Filtering IPs on a IDS/IPS signature

Answered Question
May 16th, 2008

Forgive me, I am pretty green when it comes to manipulting IDS/IPS signatures.

Is there a way to filter an IP or subnet from a IDS/IPS signature?

Senario:

We have 2 ASAs with IPS modules and 2 4260 IDS's, we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because its sending a helo verb instead of a noop. This is fine for this paticular mail server. So i would like to remove its IP or filter its IP from the signature so when this happens the signature doesnt fire. However I dont want to disable the signature in case it happens somewhere else.

any help is greatly appreciated.

e-

I have this problem too.
0 votes
Correct Answer by mhellman about 8 years 6 months ago

You will need to use an event action filter. See (for version 6):

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmEvtRul.html

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
Eric Hansen Fri, 05/16/2008 - 09:53

This seems more complicated then I originally thought, I think I need to spend some time reading. This leads me in the right direction. Thanks.

e-

mhellman Fri, 05/16/2008 - 10:01

It's not really too bad. I would encourage you to read still though;-)

Each signature can be configured with any number of actions. by default, a lot of them have the "product alert" action.

event action filters are basically a way to suppress all or some actions based on various criteria, like sigid and source (attacker) ip address. I've attached an example.

Eric Hansen Fri, 05/16/2008 - 10:10

Thanks. :)

I'm good with homework, a little reading doesnt deter me.

e-

Actions

This Discussion