About filter of signature

Unanswered Question
Jul 24th, 2001
We use CSPM(ver2.5i) and CSIDS(ver2.2.1.8) now.

I want to configure a filter for all signatures per source IP address. It looks like we can configure a filter for each signature in CSPM, but we can't filter per source IP address. If it is possible, please tell me how to configure it. Or can this function be fixed by applying a CSPM and CSIDS patch?


marcabal Wed, 07/25/2001 - 07:23
User Badges:
  • Cisco Employee,

This feature is available in the sensor V2.5 and above.

You will need to upgrade to CSPM 2.3.1i and the latest sensor version 2.5(1)S3.

Then use the Epilogue Feature in CSPM to add RecordOfExcludedPattern lines to exclude the signatures that you want.


The Epilogue Feature directions are explained in:

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch06.htm#969006


The RecordOfExcludedPatterns are described in:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids4/11657_02.htm#xtocid2830510


So you could use the Epilogue feature to add the following RecordOfExcludedPatterns for example:

RecordOfExcludedPattern * * 10.1.1.1 *

RecordOfExcludedPattern 2100,3050 * 10.2.2.2,10.2.2.3 10.3.3.0-10.3.3.255


NOTE: Ordinarily this would be done using the AdvancedFilter Tab in the CSPM configuration area, but there is a bug in CSPM that causes a "0" instead of the "*" to be used in the field for the subsignature. Once this is fixed in CSPM then you would be able to use the AdvancedFilter Tab instead of the Epilogue feature to configure the excludes.
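An added example (not part of the original post and not Cisco's code): a small Python checker that parses the two RecordOfExcludedPattern lines from the answer above and reports whether a given alarm would be suppressed, so an exclusion can be reviewed for how much it hides before it is deployed. It assumes the field order SigID, SubSigID, source address, destination address, as the examples suggest; the function names and the matching logic are illustrative, not the sensor's implementation.

```python
import ipaddress

# Assumption: field order is SigID SubSigID SrcAddr DstAddr, as the examples suggest.
FIELDS = ("sig", "subsig", "src", "dst")

def _parse_ids(field):
    """'*' -> None (wildcard); '2100,3050' -> {2100, 3050}."""
    return None if field == "*" else {int(x) for x in field.split(",")}

def _parse_addrs(field):
    """'*' -> None; otherwise a list of inclusive (low, high) address ranges."""
    if field == "*":
        return None
    ranges = []
    for item in field.split(","):
        low, _, high = item.partition("-")
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high or low)
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        ranges.append((lo, hi))
    return ranges

def parse_exclusion(line):
    """Parse one 'RecordOfExcludedPattern ...' line into a dict of matchers."""
    token, *fields = line.split()
    if token != "RecordOfExcludedPattern" or len(fields) != 4:
        raise ValueError(f"not a 4-field RecordOfExcludedPattern line: {line!r}")
    parsers = (_parse_ids, _parse_ids, _parse_addrs, _parse_addrs)
    return {name: p(f) for name, p, f in zip(FIELDS, parsers, fields)}

def is_excluded(rule, sig, subsig, src, dst):
    """True if an alarm with these attributes matches every field of the rule."""
    def id_ok(allowed, value):
        return allowed is None or value in allowed
    def addr_ok(ranges, value):
        ip = ipaddress.IPv4Address(value)
        return ranges is None or any(lo <= ip <= hi for lo, hi in ranges)
    return (id_ok(rule["sig"], sig) and id_ok(rule["subsig"], subsig)
            and addr_ok(rule["src"], src) and addr_ok(rule["dst"], dst))

def broad_fields(rule):
    """Names of wildcarded fields, to flag exclusions that suppress a lot."""
    return [name for name in FIELDS if rule[name] is None]

# The two lines from the answer above.
RULES = [parse_exclusion(l) for l in (
    "RecordOfExcludedPattern * * 10.1.1.1 *",
    "RecordOfExcludedPattern 2100,3050 * 10.2.2.2,10.2.2.3 10.3.3.0-10.3.3.255",
)]
```

Under this matching, a line written with "0" in the subsignature field matches only subsignature 0, which is why the "0" instead of "*" behaviour mentioned in the note changes what gets excluded.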
