help filtering

Apr 2nd, 2002

Can't stop this false positive. What am I doing wrong with filtering?


We have openview. When it scans the net that the sensor is on, it gives mucho false positives. I set up a sensor filter with CSPM - Filtering/Simple Filtering/Signature 2100 Net sweep-echo Subsig All, specify the IP address, role source, mask/32. OK, Command/Approve now.


I still get alarms with this sig/source IP.


marcabal Tue, 04/02/2002 - 08:52
User Badges:
  • Cisco Employee

There is a known bug when selecting "SubSig All" while using Simple Filtering.

The "SubSig All" will ONLY filter a zero "0" subsig.

If your subsig is something other than zero (look in your event viewer), then Simple Filtering won't work for you.


Instead convert your Simple filter to an Advanced Filter. The "SubSig All" will work properly with the Advanced Filter. You can set the destination to be "any" address when creating the Advanced Filter.

dmorone Wed, 04/03/2002 - 13:12
User Badges:

Neither works. First off, the subsig is 0, so according to you, simple filtering should work. It doesn't. So I tried advanced, subsig all. Save/Update, Approve. Still the filter doesn't work.

marcabal Thu, 04/04/2002 - 06:57
User Badges:
  • Cisco Employee

What version of the sensor are you running?

I know some Filtering DDTS Issues have been fixed since the original release of 3.0.


If you are running a version earlier than 3.0(5)S17 then would you be willing to upgrade to Service Pack 3.0(5)S17 to see if the problem is still repeatable?

(If you are running signature update 3.0(5)S18 or 3.0(5)S19 those are fine to use since they rely on 3.0(5)S17 having been installed)


If you continue to experience this issue then please provide the following:

1) Output of "nrvers" on the sensor

2) Output of "grep 2100 /usr/nr/etc/packetd.conf" on the sensor

3) Output of "grep ,2100, /usr/nr/var/log.*" on the sensor


The grep for ,2100, should contain the alarm that you are trying to filter out in order for us to diagnose the problem.




dmorone Thu, 04/04/2002 - 09:13
User Badges:

OK now. Forgot to do save/update before Approve Now.
