Creating Event Action Filters

Mar 21st, 2007

Does anyone have a reference for understanding how to create Event Action Filters? I had a filter in place to remove the false positives created by my Proxy servers and the rule has disappeared. I still have the $HTTP_PROXY variable just no rule.


I created a filter to subtract the Produce Alert action from the 3030 signature ID, matching the $HTTP_PROXY attacker address and keeping the generic victim address. It seems to be working but I am not sure if that is the correct way.


I have also been given recommendations that this is not correct and should use one of the following...


This is my test filter, created without the stop on match option checked:

service event-action-rules rules0
variables HTTP_Proxy address 172.16.4.72,206.197.1.3
overrides produce-alert
override-item-status Enabled
risk-rating-range 0-100
exit
filters edit TcpSynSweep
signature-id-range 3030
attacker-address-range $HTTP_Proxy
victim-address-range 1.1.1.1
actions-to-remove produce-alert
exit
filters move TcpSynSweep begin
exit


This is the test filter with the stop on match option checked:

service event-action-rules rules0
variables HTTP_Proxy address 172.16.4.72,206.197.1.3
overrides produce-alert
override-item-status Enabled
risk-rating-range 0-100
exit
filters edit TcpSynSweep
signature-id-range 3030
attacker-address-range $HTTP_Proxy
victim-address-range 1.1.1.1
actions-to-remove produce-alert
stop-on-match True
user-comment Stop on Match
exit
filters move TcpSynSweep begin
exit



I am trying to get the sensor completely tuned and installed. Other than updates it had only the one rule. I figured this would be a good place to start.


Brent

bberry Wed, 03/21/2007 - 08:12

Ok, see, I really do need a reference. If I am understanding everything right, what I did and what is recommended are the same thing, other than the recommendation using specific victim addresses.


I understand that every network is different and there will probably not be a definite list, but what about the type of things to look for when tuning a new sensor?


Brent

RichardSW Thu, 03/22/2007 - 07:57

Creating Event Action Filters:


http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7a.html


When you added the filter, did you click Apply and log off gracefully? Are you using VMS with IPS Management? Could a lack of syncing VMS with your sensor have caused an overwrite? It might have been deleted if your syntax was wrong.


I recommend you remove the public/private IP addresses of your proxy server from your original post; you've just identified a key component of your security infrastructure.


You want stop on match checked if you don't want any more precise filters to override your first filter. Your victim address range should be 0.0.0.0-255.255.255.255.


Create your rule using the GUI, save, then go back to the CLI and copy the text version. You can then use that as a template for future rules. I personally prefer the GUI for something as complex as that.
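For reference, here is the filter written the way RichardSW's reply describes it, with the full victim range and stop on match set. This is an added example, not configuration from either poster or from Cisco's documentation. The variable name, filter name and signature ID are carried over from the configuration in the original post; the two proxy addresses are placeholders from the RFC 5737 documentation range rather than real proxy addresses, and the user-comment text is made up for the example. The overrides lines from the original post are left out because they configure a separate mechanism and are not part of the filter.

```text
service event-action-rules rules0
variables HTTP_Proxy address 192.0.2.10,192.0.2.11
filters edit TcpSynSweep
signature-id-range 3030
attacker-address-range $HTTP_Proxy
victim-address-range 0.0.0.0-255.255.255.255
actions-to-remove produce-alert
stop-on-match True
user-comment Proxy servers trigger TCP SYN sweep (3030) legitimately
exit
filters move TcpSynSweep begin
exit
```

The victim range 0.0.0.0-255.255.255.255 makes the filter apply no matter which host the proxy is scanning, which is the point of suppressing a proxy false positive; a single victim address like 1.1.1.1 would only suppress alerts for that one destination. Moving the filter to the beginning and setting stop-on-match means it is evaluated first and no later filter can put produce-alert back for these events. Keep the attacker range limited to exactly the proxy addresses and the signature range to 3030 alone: a broader attacker range or signature range would silence genuine scans as well, and the sensor cannot tell the difference afterwards.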


bberry Thu, 03/22/2007 - 08:13

I created the original filter via the GUI, but I guess I was just a little impatient in waiting for it to fire. While I was waiting I went ahead and pasted the recommended filter into the CLI and did the apply, but I had to reload the sensor to get it to appear in the list. That is when I noticed that both my original and the recommended solutions were basically the same.


I am not using the VMS as I only have one sensor. Am I losing something by not using it?


I do like the GUI interface better than the CLI as it makes adding and changing things easier. Now I just need to learn and understand everything that is in the event log.


I thought about pulling the IP addresses, but the message was already permanent when I came back to change it.


Thanks
