Defining IPS filters in CSM

Unanswered Question
Oct 4th, 2007

When you are defining filters in CSM, is it possible to use several IPs or ranges of IPs in the "Attackers" and "Victims" tab?

Thank you

marcabal Fri, 10/05/2007 - 08:30

The sensor itself will accept several single IPs and IP ranges in a comma-delimited list in its event action filters.

For example:

10.10.1.1,10.10.1.3,10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255

I am fairly sure that CSM would also similarly support this ability for filling in those same fields for the sensor.
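
An added example, not part of the original posts and not Cisco code: a small pre-check for an address list written in the comma-delimited form shown above, so that typos, reversed ranges and overlaps are caught before the value is pasted into a filter. The function names are hypothetical, and the syntax rules are an assumption drawn only from the example list in this post (single IPv4 addresses and `start-end` ranges separated by commas).

```python
import ipaddress

# The list quoted in the post above.
EXAMPLE = "10.10.1.1,10.10.1.3,10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255"

def parse_address_list(text):
    """Parse 'a,b,c-d' into sorted, merged (start, end) IPv4Address pairs.

    Raises ValueError on empty entries, malformed addresses or a range
    whose end precedes its start (assumed syntax, see lead-in).
    """
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in address list")
        start_s, sep, end_s = item.partition("-")
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip()) if sep else start
        if end < start:
            raise ValueError(f"range end precedes start: {item}")
        ranges.append((start, end))
    # Merge overlapping or directly adjacent ranges so the list is minimal.
    ranges.sort()
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        last_start, last_end = merged[-1]
        if int(start) <= int(last_end) + 1:
            merged[-1] = (last_start, max(last_end, end))
        else:
            merged.append((start, end))
    return merged

def matches(merged, address):
    """True if the address falls inside any parsed range."""
    addr = ipaddress.IPv4Address(address)
    return any(start <= addr <= end for start, end in merged)

def to_list_string(merged):
    """Render the ranges back into the comma-delimited form."""
    return ",".join(str(s) if s == e else f"{s}-{e}" for s, e in merged)

if __name__ == "__main__":
    parsed = parse_address_list(EXAMPLE)
    print(to_list_string(parsed))
    print(matches(parsed, "10.20.5.77"), matches(parsed, "10.10.1.2"))
```
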

rhermes Mon, 10/15/2007 - 09:48

You can use ranges as Marcabal described above, or you can use variables. If you have IP address ranges that are used across multiple Event Action Filters you can assign them in CSM's "Policy Object Manager" Networks/Hosts (consider this a global variable). If you have the same Event Action Filters on multiple sensors with different IP address ranges, make the above "overwritable" and customize each sensor under CSM's "Device Properties" Networks/Hosts (this would be similar to a local variable).

lcuchisanmillan Mon, 10/15/2007 - 23:49

We want to use several IPs as in Marcabal's example, but CSM shows "Invalid value". We have tried different separators apart from a comma. It makes no sense to create a variable for each filter we use.
