Tuning signature

Answered Question
Mar 28th, 2008

Can someone help on how I can tune signatures 2000 and 2004 to allow my monitoring PC to send ICMP to the target IP addresses? Whenever I enable these signatures my monitoring screen goes red.


Help fast pls.

Hi,


Ok, so you'll want to create an exception to the rule here. So I understand it, you still want ICMP messages to be alerted/blocked on the IPS except for your monitoring system.


I'm unsure if you'll be using the IDM/CSM or what not, so the instructions may vary. Just keep in mind you'll need to accomplish basically the same thing in either one.


Start by going to "Event Action Filters." Within here you'll need to create a new filter for what you want. Next, name it whatever is identifiable to your monitoring system, or whatever assists you. After this you'll just need to fill out the rest: Signature ID being 2000 and 2004, "Attacker Address" is your monitoring system, victim you can leave wide open as you'll be scanning the subnet(s) for up/downs. OS Relevance, if you are running a 6.0 sensor, just make that selected for all, and then the important part: do you want to be alerted to this, do you want this blocked and such? So, for the items you do NOT want, just highlight them in the box. Also, you might want to select the "Stop on Match" box.


I really hope this assists.

Correct Answer
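The same exception entered from the sensor CLI on a 6.x sensor, as an added example rather than anything posted in this thread. The sensor prompt, the filter name, the monitoring address 10.1.1.50 and the removed actions are constructed; the victim range is left at its default (all addresses) to match "leave wide open," and the comma-separated signature list is assumed to be accepted by your sensor version (if it is not, create one filter per signature ID).

```text
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert MonitorPC-ICMP begin
sensor(config-rul-fil)# signature-id-range 2000,2004
sensor(config-rul-fil)# attacker-address-range 10.1.1.50
sensor(config-rul-fil)# os-relevance relevant|not-relevant|unknown
sensor(config-rul-fil)# actions-to-remove produce-alert|deny-packet-inline
sensor(config-rul-fil)# stop-on-match true
sensor(config-rul-fil)# filter-item-status enabled
sensor(config-rul-fil)# user-comment Monitoring PC ICMP echo exception (constructed example)
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
sensor#
```

After applying, run a ping sweep from the monitoring PC and check `show events alert past 00:10:00` on the sensor: alerts for 2000/2004 with 10.1.1.50 as attacker should no longer appear, while the same pings from any other host still should.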

ayolawrence Sat, 03/29/2008 - 18:02

I have been able to solve the problem with your simple explanation.


I am really grateful.


Thanx man.
