Community Member

AIP-SSM - Disabling a Signature for a specific host

Hi,

I am using an ASA-5510 with AIP-SSM, running 5.1 E1.

I am getting a lot of false positives from one internal host relating to a TCP SYN Sweep.

I would like these not to be logged for this single host, but don't wish to globally disable or retire the signature.

Is this possible and if so, how?

Thanks in advance,

DAVE

3 REPLIES
Community Member

Re: AIP-SSM - Disabling a Signature for a specific host

This is configurable through:

Event Action Rules->Event Action Filters

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmevtrul.htm#wp1082564

-jonathan

Community Member

Re: AIP-SSM - Disabling a Signature for a specific host

Jonathan,

This is what I needed.

Thanks,

DAVE

Re: AIP-SSM - Disabling a Signature for a specific host

Dave, if you want to avoid the false positives for a signature, you can create an event action filter. There you can specify the desired host and which action to filter; in this case you can filter the produce alert action. Please check this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c1.html#wp1063299

I hope it helps
