help filtering

dmorone
Level 1

Can't stop this false positive. What am I doing wrong with filtering?

We have openview. When it scans the net that the sensor is on, it gives mucho false positives. I set up a sensor filter with CSPM - Filtering/Simple Filtering/Signature 2100 Net sweep-echo Subsig All, specify the IP address, role source, mask/32. OK, Command/Approve now.

I still get alarms with this sig/source IP.

4 Replies

marcabal
Cisco Employee

There is a known bug when selecting "SubSig All" while using Simple Filtering.

The "SubSig All" will ONLY filter a zero "0" subsig.

If your subsig is something other than zero (look in your event viewer), then Simple Filtering won't work for you.

Instead convert your Simple filter to an Advanced Filter. The "SubSig All" will work properly with the Advanced Filter. You can set the destination to be "any" address when creating the Advanced Filter.

Neither works. First off, the subsig is 0, so according to you, simple filtering should work. It doesn't. So I tried advanced, subsig all. Save/Update, Approve. Still the filter doesn't work.

What version of the sensor are you running?

I know some Filtering DDTS Issues have been fixed since the original release of 3.0.

If you are running a version earlier than 3.0(5)S17 then would you be willing to upgrade to Service Pack 3.0(5)S17 to see if the problem is still repeatable?

(If you are running signature update 3.0(5)S18 or 3.0(5)S19 those are fine to use since they rely on 3.0(5)S17 having been installed)

If you continue to experience this issue then please provide the following:

1) Output of "nrvers" on the sensor

2) Output of "grep 2100 /usr/nr/etc/packetd.conf" on the sensor

3) Output of "grep ,2100, /usr/nr/var/log.*" on the sensor

The grep for ,2100, should contain the alarm that you are trying to filter out in order for us to diagnose the problem.
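The diagnostic step above (grep the sensor log for the signature and read off which subsignature the alarm actually carries) can be scripted so the subsig values and source addresses are tallied rather than eyeballed. The following is an added example, not code from the thread or from Cisco; the sample records are constructed, and the comma-separated field layout (field 6 = signature ID, field 7 = subsig, field 8 = source address) is an assumption for illustration only. Real /usr/nr/var/log.* field positions must be confirmed on the sensor before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread). Tallies which subsignatures of a
# given signature ID appear in sensor log records for a given source host,
# so a filter's "SubSig" setting can be checked against the events seen.
#
# ASSUMED record layout (illustration only, verify on the real sensor):
#   field 6 = signature ID, field 7 = subsig, field 8 = source address

# Constructed sample records standing in for `grep ,2100, /usr/nr/var/log.*`.
SAMPLE_LOG='4,10,2001/08/01,12:00:01,10,2100,0,192.168.1.10,10.0.0.5,0,0
4,11,2001/08/01,12:00:02,10,2100,0,192.168.1.10,10.0.0.6,0,0
4,12,2001/08/01,12:00:03,10,2100,1,192.168.1.10,10.0.0.7,0,0
4,13,2001/08/01,12:00:04,10,3001,0,192.168.1.99,10.0.0.5,0,0'

# tally_subsigs SIGID SRC_IP
# Prints one "subsig count" line per subsig seen for that sig/source pair.
tally_subsigs() {
    sig="$1"; src="$2"
    printf '%s\n' "$SAMPLE_LOG" |
        awk -F, -v sig="$sig" -v src="$src" \
            '$6 == sig && $8 == src { n[$7]++ }
             END { for (s in n) print s, n[s] }' | sort
}

# remaining_after_subsig0_filter SIGID SRC_IP
# Shows what a filter that only matches subsig 0 (the Simple Filtering
# behaviour described in the thread) would still let through.
remaining_after_subsig0_filter() {
    tally_subsigs "$1" "$2" | awk '$1 != 0'
}

# Usage (uncomment to run stand-alone):
# tally_subsigs 2100 192.168.1.10
# remaining_after_subsig0_filter 2100 192.168.1.10
```

With the constructed records, the source 192.168.1.10 produces two subsig 0 alarms and one subsig 1 alarm for signature 2100; the second function shows that the subsig 1 alarm is what a subsig-0-only filter would leave unfiltered. On a sensor, replace SAMPLE_LOG with the actual grep output and adjust the field numbers to the real layout.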

OK now. Forgot to do save/update before Approve Now.
