signature triggering

mai2mai2m
Level 1

If the conditions match two signatures, do they both get triggered or only the first one?

Thanks


8 Replies

ccbootcamp
Level 7

Yes, they both get triggered.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

In Cisco IPS, can we write a 'pass' rule to ignore good traffic and prevent it from triggering other signatures that cannot be turned off?

Thanks

You should be able to use an event action filter for this purpose. You can create a filter and put it at the top and set it to "stop on match". You can match on signature, IP address, port, and risk.

Thanks for your response.

Yes, it looks like the Cisco wizard only allows filtering based on signature ID, IP, port, and risk. Is it possible to filter on other fields in the header or payload?

You can only filter on those things. You can however create a custom signature that matches on something in the payload and then create a filter that subtracts all actions and has a "stop on match". If the signature matches every packet, then this should work quite well (we do it in fact). If the signature matches only one packet of many [in a stream you want to guarantee no alarms for] I'm not sure that it will work.

Also, don't forget, when you do the custom event and enable "stop on match" you also MUST SELECT the actions you do NOT want to happen! A lot of people miss that step.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

Thanks Brad. Regarding the "both triggered", would there be any CISCO document I can refer to?

scothrel
Level 3

I'll confirm Brad's post. We will trigger all alerts whose conditions are met by a packet or stream. We do not "fire first and forget"...that is a recipe for evasion.

You should be aware that in a stream signature, what has come before affects what happens in the present. We are analyzing the "stream"...not just the "packet". I mention this so that you can be aware that just because a particular condition exists in a packet, a signature may not fire because of something that was present (or not present) in a previous packet.

Scott C.
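To make the behaviour described by Brad and Scott concrete, here is a small added model (not Cisco's code, and not part of this thread) of how a sensor fires every signature whose condition a packet meets and then walks the event action filters in order, subtracting only the actions a filter explicitly lists and stopping at a "stop on match" filter. The packet, signature IDs, risk ratings and action names are constructed for the example.

```python
# Added example (not Cisco's code): a model of the event-action behaviour
# described in this thread. Every signature whose condition the packet meets
# fires; filters are then walked in order for each event, each subtracting only
# the actions it explicitly lists; "stop on match" ends filtering for that event.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Signature:
    sig_id: int
    risk_rating: int
    actions: FrozenSet[str]
    matches: Callable[[Packet], bool]      # the signature's condition

@dataclass(frozen=True)
class ActionFilter:
    # Filter criteria: signature id, address, port and risk rating (None = any).
    sig_ids: Optional[FrozenSet[int]] = None
    victim: Optional[str] = None
    dport: Optional[int] = None
    risk_range: Tuple[int, int] = (0, 100)
    subtract: FrozenSet[str] = frozenset()  # actions to remove; must be chosen explicitly
    stop_on_match: bool = False
    def applies(self, sig: Signature, pkt: Packet) -> bool:
        return ((self.sig_ids is None or sig.sig_id in self.sig_ids)
                and (self.victim is None or pkt.dst == self.victim)
                and (self.dport is None or pkt.dport == self.dport)
                and self.risk_range[0] <= sig.risk_rating <= self.risk_range[1])

def process(pkt: Packet, signatures, filters):
    """Return {sig_id: remaining actions} for every signature the packet triggers."""
    events = {}
    for sig in signatures:
        if not sig.matches(pkt):
            continue                           # condition not met: no event
        remaining = set(sig.actions)
        for flt in filters:                    # filters are consulted in order
            if not flt.applies(sig, pkt):
                continue
            remaining -= flt.subtract          # empty subtract set removes nothing
            if flt.stop_on_match:
                break                          # later filters never see this event
        events[sig.sig_id] = frozenset(remaining)
    return events
```

Running two signatures that both match one packet shows both events being produced, and a "stop on match" filter with no actions selected leaves the alert untouched, which is the step Brad warns people miss.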
