Filtering Summary Events?

Unanswered Question
Sep 10th, 2007

Does anyone know if it is possible to create an event action filter (IPS v5.1.5) that will also suppress summary events? I have a few signatures that I'm filtering, but still regularly see a ridiculously high number of summary events being reported.

If it helps, these tend to be for lower severity traffic that we expect to see to/from certain hosts on our network, but we want to alert on if the traffic starts appearing to/from unexpected hosts.

Thanks,

Chad

aghaznavi Fri, 09/14/2007 - 12:35

Complete these steps in order to add, edit, delete, enable, disable, and move event action filters:

Log in to IDM with an account that has administrator or operator privileges.

Choose Configuration > Policies > Event Action Rules > rules0 > Event Action Filters if the software version is 6.x. For the software version 5.x, choose Configuration > Event Action Rules > Event Action Filters.

mhellman Wed, 09/19/2007 - 09:51

Look closely at the summary alarms, in particular the source and destination IP addresses... they are often different than the original alarms that you built the filter on. In particular, the victim address is often 0.0.0.0. You'll need to modify the filter (or create a new one) to deal with the specifics of the actual summary alarms.

I'm on V6, but I recall the same behavior in V5.

This is info that I have been given in the past, via this forum. It outlines a particular methodology for tuning a given signature.

0.0.0.0 as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial alert with full source & target info, and then a follow-on summary event (usually for a 30 second window by default) with a count of how often the source address triggered an event. Since the target could be different in the summary, it displays it as 0.0.0.0.

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent 0.0.0.0 as a target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary intervals).

However, in practice, we see summary alerts firing, in accompaniment to initial alerts, where the attacker (source) is the same. Typically, these can be closed, but if they fire in large numbers or in isolation, then you need to do some tweaking?
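To make the point about 0.0.0.0 victims concrete, here is an added example (not from this thread and not Cisco's code) that models filter matching as the posts describe it: a filter is assumed to match on signature id, attacker range and victim range, and the alerts, subnets and signature id 2004 are all constructed.

```python
import ipaddress

# Constructed alerts: the initial alert carries full addresses; the follow-on
# summary alert reports the victim as 0.0.0.0 plus a hit count, as described above.
ALERTS = [
    {"sig": 2004, "attacker": "10.0.0.5",  "victim": "10.0.1.20", "summary": False},
    {"sig": 2004, "attacker": "10.0.0.5",  "victim": "0.0.0.0",   "summary": True, "count": 47},
    {"sig": 2004, "attacker": "192.0.2.9", "victim": "10.0.1.20", "summary": False},
    {"sig": 2004, "attacker": "192.0.2.9", "victim": "0.0.0.0",   "summary": True, "count": 12},
]


def in_range(addr, nets):
    """True if addr falls inside any of the CIDR networks in nets (assumed filter semantics)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def make_filter(sig, attacker_nets, victim_nets):
    """Build a predicate that is True when an alert matches the filter's criteria."""
    def matches(alert):
        return (alert["sig"] == sig
                and in_range(alert["attacker"], attacker_nets)
                and in_range(alert["victim"], victim_nets))
    return matches


def apply_filters(alerts, filters):
    """Return the alerts that survive, i.e. would still be reported to the console."""
    return [a for a in alerts if not any(f(a) for f in filters)]


# Filter as originally built: expected attacker subnet AND expected victim subnet.
NARROW = make_filter(2004, ["10.0.0.0/24"], ["10.0.1.0/24"])
# Filter adjusted for summary alarms: the victim range also admits 0.0.0.0.
WIDE = make_filter(2004, ["10.0.0.0/24"], ["10.0.1.0/24", "0.0.0.0/32"])


def surviving(filters):
    """Compact view of what still alerts after the given filters: (attacker, victim, is_summary)."""
    return [(a["attacker"], a["victim"], a["summary"]) for a in apply_filters(ALERTS, filters)]


if __name__ == "__main__":
    # The narrow filter lets the expected host's summary through; the wide one does not,
    # while the unexpected host (192.0.2.9) still alerts under both.
    print("narrow:", surviving([NARROW]))
    print("wide:  ", surviving([WIDE]))
```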
