Forgive me, I am pretty green when it comes to manipulating IDS/IPS signatures.
Is there a way to filter an IP or subnet from an IDS/IPS signature?
We have 2 ASAs with IPS modules and 2 4260 IDSs; we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because it's sending a helo verb instead of a noop. This is fine for this particular mail server. So I would like to remove its IP or filter its IP from the signature so when this happens the signature doesn't fire. However, I don't want to disable the signature in case it happens somewhere else.
Any help is greatly appreciated.
You will need to use an event action filter. See (for version 6):
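
As an added illustration (not part of the original reply or of Cisco's documentation), an event action filter for this case could be entered on the sensor CLI roughly as follows. Assumptions: the default rules instance `rules0`, a hypothetical filter name, the documentation placeholder address 192.0.2.25 standing in for the mail server, and the mail server appearing as the attacker (source) address in the alert. Lines starting with `!` are annotations, not commands.

```text
! Constructed example: suppress alerts for signature 5748 (all subsignatures)
! only when the source is the known mail server; the signature stays enabled
! for every other host.
configure terminal
service event-action-rules rules0
! "mailsrv-5748" is a hypothetical filter name
filters insert mailsrv-5748 begin
signature-id-range 5748
! 192.0.2.25 is a placeholder; use the mail server's real address or range
attacker-address-range 192.0.2.25
actions-to-remove produce-alert
filter-item-status enabled
exit
exit
! answer "yes" at the Apply Changes prompt
```

Keeping the filter scoped to one signature ID and one source address means the same HELO anomaly from any other host still produces an alert. If the signature has other event actions configured, they remain in effect for this host unless they are also listed in `actions-to-remove`.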