Does anyone have a reference for understanding how to create Event Action Filters? I had a filter in place to remove the false positives created by my Proxy servers and the rule has disappeared. I still have the $HTTP_PROXY variable just no rule.
I created a filter to subtract the Produce Alert Action from the 3030 Signature ID matching the $HTTP_PROXY attacker address and keeping the generic victim address. It seems to be working but I am not sure if that is the correct way.
I have also been given recommendations that this is not correct and should use one of the following...
This is my test filter I created without the stop on match checked.
When you added the Filter, did you click Apply and log off gracefully? Are you using VMS with IPS Management - could a lack of syncing VMS with your sensor have caused an overwrite? It might have deleted if your syntax was wrong.
I recommend you remove the public/private IP addresses of your proxy server from your original post - you've just identified a key component of your security infrastructure.
You want stop on match checked if you don't want any more precise filters to override your first filter. Your victim address range should be 0.0.0.0-255.255.255.255.
Create your rule using the GUI - save - then go back to the CLI and copy the text version. You can then use that as a template for future rules. I personally prefer the GUI for something as complex as that.
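For reference, here is the text form of the filter described in this thread as an added example, not a configuration posted by anyone in the thread: a Cisco IPS 5.x/6.x event action filter that removes only the produce-alert action for signature 3030 when the attacker address is the proxy variable, with the full victim range and stop-on-match set as recommended above. The filter name `proxy-3030-noalert` and the `$HTTP_PROXY` variable value are assumptions.

```text
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! variable value below is a placeholder; use the real proxy address(es)
sensor(config-eva)# variables HTTP_PROXY address 10.0.0.1
sensor(config-eva)# filters insert proxy-3030-noalert begin
sensor(config-eva-fil)# signature-id-range 3030
sensor(config-eva-fil)# attacker-address-range $HTTP_PROXY
sensor(config-eva-fil)# victim-address-range 0.0.0.0-255.255.255.255
sensor(config-eva-fil)# actions-to-remove produce-alert
sensor(config-eva-fil)# stop-on-match true
sensor(config-eva-fil)# exit
sensor(config-eva)# exit
Apply Changes?:[yes]
sensor(config)# exit
sensor# show configuration | include filters
```

Scoping the filter to signature 3030 and the proxy address only means any other signature or source still alerts; a filter with an empty signature range would silence everything from the proxy, which is the usual mistake to check for when a filter looks too quiet.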
I created the original filter via the GUI but I guess was just a little impatient in waiting for it to fire. While I was waiting I went ahead and pasted the recommended filter onto the CLI and did the apply but I had to reload the sensor to get it to appear in the list. That is when I noticed that both my original and the recommended solutions were basically the same.
I am not using the VMS as I only have one sensor. Am I losing something by not using it?
I do like the GUI interface better than the CLI as it makes adding and changing things easier. Now I just need to learn and understand everything that is in the event log.
I thought about pulling the IP addresses but the message was already permanent when I came back to change it.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...