a line similar to:

RecordOfExcludedPattern 6053 * ipaddress *

If the line is there, and the IDSM is still generating alarms then you may have found a new bug we didn't know about.

You will need to send this report file as well as the output of the "show event current" command from the diag mode which shows the 6053 alarm firing for that signature, to the TAC. They can then forward it to development for them to look at and try to replicate and create a DDTS Issue if necessary.

If the line is not there, then CSPM has not pushed the filter to the IDSM.

Revalidate your changes and push a new configuration.

If it still doesn't appear, then call the TAC. It could be an issue with CSPM itself.

Worst case workaround:

Instead of using the advanced filter window you can manually enter the RecordOfExcludedPattern line into the Epilogue for the IDSM. This will add the line to the end of packetd.conf.

Of course, you will then Save and Update the database and Approve a new config to the IDSM.

Then use "report systemstatus" to verify that the config line made it into packetd.conf.

Please let me know what you find out.
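A small checker for the verification step above, added here as an example and not part of the original thread or any Cisco tool. It assumes the field order of the line quoted in the reply (RecordOfExcludedPattern, signature ID, a second field shown as "*", source address, destination) and runs against a constructed packetd.conf excerpt rather than a real sensor's file.

```python
import re
from typing import List, Optional, Tuple

# Constructed packetd.conf excerpt, as it might appear in the configuration-files
# section of a "report systemstatus" HTML report. Not taken from a real sensor.
SAMPLE_PACKETD_CONF = """\
# packetd.conf excerpt (constructed for this example)
RecordOfInternalAddress 10.1.1.0 255.255.255.0
RecordOfExcludedPattern 6053 * 10.1.1.25 *
RecordOfExcludedPattern 3030 * 192.168.0.7 *
"""

# One exclusion per line: keyword followed by four whitespace-separated fields.
# The second field is kept verbatim but not interpreted (the thread only shows "*").
_EXCLUDE_RE = re.compile(
    r"^\s*RecordOfExcludedPattern\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

Pattern = Tuple[str, str, str, str]  # (sig_id, field2, source, destination)


def excluded_patterns(conf_text: str) -> List[Pattern]:
    """Return every RecordOfExcludedPattern entry found in the config text."""
    found: List[Pattern] = []
    for line in conf_text.splitlines():
        m = _EXCLUDE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return found


def filter_present(conf_text: str, sig_id: str, source: str,
                   destination: str = "*") -> Optional[Pattern]:
    """Return the matching exclusion line if the sensor config carries an
    exclusion for sig_id from `source` to `destination`, else None.
    A destination of "*" in the file matches any requested destination."""
    for pat in excluded_patterns(conf_text):
        p_sig, _, p_src, p_dst = pat
        if p_sig == sig_id and p_src == source and p_dst in ("*", destination):
            return pat
    return None


if __name__ == "__main__":
    hit = filter_present(SAMPLE_PACKETD_CONF, "6053", "10.1.1.25")
    print("filter pushed to sensor" if hit else "filter NOT in packetd.conf; re-push config")
```

If the function returns None for the signature and address you configured in CSPM, the filter never reached the IDSM and the configuration needs to be revalidated and approved again, as the reply describes.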

I checked the packetd.conf and the entries were not there. I had to send them to the IDSM 2 more times and then they were there. They are working now, thanks.