Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
0
Helpful
3
Replies

filtering the sweep signatures

pszczola1
Level 1
Level 1

‎12-06-2008 09:16 AM - edited ‎03-10-2019 04:24 AM

Hello,

I'm wondering if somebody is using the filters to get get rid of the logging for the antivirus updates. Usually the antivirus updates cause the signature 2100 to fire.

IPS configuration guide says:

When filtering sweep signatures we recommend, that you do not use the destination address. If they are several destination addresses, only the last address is used for matching the filter.

I'm kind of learning IPS by trial and error in the test environment. Maybe somebody can share the experience from the real production environment.

thanks

Labels:
0 Helpful
3 Replies 3

ivillegas
Level 6
Level 6

‎12-11-2008 02:30 PM

You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters. For the procedure on how to configure event action variables, see the Adding, Editing, and Deleting Event Action Variables section in the below URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml#event

0 Helpful

pszczola1
Level 1
Level 1
In response to ivillegas

‎12-12-2008 06:44 PM

Thanks, but it looks like it doesn't work for signature 2100

LAN workstation are trying to go the different addresses on the internet let's say for the avast update. I can not have a variable set up by the dns name only by IP.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to pszczola1

‎12-13-2008 05:54 AM

The configuration guide reads that event action filters cannot be used for sweep signatures, but I've configured them on production IDSM-2s without any issues at all. You can also use the source/destination fields in the signature itself.

However you cannot use hostnames (and let the IPS resolve IPs for you). You have to use IPs. If the hostname maps to multiple IPs, you have to list all of them (using commas).

Just make sure you put RANGES in the event action filter and not individual IPs. e.g.

10.4.4.4-10.4.4.4, 13.13.13.1-13.13.13.255

You can also keep the destination IP address field as a wilrdcard (default).

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card