filtering the sweep signatures

Unanswered Question
Dec 6th, 2008

Hello,

I'm wondering if somebody is using the filters to get rid of the logging for the antivirus updates. Usually the antivirus updates cause the signature 2100 to fire.

IPS configuration guide says:

When filtering sweep signatures we recommend that you do not use the destination address. If there are several destination addresses, only the last address is used for matching the filter.

I'm kind of learning IPS by trial and error in the test environment. Maybe somebody can share the experience from the real production environment.

thanks

ivillegas Thu, 12/11/2008 - 14:30

You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters. For the procedure on how to configure event action variables, see the Adding, Editing, and Deleting Event Action Variables section in the below URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml#event

pszczola1 Fri, 12/12/2008 - 18:44

Thanks, but it looks like it doesn't work for signature 2100

LAN workstations are trying to go to different addresses on the internet, let's say for the Avast update. I cannot have a variable set up by the DNS name, only by IP.

Farrukh Haroon Sat, 12/13/2008 - 05:54

The configuration guide reads that event action filters cannot be used for sweep signatures, but I've configured them on production IDSM-2s without any issues at all. You can also use the source/destination fields in the signature itself.

However you cannot use hostnames (and let the IPS resolve IPs for you). You have to use IPs. If the hostname maps to multiple IPs, you have to list all of them (using commas).

Just make sure you put RANGES in the event action filter and not individual IPs. e.g.

10.4.4.4-10.4.4.4, 13.13.13.1-13.13.13.255

You can also keep the destination IP address field as a wildcard (default).

Regards

Farrukh
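An added illustration of the range syntax Farrukh describes, written for this thread and not taken from the forum or from Cisco: it takes the addresses you resolved yourself for an update host (single IPs, CIDR blocks, or explicit ranges), merges overlapping and adjacent entries, and prints them as the `start-end, start-end` list the event action filter expects. The exact accepted filter syntax is assumed from the example in the answer above; the input addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

def _to_interval(item: str) -> Tuple[int, int]:
    """Turn one IP, CIDR block, or 'a-b' range into an inclusive integer interval."""
    item = item.strip()
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != 4 or hi.version != 4:
            raise ValueError(f"only IPv4 is handled here: {item}")
        if int(lo) > int(hi):
            raise ValueError(f"range start is after its end: {item}")
        return int(lo), int(hi)
    net = ipaddress.ip_network(item, strict=False)  # bare IP becomes a /32
    if net.version != 4:
        raise ValueError(f"only IPv4 is handled here: {item}")
    return int(net.network_address), int(net.broadcast_address)

def merge_intervals(intervals: Iterable[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or directly adjacent intervals so the filter stays short."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def to_filter_ranges(items: Iterable[str]) -> str:
    """Render the merged intervals as 'a-b, c-d'; a lone host becomes 'x-x' as in the thread."""
    merged = merge_intervals(_to_interval(i) for i in items)
    return ", ".join(
        f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}" for lo, hi in merged
    )

if __name__ == "__main__":
    # Constructed sample: one resolved A record plus a block noted from the thread.
    print(to_filter_ranges(["10.4.4.4", "13.13.13.1-13.13.13.255"]))
```

Feed it the A records you looked up for the update hostname (the sensor will not resolve names for you), and paste the result into the filter's attacker or victim address field.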
