New Member

AIP SSM-10 policy help

I am modifying one of the policies on the IPS on my 5520 that I just set up.

What I want to do is remove the false negatives coming from the DMZ with signature 3030 (TCP SYN Host Sweep)

I want to filter out the IP range of but I can't make it to accept it.

What do I need to put in the line src-addr-filter to do this? thanks.

New Member

Re: AIP SSM-10 policy help

You should be able to go to event action rules.

add a rule.

include the sig ID 3030.

I typically leave the sub sig to the default (0-255).

the source will be your DMZ network (

The destination will probably be the default (

The next key change will be the actions to subtract. You will want to subtract produce alert (the default action for 3030). Most of the time I subtract all actions. That way if I change a signature later I won't have an unexpected result. For example, say you start blocking attackers that do a TCP SYN sweep (3030). If you only subtract produce alerts, then you might start blocking your DMZ hosts but not produce any alerts.

Lastly, you may want to tune sig 3030. 15 unique SYN packets in 60 seconds is pretty low. I have a sensor set to 30 in 5 seconds.
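The filter described above, expressed on the sensor CLI instead of the IDM GUI, as an added example that is not part of this thread. It assumes a Cisco IPS 6.x-style CLI (verify keyword names against your sensor's version), uses the documentation range 192.0.2.0-192.0.2.255 as a placeholder for the DMZ source addresses, and the filter name `dmz-3030` is arbitrary. Lines starting with `!` are annotations, not commands.

```cisco
! Added example: event action filter for signature 3030 (TCP SYN Host Sweep),
! scoped to traffic whose attacker address falls in the DMZ range.
! 192.0.2.0-192.0.2.255 is a placeholder; substitute your real DMZ range.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# filters insert dmz-3030 begin
sensor(config-eve-fil)# signature-id-range 3030
sensor(config-eve-fil)# subsignature-id-range 0-255
sensor(config-eve-fil)# attacker-address-range 192.0.2.0-192.0.2.255
sensor(config-eve-fil)# victim-address-range 0.0.0.0-255.255.255.255
! Subtract every action rather than produce-alert alone, so a later change to
! the signature (such as adding a deny action) cannot silently block DMZ hosts.
! Extend the list with any further actions your sensor version supports.
sensor(config-eve-fil)# actions-to-remove produce-alert|produce-verbose-alert|request-snmp-trap|log-attacker-packets|log-victim-packets|log-pair-packets|deny-attacker-inline|deny-connection-inline|deny-packet-inline|request-block-host|request-block-connection|reset-tcp-connection
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes
! Confirm the filter was committed to the running configuration.
sensor# show configuration | include dmz-3030
```

Keep `victim-address-range` at the full range so the filter matches the DMZ hosts regardless of what they are sweeping; narrowing the attacker range is what keeps the filter from hiding genuine sweeps originating elsewhere. After applying, check that sig 3030 alerts from non-DMZ sources still appear in `show events`, which confirms the filter is not broader than intended.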

New Member

Re: AIP SSM-10 policy help

thanks, so I went into Event Action Rules, rules0, created a new EVENT ACTION FILTER and followed your instructions to filter out SIGID 3030 when triggered by IP (see attached picture)

looks ok?