Selective events from IPS

mohsin.khan
Level 3

Hi, I know that to have selective events from devices, the logging level can be played with on the reporting devices themselves. However, in the case of IPS, I want to send only events for particular matching signatures. Can it be done on the IPS, or do I need to enable/disable rules in MARS?

3 Replies

dragnia_s
Level 1

Hi,

Stopping events from being fired on the IPS is better, MARS will not have to process the unwanted events.

You have to select the signatures that you want to fire, go to Edit Actions and check the Produce Alert field. Uncheck this field on the undesired signatures.

Or you can create a Drop rule in MARS in which you select the undesired events from the IPS.

Stelian

Farrukh Haroon
VIP Alumni

Well you could either disable those rules in MARS (pretty tiresome), or subtract the 'produce alert' action using 'event action filters' in IPS.

Or you could select all signatures in the IPS GUI, right click to modify actions, remove the produce alert action at once from all of them. Then add 'Produce Alert' for the desired signatures only.

Regards

Farrukh

This is correct, but I'm curious as to why the original poster wants to disable visibility into security issues on their network with the exception of certain signatures.

It would be far better to properly tune out any remaining false positives and allow the IPS to do what it was designed to do.

An example would be to tune signature 3030 to fire on a count of 3 instead of 1.

Raymond