I am running 4 Cisco IPS-4255 IPS sensors with Cisco IME 7.2.6.
We would like to block all traffic between 2 IP addresses (22.214.171.124 and 126.96.36.199 for the sake of argument) for the signature TCP Source Port 0 (Sig ID 24199).
I've not been able to figure out how to do this.
So far, the only functions I've found to be similar to what I'm trying to achieve are to set the signature to deny all traffic instead of just the traffic between these IP addresses, or to deny all traffic between these IP addresses regardless of the signature. Neither of these is what we want, as we still want to see the alert trigger for other attacker/victim combinations and other alerts with the same attacker/victim IPs. I've had a fiddle with setting some Event Action Filters but am not sure if these are the way to go.
One thought we've had is to clone the signature in the sig0 policy and amend it for the required attacker and victim IPs. However, we are unsure how this would work with the global sig0 policy.
Can someone please advise if what I want to do is possible on the IME?