Selective events from IPS

Unanswered Question
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dragnia_s Sun, 02/15/2009 - 02:12
User Badges:


Stopping events from being fired on the IPS is better, MARS will not have to process the unwanted events.

You have to select the signatures that you want to fire go to edit actions and check the produce alert field. Uncheck this field on the undesired signatures.

Or you can create a Drop rule in MARS in wich you select the undesired events from the IPS.


Farrukh Haroon Sun, 02/15/2009 - 02:16
User Badges:
  • Red, 2250 points or more

Well you could either disable those rules in MARS (pretty tiresome), or subtract the 'produce alert' action using 'event action filters' in IPS.

Or you could select all signatures in the IPS GUI, right click to modify actions, remove the produce alert action at once from all of them. Then add 'Produce Alert' for the desired signatures only.



rajett Mon, 02/16/2009 - 08:30
User Badges:
  • Cisco Employee,

This is correct, but I'm curious as to why the original poster wants to disable visibility into security issues on their network with the exception of certain signatures.

It would be far better to properly tune out any remaining false positives and allow the IPS to do what it was designed to do.

An example would be to tune signature 3030 to fire on a count of 3 instead of 1.



This Discussion