12-14-2007 02:17 PM - edited 03-10-2019 03:54 AM
If the conditions match two signatures, do they both get triggered or only the first one?
Thanks
12-15-2007 02:10 AM
12-17-2007 05:08 AM
In CISCO IPS, can we write a 'pass' rule to ignore good traffic and prevent it from triggering other signatures that cannot be turned off?
Thanks
12-17-2007 06:53 AM
You should be able to use an event action filter for this purpose. You can create a filter and put it at the top and set it to "stop on match". You can match on signature, IP address, port, and risk.
12-17-2007 11:20 AM
Thanks for your response.
Yes, looks like the CISCO wizard only allows filtering based on signature ID, IP, port, and risk. Is it possible to filter on other fields in the header or payload?
12-17-2007 11:31 AM
You can only filter on those things. You can however create a custom signature that matches on something in the payload and then create a filter that subtracts all actions and has a "stop on match". If the signature matches every packet, then this should work quite well (we do it in fact). If the signature matches only one packet of many [in a stream you want to guarantee no alarms for] I'm not sure that it will work.
12-17-2007 11:34 AM
Also, don't forget, when you do the custom event and enable "stop on match" you also MUST SELECT the actions you do NOT want to happen! A lot of people miss that step.
-brad
(please rate the post if this helps!)
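To make the filter mechanics discussed above concrete (ordered event action filters matched on signature, address, port or risk; actions subtracted per filter; "stop on match" ending filter processing for that alert; and the pitfall of forgetting to select the actions to remove), here is a small constructed model in Python. It is an added illustration, not Cisco's code or configuration: the signature IDs, payloads, addresses and the reduced action names are assumptions chosen for the example, and the real sensor's matching fields and action set are richer than this.

```python
"""Toy model of IPS event-action processing (constructed illustration).

Two behaviours from the thread are modelled:
  * every signature whose condition a packet meets fires; there is no
    "fire first and forget" that would let one match hide another;
  * event action filters are evaluated in order per alert, each one
    subtracting the actions it names; "stop on match" ends filter
    processing for that alert, so a filter with stop-on-match but no
    actions selected for removal leaves the alert fully actioned.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Assumed action names, loosely modelled on IPS action names.
ALL_ACTIONS: FrozenSet[str] = frozenset(
    {"produce-alert", "deny-packet-inline", "log-attacker-packets"}
)


@dataclass(frozen=True)
class Signature:
    sig_id: int
    needle: bytes                      # payload substring that trips the signature
    actions: FrozenSet[str] = ALL_ACTIONS


@dataclass(frozen=True)
class Filter:
    name: str
    sig_ids: Optional[FrozenSet[int]] = None   # None = matches any signature
    attacker: Optional[str] = None             # None = matches any source
    actions_to_remove: FrozenSet[str] = frozenset()
    stop_on_match: bool = False


@dataclass
class Event:
    sig_id: int
    attacker: str
    actions: Set[str]


def fire_signatures(attacker: str, payload: bytes, sigs: List[Signature]) -> List[Event]:
    """Return one alert per signature whose condition the packet meets."""
    return [Event(s.sig_id, attacker, set(s.actions)) for s in sigs if s.needle in payload]


def apply_filters(event: Event, filters: List[Filter]) -> Event:
    """Walk the ordered filter list, subtracting actions; honour stop-on-match."""
    for f in filters:
        if f.sig_ids is not None and event.sig_id not in f.sig_ids:
            continue
        if f.attacker is not None and f.attacker != event.attacker:
            continue
        event.actions -= f.actions_to_remove
        if f.stop_on_match:
            break
    return event


def process(attacker: str, payload: bytes, sigs: List[Signature], filters: List[Filter]) -> List[Event]:
    return [apply_filters(e, filters) for e in fire_signatures(attacker, payload, sigs)]


# Constructed sample data: two signatures that both match one payload.
SIGNATURES = [Signature(1001, b"cmd.exe"), Signature(1002, b"/etc/passwd")]
PAYLOAD = b"GET /cgi-bin/x?cmd.exe+/etc/passwd HTTP/1.0"

# Mistake: "pass" filter for a trusted scanner with stop-on-match but no
# actions selected for removal. The alert keeps every action and later
# filters are never consulted.
FILTERS_MISSING_ACTIONS = [
    Filter("trusted-scanner", attacker="10.0.0.5", stop_on_match=True),
    Filter("no-inline-deny", actions_to_remove=frozenset({"deny-packet-inline"})),
]

# Corrected: the same filter with all actions selected for removal.
FILTERS_CORRECT = [
    Filter("trusted-scanner", attacker="10.0.0.5",
           actions_to_remove=ALL_ACTIONS, stop_on_match=True),
    Filter("no-inline-deny", actions_to_remove=frozenset({"deny-packet-inline"})),
]

if __name__ == "__main__":
    for label, flt in (("missing actions", FILTERS_MISSING_ACTIONS), ("correct", FILTERS_CORRECT)):
        for ev in process("10.0.0.5", PAYLOAD, SIGNATURES, flt):
            print(f"{label}: sig {ev.sig_id} from {ev.attacker} -> {sorted(ev.actions)}")
```

Running the block shows both signatures firing for the single packet in every case; with the first filter list the trusted host's alerts retain all three actions, and with the corrected list they are stripped to none, while an untrusted source falls through to the second filter and only loses the inline deny.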
12-17-2007 11:24 AM
Thanks Brad. Regarding the "both triggered", would there be any CISCO document I can refer to?
12-18-2007 07:59 AM
I'll confirm Brad's post. We will trigger all alerts whose conditions are met by a packet or stream. We do not "fire first and forget" ... that is a recipe for evasion.
You should be aware that in a stream signature, what has come before affects what happens in the present. We are analyzing the "stream" ... not just the "packet". I mention this so that you can be aware that just because a particular condition exists in a packet, a signature may not fire because of something that was present (or not present) in a previous packet.
Scott C.