How to add an Event action filter when victim address is "<na>"?

Jun 7th, 2006

Using VMS/IPS MC to add an event action filter. IPS MC requires a victim address in the event action filter, however the alert in Security Monitor has "<na>" as the victim address.


I tried "0.0.0.0 255.255.255.255", which caught the alerts that had victim addresses, but the alerts with victim address of <na> are still being reported.


The signatures are 3250 and 3251 (tcp hijacks).

fmeetz Tue, 06/13/2006 - 06:12

Tune signatures to filter certain addresses from triggering alerts. Specify IP addresses that are not on a single range, then you'll need to create the filters separately, specifying the IP address ranges where applicable and individual IP addresses where not.

darin.marais Thu, 06/15/2006 - 12:52

This is a good point that Cisco should really take note of.


I cannot remember the details and I don't think that we were able to fully resolve it short of logging just another TAC call, but here is my offering to this thread.


We tuned the signature 3030 to summarize rather than fire all. During the normal triggers the sources are filtered out with the event filter, but as soon as the signature begins to summarize, these events without a definite destination (n/a) appear on the secmon console.


I am aware that it is possible to edit the signature itself to filter specific sources or destinations from triggering events, but I wonder if anyone from Cisco has tried to edit these fields in VMS. Cut and paste just doesn't work here, so if you have a long list of IP addresses to filter on the signature, you have to type each one in, and to make it all more difficult, it has to be done in duplicate, i.e. 10.0.0.1-10.0.0.1,192.168.0.1-192.168.0.1...etc.

craig.lepchenske Sun, 07/09/2006 - 02:30

marcabal has posted a very good explanation for sig 3030 here:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=EmailAFriend&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd9b49a%2F0#selected_message


It may also explain some of the other problems.


I would like to add that "<na>" in any field usually means that the signature does not require anything in that field in order to fire, and therefore, it is truly "not applicable". In the referenced post, marcabal indicated that filters should be a little more controllable in version 5.1. However, we haven't upgraded from 5.0 yet, so I couldn't confirm that. I would hope that regardless of whether the data is applicable to the signature or not, the sensor would gather and display the information in SecMon.


With 3030, it came down to a question of, "is this signature really helping us keep this network secure?" I pulled a lot of hair out over that signature.

Craig,


I'm having similar issues with 3030 ever since I started to monitor more interfaces.


Can you think of a case where 3030 is protecting my network? When I first saw it fire I thought of SMTP virus activity or users with unknown departmental email servers. But since I've investigated the causes and effects, the activity appears to be routine web browsing...


Your opinion is appreciated...
