How to add an Event action filter when victim address is "<na>"?

tgarma
Level 1

Using VMS/IPS MC to add an event action filter. IPS MC requires a victim address in the event action filter; however, the alert in Security Monitor has "<na>" as the victim address.

I tried "0.0.0.0 255.255.255.255", which caught the alerts that had victim addresses, but the alerts with victim address of <na> are still being reported.

The signatures are 3250 and 3251 (tcp hijacks).
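The mismatch described in this question, as an added example that is not part of the original thread: a filter keyed only on a victim address range never matches an alert whose victim field is the literal "<na>", so those alerts keep being reported. The alert records, the field layout and the two filter predicates are constructed for illustration and do not reproduce IPS MC's internal filter logic.

```python
import ipaddress
from dataclasses import dataclass

NA = "<na>"  # placeholder the sensor reports when a signature records no destination


@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str
    victim: str  # may be "<na>"


# Constructed sample alerts modelled on the symptoms in the thread (not real sensor output).
SAMPLE_ALERTS = [
    Alert(3250, "10.1.1.5", "192.168.10.20"),
    Alert(3250, "10.1.1.6", NA),
    Alert(3251, "10.1.1.7", NA),
    Alert(3251, "10.1.1.8", "192.168.10.21"),
    Alert(5642, "10.1.1.9", NA),
]


def in_range(addr: str, low: str, high: str) -> bool:
    """Address-range match: anything that is not a parseable address never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high)


def filtered_by_range(alert: Alert, sigs: set, low="0.0.0.0", high="255.255.255.255") -> bool:
    """The 0.0.0.0-255.255.255.255 filter from the question: silently misses "<na>" victims."""
    return alert.sig_id in sigs and in_range(alert.victim, low, high)


def filtered_with_na(alert: Alert, sigs: set, low="0.0.0.0", high="255.255.255.255") -> bool:
    """Same filter, but treating the "<na>" marker as an explicit match condition."""
    return alert.sig_id in sigs and (alert.victim == NA or in_range(alert.victim, low, high))


def remaining(alerts, predicate, sigs: set) -> list:
    """Alerts that would still reach the console after applying the filter predicate."""
    return [a for a in alerts if not predicate(a, sigs)]


if __name__ == "__main__":
    for name, pred in (("range only", filtered_by_range), ("range or <na>", filtered_with_na)):
        left = remaining(SAMPLE_ALERTS, pred, {3250, 3251})
        print(f"{name}: {len(left)} alert(s) still reported -> {[a.sig_id for a in left]}")
```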

6 Replies

fmeetz
Level 4

Tune signatures to filter certain addresses from triggering alerts. If you specify IP addresses that are not in a single range, then you'll need to create the filters separately, specifying the IP address ranges where that applies and individual IP addresses where it does not.

darin.marais
Level 4

This is a good point that Cisco should really take note of.

I cannot remember the details and I don't think that we were able to fully resolve it short of logging just another TAC call, but here is my offering to this thread.

We tuned signature 3030 to summarize rather than fire all. During the normal triggers the sources are filtered out with the event filter, but as soon as the signature begins to summarize, these events without a definite destination (n/a) appear on the SecMon console.

I am aware that it is possible to edit the signature itself to filter specific sources or destinations from triggering events, but I wonder if anyone from Cisco has tried to edit these fields in VMS. Cut and paste just doesn't work here, so if you have a long list of IP addresses to filter on the signature, you have to type each one in, and to make it all more difficult, it has to be done in duplicate, i.e. 10.0.0.1-10.0.0.1,192.168.0.1-192.168.0.1...etc.

marcabal has posted a very good explanation for sig 3030 here:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=EmailAFriend&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd9b49a%2F0#selected_message

It may also explain some of the other problems.

I would like to add that in any field usually means that the signature does not require anything in that field in order to fire, and therefore it is truly "not applicable". In the referenced post, marcabal indicated that filters should be a little more controllable in version 5.1. However, we haven't upgraded from 5.0 yet, so I couldn't confirm that. I would hope that regardless of whether the data is applicable to the signature or not, the sensor would gather and display the information in SecMon.

With 3030, it came down to a question of, "is this signature really helping us keep this network secure?" I pulled a lot of hair out over that signature.

Craig,

I'm having similar issues with 3030 ever since I started to monitor more interfaces.

Can you think of a case where 3030 is protecting my network? When I first saw it fire I thought of SMTP virus activity or users with unknown departmental email servers. But since I've investigated the causes and effects, the activity appears to be routine web browsing...

Your opinion is appreciated...

enelson
Level 1

Getting this a lot with signature 5642 - DirectShow Overflow.

Does represent a broadcast event? I do not understand the previous post that tries to explain how to filter... any other thoughts?

Anyone have a solution here... we have a lot of signature 3334 from IN to

How do you filter this?
