Filtering only high alerts

Jun 11th, 2008

I have a range of IPs that I never want to see any high priority alerts, but need to see any other alerts. How would I do that?

Thanks

Farrukh Haroon Wed, 06/11/2008 - 13:16

The best way to control this would be to filter those hosts based on the Risk Rating. Using 'Event Action Filters', you can subtract actions from alerts. So for these hosts you could subtract the 'Produce Alert' action based on a specific Risk Rating value.


Have a look at:


http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmEvtRul.html#wp1034361


Regards


Farrukh
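
A simplified Python model of the filter logic described in the answer above, added here as an example; it is not Cisco's code or configuration and not part of the original posts. The address range 10.10.5.0-10.10.5.255, the 90-100 band standing in for "high", the two-filter layout (hosts as attacker or as victim) and the sample events are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")
ALERT = "produce-alert"

@dataclass(frozen=True)
class EventActionFilter:
    """Simplified model of one filter: match criteria plus actions to subtract."""
    attacker_range: tuple = ANY
    victim_range: tuple = ANY
    rr_range: tuple = (0, 100)          # Risk Rating is a 0-100 value
    actions_to_remove: frozenset = frozenset()

    def matches(self, event):
        def inside(addr, rng):
            lo, hi = (ipaddress.IPv4Address(a) for a in rng)
            return lo <= ipaddress.IPv4Address(addr) <= hi
        return (inside(event["attacker"], self.attacker_range)
                and inside(event["victim"], self.victim_range)
                and self.rr_range[0] <= event["risk_rating"] <= self.rr_range[1])

def apply_filters(event, filters):
    """Return the actions left after every matching filter subtracts its own."""
    actions = set(event["actions"])
    for f in filters:
        if f.matches(event):
            actions -= f.actions_to_remove
    return actions

# Assumed values: the host range to quiet and the Risk Rating band treated as "high".
QUIET = ("10.10.5.0", "10.10.5.255")
HIGH = (90, 100)
FILTERS = [  # one filter per direction, since the hosts may be attacker or victim
    EventActionFilter(attacker_range=QUIET, rr_range=HIGH, actions_to_remove=frozenset({ALERT})),
    EventActionFilter(victim_range=QUIET, rr_range=HIGH, actions_to_remove=frozenset({ALERT})),
]

# Constructed sample events (not real sensor output).
EVENTS = [
    {"attacker": "10.10.5.20", "victim": "192.0.2.8", "risk_rating": 95, "actions": [ALERT]},
    {"attacker": "10.10.5.20", "victim": "192.0.2.8", "risk_rating": 60, "actions": [ALERT]},
    {"attacker": "198.51.100.7", "victim": "192.0.2.8", "risk_rating": 95, "actions": [ALERT]},
    {"attacker": "198.51.100.7", "victim": "10.10.5.33", "risk_rating": 100, "actions": [ALERT, "deny-packet-inline"]},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["attacker"], e["victim"], e["risk_rating"], sorted(apply_filters(e, FILTERS)))
```

In this model, subtracting only the alert action leaves any other action on the event (the last sample keeps its deny action), so a filtered event can still be acted on without appearing in the alert list.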

5creedus Wed, 06/11/2008 - 15:41

Thanks, more detailed information on the risk ratings?
