05-31-2007 03:40 AM - edited 03-10-2019 03:38 AM
Hi,
I am using an ASA-5510 with AIP-SSM, running 5.1 E1.
I am getting a lot of false positives from one internal relating to a TCP SYN Sweep.
I would like these not to be logged for this single host, but don't wish to globally disable or retire the signature.
Is this possible and if so, how?
Thanks in advance,
DAVE
05-31-2007 05:50 PM
This is configurable through:
Event Action Rules->Event Action Filters
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmevtrul.htm#wp1082564
-jonathan
06-01-2007 01:24 AM
Jonathan,
This is what I needed.
Thanks,
DAVE
06-06-2007 08:50 PM
Dave, if you want to avoid the false positives for a signature, you can create an event action filter. There you can specify the desired host and which action to filter; in this case you can filter the produce alert. Please check this link:
I hope it helps
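The filter described in the replies above, sketched as a sensor CLI session. This is an added example, not part of the original posts or Cisco's documentation. It assumes the IPS 5.x CLI submode and option names as shown (confirm them with `?` on the sensor) and that the noisy internal host is the attacker address on the alert. `<FILTER_NAME>`, `<SIG_ID>` and `<HOST_IP>` are placeholders the thread does not supply, and lines starting with `!` are annotations, not commands.

```text
! Enter the event action rules configuration (rules0 assumed as the instance name)
configure terminal
service event-action-rules rules0

! Create a filter at the top of the list; <FILTER_NAME> is a placeholder
filters insert <FILTER_NAME> begin

! Match only the TCP SYN sweep signature; <SIG_ID> is a placeholder,
! take the ID from one of the false-positive alerts
signature-id-range <SIG_ID>

! Match only the single internal host; <HOST_IP> is a placeholder
attacker-address-range <HOST_IP>

! Remove only the alert action for matching events; the signature stays
! enabled and keeps alerting for every other source
actions-to-remove produce-alert

! Review the filter, then leave the submodes and accept the prompt to apply
show settings
exit
exit
```

Because the filter matches on both the signature and the attacker address, sweeps of that signature from any other host still produce alerts, and other signatures still alert for the filtered host.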