Event Action Filter not working

ola · ‎10-28-2009

Hi,

We are running an IDSM-2 with 7.0(1)E3 and 2 virtual sensors.

I want to filter alarms from sig 2004 for a monitoring server.

When adding an event action filter, it still sends alarms. Bug?? Is there another way to filter the alarms for a specific host?

Regards

/Ola

andrey.dugin · ‎10-28-2009

Event action rules set is assigned to virtual sensor. If you have assigned event action rules set to one virtual sensor and another rules to another vs:

rules0 - vs0

rules1 - vs1

you must create filter on every rules set to substract some action on whole sensor.

ola · ‎10-28-2009

Hi,

I tried to apply the same filter to both sensors, same result, I still get the alarms.

andrey.dugin · ‎10-28-2009

Sig 2004/0 ICMP Echo Request is disabled by default.

Did you activate the same action in signature action and substract action in the filter?

ola · ‎10-28-2009

I enabled the signature in one sensor and want to filter alarms for one specific ip address.

andrey.dugin · ‎10-28-2009

OK, but, for example, if you activate action "produce verbose alert" in signature but check the action to substract "produce alert" or don't check any filters must not work.

Post the config fragments of signature and of filters here.

ola · ‎10-29-2009

I removed produce alert on the signature.

Enabled it again and then reapplied the filter, and for some reason, it now works. Anyway, thanks for your help.