Filtering an Entire Subnet

crossmanj
Level 1

My external sensors for one network are placed at the external router. This sensor sees traffic for two /23 subnets. I would like to filter either all inbound traffic, or if necessary, all traffic to the second subnet. Outbound traffic might still be nice for Acceptable-Use violations, but I don't want to see any of the inbound traffic for the second subnet.

Now then, how to do this? If I go into my 2.2.2 Director, I can go to excluded subnets, but there I must add a Sig, Sub-sig pair to the subnet. Does this mean that I must place an entry for every possible sig, sub-sig pair? Or is there a wild-card that can be used to match all sigs and sub-sigs? BTW, this would also be nice for other filters where I have to add a line for every possible sub-sig for a sig like packet fragmentation. (I have one server that uses fragmentation, and I keep having to add filters to catch lesser-used sub-sigs.)

As always, I am so grateful to y'all for your help....

4 Replies

marcabal
Cisco Employee

Upgrade your director to version 2.2.3. It is on CCO.

Once you've upgraded you can go to the new Filter tab.

The new filter tab has the ability to filter all signatures or groups of signatures to and from addresses or groups of addresses.

You can even select Internal or External (IN/OUT) instead of having to list all of your Internal or External addresses.

You can also wildcard the subsignature field (All SubSignatures) instead of having to list each subsignature independently.

The new filter tab was designed for 3.0 sensors and will likely work for 2.5 sensors as well. There may be issues with older 2.2.1 sensors. (I've only tested it with 3.0 sensors.)

I am sure that the new filter tab will allow you to do what you are asking. But feel free to respond if you need help with the new filter tab.

Hi,

my SigSettings.conf looks like this:

...

RecordOfExcludedPattern 3050 80 172.168.1.1 *

...

Nevertheless I get alerts "Half-open Syn" with signature id 3050 and destination port 80!

Any ideas?

Thanks,

Rene

rene.kodicek@sbs.at

Upgrade to 2.2.3 on the director and 3.0(1)S4 on the sensor.

The new 2.2.3 Unix Director allows you to exclude (or even include, which is a new feature in 3.0 that overrides excludes) with the use of wildcards.

You can exclude all signatures, or exclude all subsignatures for a given set of signatures.

You can also use the keyword IN to filter on all Protected Networks, or the keyword OUT to filter on all addresses outside the Protected Networks. These 2 new keywords can be used for either the source and/or destination addresses in your filter.

I think once you've upgraded to 2.2.3 and the 3.0 sensor then you will be able to do everything you requested in your post.
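To make the filter semantics in the reply above concrete (wildcard signature and subsignature fields, the IN/OUT keywords resolved against the Protected Networks, and an include overriding an exclude), here is an added toy evaluator. It is not Cisco's code and the rule layout is my own assumption, not the Director's SigSettings.conf syntax; the protected networks, addresses and alerts are constructed sample values.

```python
# Added example: toy evaluator for exclude/include filter rules with wildcards
# and IN/OUT keywords. Rule format is an assumption for illustration only.
import ipaddress

# Constructed: the two /23 subnets the sensor watches (RFC 5737 documentation space)
PROTECTED = [ipaddress.ip_network("192.0.2.0/23"),
             ipaddress.ip_network("198.51.100.0/23")]

# Constructed rules: (action, sig, subsig, src, dst)
# - suppress every signature for inbound traffic to the second /23
# - but keep seeing sig 3050 (any subsig) aimed at one host there
RULES = [
    ("exclude", "*", "*", "OUT", "198.51.100.0/23"),
    ("include", "3050", "*", "*", "198.51.100.10"),
]

def addr_matches(spec, addr, protected=PROTECTED):
    """spec is an IP, a CIDR, '*', 'IN' (inside protected nets) or 'OUT'."""
    ip = ipaddress.ip_address(addr)
    inside = any(ip in net for net in protected)
    if spec == "*":
        return True
    if spec == "IN":
        return inside
    if spec == "OUT":
        return not inside
    return ip in ipaddress.ip_network(spec, strict=False)

def field_matches(spec, value):
    """'*' wildcards a signature or subsignature id; otherwise exact match."""
    return spec == "*" or int(spec) == int(value)

def rule_matches(rule, alert):
    _, sig, subsig, src, dst = rule
    return (field_matches(sig, alert["sig"]) and field_matches(subsig, alert["subsig"])
            and addr_matches(src, alert["src"]) and addr_matches(dst, alert["dst"]))

def is_filtered(rules, alert):
    """True if the alert is suppressed. A matching include overrides any exclude."""
    matched = [r for r in rules if rule_matches(r, alert)]
    if any(r[0] == "include" for r in matched):
        return False
    return any(r[0] == "exclude" for r in matched)

if __name__ == "__main__":
    inbound = {"sig": 2151, "subsig": 0, "src": "203.0.113.5", "dst": "198.51.100.7"}
    print("inbound to second /23 filtered:", is_filtered(RULES, inbound))
```

Because the exclude's source is OUT, outbound traffic from the second /23 still produces alerts, which is what the original question asked for.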

I'm sure I have the right versions:

idsvers on the director:

>idsvers

Application Versions for Director.Siemens

The version of the signature update currently installed is: S7

postofficed v2.2.1.1 (release) 00/10/03-13:29

loggerd v2.2.1 (release) 99/07/19-20:15

configd v2.2.1 (release) 99/07/19-20:10

sapd v2.2.1.1 (release) 00/03/31-17:56

fileXfer v2.2.1 (release) 99/07/19-20:22

smid v2.2.1.1 (release) 01/03/21-14:53

and on the sensor:

>idsvers

Application Versions for DMZ.Siemens

The Version of the Sensor is: 3.0(1)S7

postoffice v175 (Release) 01/07/11-21:50

logger v175 (Release) 01/07/11-21:49

sap v175 (Release) 01/07/11-21:50

fileXfer v175 (Release) 01/07/11-21:48

sensor v175 (Release) 01/07/11-15:33