02-14-2009 02:17 AM
Hi, I know that to have selective events from devices, the logging level can be played with on the reporting devices themselves; however, in the case of IPS, I want to send only events for particular signatures matching. Can it be done on the IPS, or do I need to enable/disable rules in MARS?
02-15-2009 02:12 AM
Hi,
Stopping events from being fired on the IPS is better; MARS will not have to process the unwanted events.
You have to select the signatures that you want to fire, go to Edit Actions and check the Produce Alert field. Uncheck this field on the undesired signatures.
Or you can create a Drop rule in MARS in which you select the undesired events from the IPS.
Stelian
02-15-2009 02:16 AM
Well you could either disable those rules in MARS (pretty tiresome), or subtract the 'produce alert' action using 'event action filters' in IPS.
Or you could select all signatures in the IPS GUI, right click to modify actions, remove the produce alert action at once from all of them. Then add 'Produce Alert' for the desired signatures only.
Regards
Farrukh
02-16-2009 08:30 AM
This is correct, but I'm curious as to why the original poster wants to disable visibility into security issues on their network with the exception of certain signatures.
It would be far better to properly tune out any remaining false positives and allow the IPS to do what it was designed to do.
An example would be to tune signature 3030 to fire on a count of 3 instead of 1.
Raymond
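To make the difference between the two approaches in this thread concrete, here is a small added simulation (not code from the thread, and not Cisco IPS or MARS code). It models an event action filter that strips the produce-alert action from every signature except an allow-list, and a per-signature count threshold in the spirit of tuning signature 3030 to fire on a count of 3. The event list, the attacker addresses and the signature IDs other than 3030 are constructed sample data, and the counting model is a simplification, not the sensor's actual summarization logic.

```python
"""Added example: blanket alert suppression vs. count-based tuning for IPS events.

Constructed sample data throughout; signature IDs other than 3030 are made up
and do not refer to real Cisco signatures.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    sig_id: int          # signature that fired on the sensor
    attacker: str        # source address reported by the sensor
    # actions the sensor would take; only produce-alert matters here
    actions: frozenset = field(default_factory=lambda: frozenset({"produce-alert"}))


# Constructed event stream: one noisy signature (3030) plus two others.
SAMPLE_EVENTS = [
    Event(3030, "10.0.0.5"),
    Event(1234, "10.0.0.5"),      # constructed ID, would be silenced by a blanket filter
    Event(3030, "10.0.0.5"),
    Event(5678, "192.168.1.9"),   # constructed ID, likewise silenced
    Event(3030, "10.0.0.5"),
    Event(3030, "172.16.4.2"),    # single hit from a second host
]


def apply_action_filter(events, keep_alert_for):
    """Remove produce-alert from every signature not in keep_alert_for.

    Models the 'event action filter' approach: the signature still fires on
    the sensor, but nothing is sent on to the SIEM (MARS in the thread).
    """
    out = []
    for ev in events:
        if ev.sig_id in keep_alert_for:
            out.append(ev)
        else:
            out.append(Event(ev.sig_id, ev.attacker, ev.actions - {"produce-alert"}))
    return out


def alerts_with_count_threshold(events, thresholds):
    """Alert only when a signature has fired `threshold` times from one attacker.

    Signatures without a configured threshold alert on the first hit. The
    per-attacker counter resets after alerting so a later burst alerts again.
    Returns the events that actually produced an alert.
    """
    counts = defaultdict(int)
    alerted = []
    for ev in events:
        if "produce-alert" not in ev.actions:
            continue                      # alert action already filtered away
        key = (ev.sig_id, ev.attacker)
        counts[key] += 1
        if counts[key] == thresholds.get(ev.sig_id, 1):
            alerted.append(ev)
            counts[key] = 0
    return alerted


def alerting_pairs(events):
    """(sig_id, attacker) for every event that still carries produce-alert."""
    return [(ev.sig_id, ev.attacker) for ev in events if "produce-alert" in ev.actions]


def compare_approaches(events=SAMPLE_EVENTS):
    """Return what reaches the SIEM under each approach, for side-by-side reading."""
    blanket = alerting_pairs(apply_action_filter(events, keep_alert_for={3030}))
    tuned = alerting_pairs(alerts_with_count_threshold(events, thresholds={3030: 3}))
    return {"blanket_filter": blanket, "count_threshold": tuned}


if __name__ == "__main__":
    for name, alerts in compare_approaches().items():
        print(f"{name}: {alerts}")
```

Run stand-alone, the blanket filter forwards all four 3030 hits and nothing else, so the two other signatures disappear from the SIEM entirely. The count threshold forwards the other signatures untouched and collapses the three 3030 hits from 10.0.0.5 into one alert while dropping the lone hit from 172.16.4.2, which is the point Raymond makes about tuning rather than suppressing.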