cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
521
Views
3
Helpful
5
Replies

Filtering IPs on a IDS/IPS signature

Eric Hansen
Level 1
Level 1

Forgive me, I am pretty green when it comes to manipulting IDS/IPS signatures.

Is there a way to filter an IP or subnet from a IDS/IPS signature?

Senario:

We have 2 ASAs with IPS modules and 2 4260 IDS's, we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because its sending a helo verb instead of a noop. This is fine for this paticular mail server. So i would like to remove its IP or filter its IP from the signature so when this happens the signature doesnt fire. However I dont want to disable the signature in case it happens somewhere else.

any help is greatly appreciated.

e-

1 Accepted Solution

Accepted Solutions
5 Replies 5

mhellman
Level 7
Level 7

You will need to use an event action filter. See (for version 6):

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmEvtRul.html

This seems more complicated then I originally thought, I think I need to spend some time reading. This leads me in the right direction. Thanks.

e-

It's not really too bad. I would encourage you to read still though;-)

Each signature can be configured with any number of actions. by default, a lot of them have the "product alert" action.

event action filters are basically a way to suppress all or some actions based on various criteria, like sigid and source (attacker) ip address. I've attached an example.

Here's the attachment.

Thanks. :)

I'm good with homework, a little reading doesnt deter me.

e-

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: