IPS - Event Action Filters. Which alerts do you suppress

Mar 4th, 2008

Currently we have three IPS sensors consolidating all of our information into MARS and it is working quite well.

The question that I am wondering is if anyone has a suggestion for what is the best practice for tuning signatures at the IPS appliances and what alerts to suppress.

For example, our internal IPS has fired off a signature in regards to network scanning from our Orion NPM server. In the past I would filter out all alerts from this source IP to respective destination networks.

Looking at things again, is it best to just suppress the alert and still log the packets, or just remove all of the alerts, packet logging, etc. because it is a false positive?

Thanks in advance,


Overall Rating: 4.8 (3 ratings)
marcabal Tue, 03/04/2008 - 14:17
User Badges:
  • Cisco Employee

Packet logging is more CPU and memory intensive on the sensor than just alerting.

So packet logging should be limited to only those most severe alerts where you need additional information.

With that in mind, if you don't even want to see the alert, then you will not want to waste sensor resources trying to log those packets.

mhellman Tue, 03/04/2008 - 16:03
User Badges:
  • Blue, 1500 points or more

I think everyone has a different opinion about where and how to best tune the "SIM" environment. My 2 cents...

Think about how many places you'd have to make a change in order to effectively tune out what you're after.

Reserve your MARS drop rules for more "broad" filtering that would otherwise require changes to multiple devices and device types. For example, you might have a drop rule for all devices that perform network management-like processes. These devices can create lots of firewall accepts (and sometimes denies). Lots of netflows. They often trigger various IDS signatures. This is perfect for a MARS drop rule.

Some changes may only require a change in one place (i.e. tune one reporting device). Cisco IDS alarms are a common one. You have a specific signature triggering a single rule in MARS. In this situation, if you have the ability to do it (time, know-how, access to device, etc.), do your tuning as close to the reporting device as possible. Research alarms and tune on the sensor itself. Disable irrelevant or false-positive prone signatures. Create event filters where necessary.

AdnanShahid Fri, 03/28/2008 - 12:37

Hi Matt,

Hope fine and well.

I just want to know how I can filter one of my alerts from my VMS Report and also from my IEV for a specific LAN_Block.

I am having some false alarms from a block of network towards a couple of my Enterprise servers and I want to eliminate those alarms from my report.

It would be nice if u can tell me how can I filter those Alarms. Thanks in advance.



mhellman Mon, 03/31/2008 - 05:49
User Badges:
  • Blue, 1500 points or more

If you want to prevent the alarms from creating an alert for a given source and/or destination, your best bet is to create an event action filter, which is done directly on the sensor. Event action filters allow you to remove actions from a signature. So in this case, you will remove the "produce alert" action. This link provides more details:


AdnanShahid Tue, 04/01/2008 - 12:21

Hi Matthew,

Thanks. U give me the right food - I was also thinking it that way to prevent the False Alarms. Appreciate ur help



ankurs2008 Wed, 04/02/2008 - 08:44

Hi All,

I have a query related to Cisco IPS signature fine-tuning. Is it possible to disable the logging for a particular signature from one particular IP to another IP (in another zone)?

E.g. the logging for signature triggering from internal (Inside) to internal (DMZ) server communication, if considered to be legitimate, can be disabled.

If yes, please let me know as to how to configure the same, as I have not seen any option in IPS to disable the logging?


Ankur Sachdev

rhermes Wed, 04/02/2008 - 10:30
User Badges:
  • Gold, 750 points or more


Mhellman provided a (highly rated) link earlier in this thread that should provide you with the answer to your question. If you turn on packet logging for a signature and then use the Event Action Filter to remove the "log" action when the source address is from your DMZ network (you can set that address by defining a variable such as $DMZ if you want to use that address in other filters).
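
The filter behaviour discussed in this thread (removing the alert action or the packet-logging action from a signature for a given source and destination), as an added example that is not part of any post above and is not Cisco's code: a simplified Python model that also flags filters which hide the alert but leave packet logging running. The filter names, signature IDs, addresses and action names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

ALERT = "produce-alert"
LOG = "log-pair-packets"  # assumed name for the packet-logging action

class Filter(NamedTuple):
    name: str
    sig_id: int
    attacker: str   # CIDR the attacker (source) address must fall in
    victim: str     # CIDR the victim (destination) address must fall in
    remove: frozenset

# Constructed filters mirroring the two cases raised in the thread.
FILTERS = [
    # NMS host scanning internal networks: alert hidden, logging left on.
    Filter("nms-scan", 60001, "192.0.2.10/32", "10.0.0.0/8", frozenset({ALERT})),
    # Inside-to-DMZ traffic judged legitimate: keep the alert, drop the log.
    Filter("inside-to-dmz", 60002, "10.1.0.0/16", "198.51.100.0/24", frozenset({LOG})),
]

def matches(f, sig_id, attacker, victim):
    """True when signature ID, attacker and victim all fall inside the filter."""
    return (sig_id == f.sig_id
            and ipaddress.ip_address(attacker) in ipaddress.ip_network(f.attacker)
            and ipaddress.ip_address(victim) in ipaddress.ip_network(f.victim))

def remaining_actions(sig_actions, sig_id, attacker, victim, filters=FILTERS):
    """Subtract the actions of every matching filter from the signature's own."""
    actions = set(sig_actions)
    for f in filters:
        if matches(f, sig_id, attacker, victim):
            actions -= f.remove
    return actions

def alert_hidden_but_logged(filters=FILTERS):
    """Names of filters that remove the alert yet leave packet logging in place."""
    return [f.name for f in filters if ALERT in f.remove and LOG not in f.remove]

if __name__ == "__main__":
    configured = {ALERT, LOG}  # signature set to alert and to log packets
    print(remaining_actions(configured, 60001, "192.0.2.10", "10.20.30.40"))
    print(remaining_actions(configured, 60002, "10.1.5.5", "198.51.100.7"))
    print(alert_hidden_but_logged())
```

In this model the `nms-scan` filter still leaves the logging action active for events nobody will see, which is the sensor cost described in the first reply.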

