If the sensor that is generating the events is located outside of your perimeter firewall then I would suggest that you just try to summaries the events. I would not filter the events completely as that would create a false negative situation. The events that you receive are real and therefore you should be collected so that you are able to report statistics if required. I am assuming that the sensor is outside of the firewall. If it isn’t, then you should really investigate why this type of icmp is entering the network. If it is entering, you should make plans for how you can block it.

if you are not interested in stats and only want notification that your systems are trigger the sig you can create 2 rules and a system variable to define your IP network(s).

system variable to define your network(s) with host(s) or networks separated by a ,.

service alarm-channel-configuration virtualAlarm

tune-alarm-channel

systemVariables

USER-ADDRS1 a.b.c.d/24,a.b.c.d

Define the filter for the sig, in this case Nachi

service alarm-channel-configuration virtualAlarm

tune-alarm-channel

EventFilter

Filters DestAddrs * Exception True SIGID 2156 SourceAddrs $USER-ADDRS1 SubSig *

Filters DestAddrs * Exception False SIGID 2156 SourceAddrs * SubSig *

In version 4 the order makes no difference. In version 5 the order must be as shown above. So the first rule will trigger anytime an IP that is part of the defined variable USER-ADDRS1 as the source and the second rule says do not file at all. In effect triggering only when a host(s) in your network is suspected of generating the Nachi. I've used this with other virus an dworm related sigs as well, in particular sigid's 4701 and 4702 MSSQL, when they are seen by the sensor.

I got this from one of the Cisco folks in this forum. I put it in a tuning doc, but can't find the URL on this forum.