Re: How to ignore signature from specific source port ?

essam75 · ‎07-30-2003

Hi all ,

I have a problem here , I need to ignore a specific signature from specific network , I know how to do this , but I need to ignore it if coming from specific source port . Does anybody know to do this ?

Thanks for your help

essam75 · ‎07-30-2003

Sorry , I forgot to mention I have Cisco IDS 4230 version 3.1(3)S49 .

csthomas · ‎07-31-2003

x

essam75 · ‎08-03-2003

Hi all,

does anybody have solution to this ? or this can't be done on cisco IDS ?

Thanks

kentanu · ‎08-03-2003

Hi.

F.Y.I.

In packetd.conf, there's a section "# Excluded events" which

I think you can specify if you take that sig or not depending on

Source IP address/Network and Destination IP address/Network.

RecordOfExcludedAddress SigID SubSigID SrcIP/Network

RecordOfExcludedPattern SigID SubSigID SrcIP/Network DstIP/Network

And when you look into the Cisco online manual

http://www.cisco.com/en/US/products/sw/secursw/ps5052/prod_technical_reference09186a00800d9dd5.html#74373

There you can find "Included" also. such as below.

RecordOfIncludedAddress SigID SubSigID SrcIP

RecordOfIncludedPattern SigID SubSigID SrcIP DstIP

Appologize if you've already had this info.

Best Regards,

Kentanu

--

brecore · ‎10-29-2003

I have asked this same question. The answers I have received were that it cannot be done. I am running version 4.1. I was told by Cisco that this should be pushed through our sales team to get it implemented in future releases.

darin.marais · ‎10-30-2003

refer to the tread:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea2bfa