
3111 alarm

r.zekic
Level 1

How to exclude 3111 alarms? Tried the normal way, but could not find the 3111 alarm in the alarm list.

It is for the Sircam worm. Our SMTP server is a Unix box, and the amount of 3111 alarms is more than overwhelming. Sensors are 3.0(2) S10, Director is 2.2.3.

thanks,

ross

4 Replies

marcabal
Cisco Employee

The method depends on the management platform.

For CSPM use the Advanced Filter Tab, and for nrConfigure use the Filter tab.

Be sure to have the latest signature update loaded on both the sensors as well as the management stations. Without it on the management station the management station won't know how to exclude it.

In a worst case scenario you can:

1) If using nrConfigure, manually add the following line to the bottom of packetd.conf on the sensor

then double click on the sensor in nrConfigure

download the changed packetd.conf file with the change

then apply the same version in order to have the sensor read the configuration.

RecordOfExcludedPattern 3111 * *

example:

RecordOfExcludedPattern 3111 * * 10.10.10.10

2) If using CSPM then place the above line in the Epilogue field, update the database, and approve the configuration. Items in the Epilogue will be added to packetd.conf.

If you just want to turn the signature off then

1) If using nrConfigure set the severity level of the sig to 0

2) If using CSPM disable the signature by removing the enable checkmark

r.zekic
Level 1

Hi All,

It's me again. Can anyone help me in finding the way to exclude alarm 3111 using UNIX Director, HP OpenView GUI? I do not use CSPM for NT. Is this some sort of bug or problem in the software so it does not see all signatures?

thanks,

ross

This may be an issue with the software.

I would recommend calling the TAC so they can enter a bug.

As a workaround try entering a RecordOfExcludedPattern line directly in packetd.conf:

Format: RecordOfExcludedPattern

So to exclude 3111 with multiple destination addresses:

RecordOfExcludedPattern 3111 * * 10.1.1.1,10.1.1.5,10.1.1.6

Or for an entire network:

RecordOfExcludedPattern 3111 * * 10.1.1.1-10.1.1.255

Then next time you open the sensor in nrConfigure it should ask to download the new packetd.conf file.

Answer yes.

nrConfigure should read in the new line and repeat in all future changes to packetd.conf, though I have not tested to verify it.
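An added example, not written by any poster in this thread and not Cisco code: a small Python audit that parses the RecordOfExcludedPattern lines quoted above, answers whether a given alarm would be suppressed, and lists exclusions whose destination scope is wider than intended. The field order (signature ID, sub-signature, source, destination), the matching semantics, and the function names are assumptions inferred from the thread's examples; the sample input is constructed from those same lines.

```python
import ipaddress

KEYWORD = "RecordOfExcludedPattern"

# Constructed sample: the three exclusion lines quoted in this thread.
SAMPLE = "\n".join([
    "RecordOfExcludedPattern 3111 * * 10.10.10.10",
    "RecordOfExcludedPattern 3111 * * 10.1.1.1,10.1.1.5,10.1.1.6",
    "RecordOfExcludedPattern 3111 * * 10.1.1.1-10.1.1.255",
])

def _ip(text):
    return int(ipaddress.IPv4Address(text.strip()))

def parse_addr_spec(spec):
    """Turn '*', 'a', 'a,b,c' or 'a-b' into a list of (low, high) integer ranges."""
    if spec == "*":
        return [(0, 2**32 - 1)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        low = _ip(lo)
        high = _ip(hi) if hi else low
        if high < low:
            raise ValueError(f"reversed range: {part}")
        ranges.append((low, high))
    return ranges

def parse_exclusions(conf_text):
    """Assumed field order: signature ID, sub-signature, source, destination."""
    rules = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] != KEYWORD:
            continue
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 4 fields after {KEYWORD}")
        rules.append({"line": lineno, "sig": fields[1],
                      "src": parse_addr_spec(fields[3]),
                      "dst": parse_addr_spec(fields[4])})
    return rules

def _covers(ranges, addr):
    return any(low <= addr <= high for low, high in ranges)

def is_excluded(rules, sig, src, dst):
    """True if an alarm with this signature, source and destination is suppressed."""
    return any(r["sig"] == str(sig) and _covers(r["src"], _ip(src))
               and _covers(r["dst"], _ip(dst)) for r in rules)

def broad_rules(rules, max_hosts):
    """Line numbers of rules whose destination spans more than max_hosts addresses."""
    return [r["line"] for r in rules
            if sum(high - low + 1 for low, high in r["dst"]) > max_hosts]
```

Running `broad_rules` against the sensor's packetd.conf after each change shows when an exclusion meant for one SMTP server has grown to cover a whole network.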

ekrishna
Level 1

The Signature 3111 is in the filter but it is not in the order.

You could see the 3111 signature next to 3992 or above the 4000 signature.