05-16-2008 08:16 AM - edited 03-10-2019 04:06 AM
Forgive me, I am pretty green when it comes to manipulating IDS/IPS signatures.
Is there a way to filter an IP or subnet from an IDS/IPS signature?
Scenario:
We have 2 ASAs with IPS modules and 2 4260 IDSs, and we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because it's sending a helo verb instead of a noop. This is fine for this particular mail server. So I would like to remove its IP or filter its IP from the signature so when this happens the signature doesn't fire. However, I don't want to disable the signature in case it happens somewhere else.
Any help is greatly appreciated.
e-
05-16-2008 09:48 AM
You will need to use an event action filter. See (for version 6):
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmEvtRul.html
05-16-2008 09:53 AM
This seems more complicated than I originally thought; I think I need to spend some time reading. This leads me in the right direction. Thanks.
e-
05-16-2008 10:01 AM
It's not really too bad. I would encourage you to read still though ;-)
Each signature can be configured with any number of actions. By default, a lot of them have the "produce alert" action.
Event action filters are basically a way to suppress all or some actions based on various criteria, like sig ID and source (attacker) IP address. I've attached an example.
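To make the "suppress all or some actions" distinction concrete, here is a small Python model of how an event action filter is evaluated against an alert. It is an added example, not code from this thread, from Cisco, or from IPS Manager Express: the filter fields (signature range, optional subsignature range, attacker address range, actions to remove, stop-on-match) mirror the criteria named above, but the class names, the action strings, the mail server address 192.0.2.25 and the second host 198.51.100.7 are all constructed for illustration. The point it shows is the one the original poster needed: the filter strips the alert action only for the one source host, while the same signature still alerts for every other source and stays enabled.

```python
"""Toy model of IDS/IPS event action filters (illustration only, not Cisco's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional, Set, Tuple, List


@dataclass
class Alert:
    """One fired signature: 5748-x in the thread means sig 5748, subsig x."""
    sig_id: int
    subsig_id: int
    attacker: str          # source IP of the packet that fired the signature
    actions: Set[str]      # actions the signature is configured with


@dataclass
class EventActionFilter:
    """Removes actions from alerts that match every configured criterion."""
    name: str
    sig_range: Tuple[int, int]              # inclusive signature ID range
    attacker_range: IPv4Network             # host (/32) or subnet to filter
    actions_to_remove: Set[str]
    subsig_range: Optional[Tuple[int, int]] = None  # None = any subsignature
    stop_on_match: bool = False             # skip later filters once matched
    enabled: bool = True

    def matches(self, alert: Alert) -> bool:
        lo, hi = self.sig_range
        if not lo <= alert.sig_id <= hi:
            return False
        if self.subsig_range is not None:
            slo, shi = self.subsig_range
            if not slo <= alert.subsig_id <= shi:
                return False
        return ip_address(alert.attacker) in self.attacker_range


def apply_filters(alert: Alert, filters: List[EventActionFilter]) -> Set[str]:
    """Return the actions that survive after all enabled filters are applied.

    Filters never disable a signature; they only subtract actions from
    alerts that match, so non-matching sources keep every action.
    """
    remaining = set(alert.actions)
    for flt in filters:
        if not flt.enabled or not flt.matches(alert):
            continue
        remaining -= flt.actions_to_remove
        if flt.stop_on_match:
            break
    return remaining


# Constructed filter for the thread's scenario: one known mail server that
# legitimately trips 5748-x. Only the alert action is removed, only for it.
MAIL_SERVER_FILTER = EventActionFilter(
    name="mailserver-helo-ok",
    sig_range=(5748, 5748),
    attacker_range=ip_network("192.0.2.25/32"),   # constructed address
    actions_to_remove={"produce-alert"},
)
FILTERS = [MAIL_SERVER_FILTER]


def remaining_for(sig_id: int, subsig_id: int, attacker: str,
                  actions: Set[str]) -> Set[str]:
    """Convenience wrapper: evaluate one alert against the configured filters."""
    return apply_filters(Alert(sig_id, subsig_id, attacker, actions), FILTERS)


if __name__ == "__main__":
    # Known mail server: alert suppressed, signature itself untouched.
    print(remaining_for(5748, 2, "192.0.2.25", {"produce-alert"}))
    # Any other host hitting the same signature still produces an alert.
    print(remaining_for(5748, 2, "198.51.100.7", {"produce-alert"}))
    # Same host, different signature: filter does not apply.
    print(remaining_for(3000, 0, "192.0.2.25", {"produce-alert"}))
    # "Some" actions: an inline deny configured alongside the alert survives.
    print(remaining_for(5748, 2, "192.0.2.25",
                        {"produce-alert", "deny-packet-inline"}))
```

Replacing the /32 with a subnet (for example a mail relay range) is just a change to `attacker_range`; the stop-on-match flag matters once several filters overlap, because the first matching filter with it set prevents later, broader filters from removing anything further.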
05-16-2008 10:03 AM
05-16-2008 10:10 AM
Thanks. :)
I'm good with homework; a little reading doesn't deter me.
e-