signature triggering

Answered Question
Dec 14th, 2007

If the conditions match two signatures, do they both get triggered or only the first one?


Thanks


mai2mai2m Mon, 12/17/2007 - 05:08
In CISCO IPS, can we write a 'pass' rule to ignore good traffic and prevent it from triggering other signatures that cannot be turned off?


Thanks

mhellman Mon, 12/17/2007 - 06:53
User Badges:
  • Blue, 1500 points or more

You should be able to use an event action filter for this purpose. You can create a filter and put it at the top and set it to "stop on match". You can match on signature, IP address, port, and risk.

mai2mai2m Mon, 12/17/2007 - 11:20
Thanks for responding.


Yes, it looks like the CISCO wizard only allows filtering based on signature ID, IP, port, and risk. Is it possible to filter on other fields in the header or payload?

Correct Answer
mhellman Mon, 12/17/2007 - 11:31
User Badges:
  • Blue, 1500 points or more

You can only filter on those things. You can however create a custom signature that matches on something in the payload and then create a filter that subtracts all actions and has a "stop on match". If the signature matches every packet, then this should work quite well (we do it in fact). If the signature matches only one packet of many [in a stream you want to guarantee no alarms for] I'm not sure that it will work.

ccbootcamp Mon, 12/17/2007 - 11:34
User Badges:
  • Gold, 750 points or more

Also, don't forget, when you do the custom event and enable "stop on match" you also MUST SELECT the actions you do NOT want to happen! A lot of people miss that step.


-brad

www.ccbootcamp.com

(please rate the post if this helps!)


mai2mai2m Mon, 12/17/2007 - 11:24
Thanks Brad. Regarding the "both triggered", would there be any CISCO document I can refer to?

scothrel Tue, 12/18/2007 - 07:59
User Badges:
  • Cisco Employee,

I'll confirm Brad's post. We will trigger all alerts whose conditions are met by a packet or stream. We do not "fire first and forget"...that is a recipe for evasion.


You should be aware that in a stream signature, what has come before affects what happens in the present. We are analyzing the "stream"...not just the "packet". I mention this so that you can be aware that just because a particular condition exists in a packet, a signature may not fire because of something that was present (or not present) in a previous packet.


Scott C.
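The behaviour the thread describes can be made concrete with a small simulation. The block below is an added illustration written for this page, not Cisco code: the signature IDs, action names, addresses and packet are all constructed, and the sensor is reduced to two steps. It shows what Scott confirms (every signature whose condition a packet meets produces its own event), what mhellman describes (an ordered list of event action filters that match on signature, attacker address and risk rating, subtract actions, and can stop on match), and Brad's warning (a filter with "stop on match" set but no actions selected suppresses nothing, and because it stops processing it also shadows every filter below it). The model treats each packet on its own; the stream dependence Scott mentions is not modelled.

```python
"""Toy model of the IPS behaviour described in this thread.

Added illustration for this page, not Cisco code: the action names,
signature IDs, addresses and packet are constructed and simplified.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed action names, modelled on the kind of actions an IPS can take.
ALL_ACTIONS = frozenset({"produce-alert", "deny-packet-inline", "reset-tcp-connection"})


@dataclass(frozen=True)
class Signature:
    sig_id: int
    pattern: bytes          # fires when this byte string occurs in the payload
    risk: int               # constructed risk rating, 0-100
    actions: frozenset = ALL_ACTIONS


@dataclass(frozen=True)
class Filter:
    name: str
    sig_ids: frozenset = frozenset()          # empty: match any signature
    attacker: Optional[str] = None            # None: match any attacker address
    risk_range: tuple = (0, 100)              # inclusive risk-rating range
    actions_to_remove: frozenset = frozenset()
    stop_on_match: bool = False


@dataclass
class Event:
    sig_id: int
    attacker: str
    risk: int
    actions: set
    filters_hit: list = field(default_factory=list)


def match_signatures(sigs, attacker, payload):
    """Every signature whose pattern is present fires; there is no 'first match wins'."""
    return [Event(s.sig_id, attacker, s.risk, set(s.actions))
            for s in sigs if s.pattern in payload]


def filter_matches(f, ev):
    lo, hi = f.risk_range
    return ((not f.sig_ids or ev.sig_id in f.sig_ids)
            and (f.attacker is None or f.attacker == ev.attacker)
            and lo <= ev.risk <= hi)


def apply_filters(filters, events):
    """Walk the ordered filter list once per event, subtracting the named actions."""
    for ev in events:
        for f in filters:
            if not filter_matches(f, ev):
                continue
            ev.filters_hit.append(f.name)
            ev.actions -= f.actions_to_remove
            if f.stop_on_match:
                break   # no further filters are consulted for this event
    return events


def inspect(sigs, filters, attacker, payload):
    """Return {signature id: sorted remaining actions} for one packet."""
    events = apply_filters(filters, match_signatures(sigs, attacker, payload))
    return {ev.sig_id: sorted(ev.actions) for ev in events}


# Constructed signatures with overlapping patterns, so one packet fires both.
SIGS = [
    Signature(50001, b"/cgi-bin/", risk=70),
    Signature(50002, b"/cgi-bin/monitor", risk=40),
]
PACKET = b"GET /cgi-bin/monitor?host=1 HTTP/1.0\r\n"
SCANNER = "10.0.0.5"   # constructed address of a known-good monitoring host

# Pass rule done right: names the source, removes every action, stops on match.
PASS_RULE = Filter("pass-monitoring", attacker=SCANNER,
                   actions_to_remove=ALL_ACTIONS, stop_on_match=True)
# The mistake Brad warns about: stop-on-match set, but no actions selected.
EMPTY_PASS_RULE = Filter("pass-monitoring-empty", attacker=SCANNER, stop_on_match=True)
# A lower filter that would have removed the blocking actions for everyone.
ALERT_ONLY = Filter("alert-only", actions_to_remove=ALL_ACTIONS - {"produce-alert"})

if __name__ == "__main__":
    print(inspect(SIGS, [], SCANNER, PACKET))                         # both fire, all actions
    print(inspect(SIGS, [PASS_RULE, ALERT_ONLY], SCANNER, PACKET))    # both silenced
    print(inspect(SIGS, [EMPTY_PASS_RULE, ALERT_ONLY], SCANNER, PACKET))  # nothing removed
    print(inspect(SIGS, [PASS_RULE, ALERT_ONLY], "192.0.2.9", PACKET))    # alert only
```

Running it shows the two overlapping signatures both producing events for the same packet, the correctly built pass rule emptying the action set of both events from the monitoring host, and the empty filter leaving every action in place while also preventing the `alert-only` filter beneath it from ever being evaluated. Checking an ordered filter list this way, top to bottom, is the same review a practitioner does in the IDM or CLI before trusting a pass rule.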
