Filtering IPs on a IDS/IPS signature

May 16th, 2008

Forgive me, I am pretty green when it comes to manipulating IDS/IPS signatures.

Is there a way to filter an IP or subnet from an IDS/IPS signature?


We have 2 ASAs with IPS modules and 2 4260 IDS's; we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because it's sending a HELO verb instead of a NOOP. This is fine for this particular mail server. So I would like to remove its IP or filter its IP from the signature so when this happens the signature doesn't fire. However, I don't want to disable the signature in case it happens somewhere else.

Any help is greatly appreciated.


Correct Answer by mhellman about 9 years 1 month ago

You will need to use an event action filter. See (for version 6):

Eric Hansen Fri, 05/16/2008 - 09:53

This seems more complicated than I originally thought; I think I need to spend some time reading. This leads me in the right direction. Thanks.


mhellman Fri, 05/16/2008 - 10:01

It's not really too bad. I would still encourage you to read, though ;-)

Each signature can be configured with any number of actions. By default, a lot of them have the "produce alert" action.

Event action filters are basically a way to suppress all or some actions based on various criteria, like sigid and source (attacker) IP address. I've attached an example.
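As an added illustration for this thread (it is not the attachment mhellman mentions and not the poster's own configuration), this is what such a filter looks like when entered on the sensor CLI of IPS 6.x rather than in IME; the filter name, the comment text and the mail server address 192.0.2.25 are assumed placeholders, and lines beginning with `!` are annotations, not commands.

```text
! Added example, constructed for this thread: suppress only the alert for
! signature 5748 when the attacker (source) address is the known mail server.
! 192.0.2.25 is a placeholder for the real mail server address.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Insert at the top of the list so it is evaluated before broader filters.
sensor(config-rul)# filters insert mailserver-helo begin
! Signature 5748, every subsignature (the "-x" in 5748-x).
sensor(config-rul-fil)# signatures 5748
sensor(config-rul-fil)# subsignatures 0-255
! Match only events whose source address is this single host.
sensor(config-rul-fil)# attacker-address-range 192.0.2.25-192.0.2.25
! Strip only the alert action. The signature stays enabled and still
! fires, with all its actions, for any other source address.
sensor(config-rul-fil)# actions-to-remove produce-alert
sensor(config-rul-fil)# filter-item-status enabled
! Leave false so later filters in the list can still apply to this event.
sensor(config-rul-fil)# stop-on-match false
sensor(config-rul-fil)# user-comment "mail server sends HELO; expected behaviour"
sensor(config-rul-fil)# exit
! Review the filter list before committing.
sensor(config-rul)# show settings
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
```

Because the filter is keyed on both the signature and a single attacker address, the same HELO-instead-of-NOOP event from any other host still produces an alert, which is the behaviour the original question asks for.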

Eric Hansen Fri, 05/16/2008 - 10:10

Thanks. :)

I'm good with homework; a little reading doesn't deter me.


