Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
404
Views
0
Helpful
3
Replies

Filtering Summary Events?

cgiulini
Level 1
Level 1

‎09-10-2007 07:07 AM - edited ‎03-10-2019 03:47 AM

Does anyone know if it is possible to create an event action filter (IPS v5.1.5) that will also suppress summary events? I have a few signatures that I'm filtering, but still regularly see a ridiculously high number of summary events being reported.

If it helps, these tend to be for lower severity traffic that we expect to see to/from certain hosts on our network, but we want to alert on if the traffic starts appearing to/from unexpected hosts.

Thanks,

Chad

Labels:
0 Helpful
3 Replies 3

aghaznavi
Level 5
Level 5

‎09-14-2007 12:35 PM

Complete these steps in order to add, edit, delete, enable, disable, and move event action filters:

Log in to IDM with an account that has administrator or operator privileges.

Choose Configuration > Policies > Event Action Rules > rules0 > Event Action Filters if the software version is 6.x. For the software version 5.x, choose Configuration > Event Action Rules > Event Action Filters.

0 Helpful

mhellman
Level 7
Level 7

‎09-19-2007 09:51 AM

Look closely at the summary alarms, in particular the source and destination IP addresses....they are often different than the original alarms that you built the filter on. In particular, the victim address is often 0.0.0.0. You'll need to modify the filter (or create a new one) to deal with the specifics of the actual summary alarms.

I'm on V6, but I recall the same behavior in V5.

0 Helpful

andy.deakin
Level 1
Level 1
In response to mhellman

‎09-24-2007 07:41 AM

This is info that I have been given in the past, via this forum. It outlines a particluar methodology for tuning a given signature.

0.0.0.0 as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial

alert with full source & target info, and then a follow on summary event (usually for a 30 second window by default) with a

count of how often the source address triggered an event. Since the target could be different in the summary, it display it

as 0.0.0.0.

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent 0.0.0.0 as a

target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary

intervals)

However, in practice, we see summary alerts firing, in accompanyment to initial alerts, where the attacker (source) is the same. Typically, these can be closed, but if they fire in large numbers or in isolation, then you need to do some tweaking?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card