06-07-2006 06:02 AM - edited 03-10-2019 03:03 AM
Using VMS/IPS MC to add an event action filter. IPS MC requires a victim address in the event action filter, however the alert in Security Monitor has "<na>" as the victim address.
I tried "0.0.0.0 255.255.255.255", which caught the alerts that had victim addresses, but the alerts with victim address of <na> are still being reported.
The signatures are 3250 and 3251 (tcp hijacks).
06-13-2006 06:12 AM
Tune signatures to filter certain addresses from triggering alerts. If you specify IP addresses that are not in a single range, then you'll need to create the filters separately, specifying the IP address ranges where applicable and individual IP addresses where not.
06-15-2006 12:52 PM
This is a good point that Cisco should really take note of.
I cannot remember the details and I don't think that we were able to fully resolve it short of logging just another TAC call, but here is my offering to this thread.
We tuned the signature 3030 to summarize rather than fire all. During the normal triggers the sources are filtered out with the event filter, but as soon as the signature begins to summarize, these events without a definite destination (n/a) appear on the secmon console.
I am aware that it is possible to edit the signature itself to filter specific sources or destinations from triggering events, but I wonder if anyone from Cisco has tried to edit these fields in VMS. Cut and paste just doesn't work here, so if you have a long list of IP addresses to filter on the signature, you have to type each one in, and to make it all more difficult, it has to be done in duplicate, i.e. 10.0.0.1-10.0.0.1,192.168.0.1-192.168.0.1...etc.
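The two posts above describe the same gap from different angles: an address-range filter such as 0.0.0.0-255.255.255.255 never matches an alert whose victim field is "<na>", and per-host entries have to be typed as start-end pairs. The following is an added illustration, not Cisco IPS MC code, of a hypothetical filter evaluator that parses that start-end list format and shows why a missing victim address needs its own handling rather than a wider range.

```python
import ipaddress

NA = "<na>"  # how Security Monitor displays a missing victim address (from the thread)

def parse_ranges(spec):
    """Parse a list such as '10.0.0.1-10.0.0.1,192.168.0.1-192.168.0.1'
    (the start-end-per-entry form described above) into (start, end) integer pairs."""
    ranges = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        lo, _, hi = entry.partition("-")
        lo_ip = ipaddress.IPv4Address(lo.strip())
        hi_ip = ipaddress.IPv4Address(hi.strip()) if hi else lo_ip
        if hi_ip < lo_ip:
            raise ValueError(f"reversed range: {entry}")
        ranges.append((int(lo_ip), int(hi_ip)))
    return ranges

def in_ranges(addr, ranges):
    """True only when addr is a real address inside one of the ranges.
    A missing address ('<na>') can never fall inside an address range, which is
    why an all-addresses victim range still lets those alerts through."""
    if addr is None or addr == NA:
        return False
    n = int(ipaddress.IPv4Address(addr))
    return any(lo <= n <= hi for lo, hi in ranges)

def filter_matches(alert, sig_ids, attacker_spec, victim_spec, victim_required=True):
    """Hypothetical event action filter: signature id, attacker range and victim range.
    With victim_required=False an '<na>' victim imposes no victim constraint, so the
    attacker range alone decides (the behaviour the posters are asking for)."""
    if alert["sig_id"] not in sig_ids:
        return False
    if not in_ranges(alert["attacker"], parse_ranges(attacker_spec)):
        return False
    if alert["victim"] == NA and not victim_required:
        return True
    return in_ranges(alert["victim"], parse_ranges(victim_spec))

# Constructed sample alerts modelled on the thread (summarized alerts carry '<na>').
ALERTS = [
    {"sig_id": 3030, "attacker": "10.0.0.1", "victim": "172.16.5.9"},
    {"sig_id": 3030, "attacker": "10.0.0.1", "victim": NA},
    {"sig_id": 3250, "attacker": "192.168.0.1", "victim": NA},
]

def apply_filter(alerts, **kw):
    """Return the alerts the filter would act on."""
    return [a for a in alerts if filter_matches(a, **kw)]
```

With victim_required left at its default only the alert with a real victim address is caught, matching what the original poster observed; relaxing it catches all three.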
07-09-2006 02:30 AM
marcabal has posted a very good explanation for sig 3030 here:
It may also explain some of the other problems.
I would like to add that
With 3030, it came down to a question of, "is this signature really helping us keep this network secure?" I pulled a lot of hair out over that signature.
08-02-2006 11:22 AM
Craig,
I'm having similar issues with 3030 ever since I started to monitor more interfaces.
Can you think of a case where 3030 is protecting my network? When I first saw it fire I thought of SMTP virus activity or users with unknown departmental email servers. But since I've investigated the cause and effects, the activity appears to be routine web browsing...
Your opinion is appreciated...
07-05-2006 10:40 AM
Getting this a lot with signature 5642 - DirectShow Overflow
Does
07-20-2006 01:20 PM
Anyone have a solution here....we have a lot of signature 3334 from IN to
How do you filter this?