Cisco Support Community

New Member

Excluding Destination IP addresses from a v5.x IPS Signature

"Customer is running VPN/Security Management Solution (VMS) 2.3 on Windows and Management Center for IDS Sensors. These manage 4240 IPS Sensors that have recently been upgraded from running Cisco Intrusion Prevention System Release 4.x to v5.x.

Customer problem:

They want to exclude a destination IP address from a specific signature. Using an IPS loaded with V4 settings there was a place to do this within Management Center products such as VPN/Security Management Solution (VMS) 2.3 on Windows and/or Management Center for IDS Sensors, but they cannot achieve this since they have upgraded to Release v5.x.

The customer has stated that the following link was how this could be achieved in Management Center for IDS Sensors 2.0 for IDS sensors running Release v4.x:

<http://www.cisco.com/en/US/customer/products/sw/cscowork/ps3990/products_user_guide_chapter09186a008031b030.html>

They need to know how to do this for managing IPS sensors with release v5. To them it looks like the filter (4.x) is the tool to use if you had a v4 sensor. In v5 this option is not there.

If anyone could inform us how to exclude a destination IP address from a specific signature on a v5 sensor using a Management Center solution such as VPN/Security Management Solution (VMS) 2.3 on Windows or Management Center.

Thanks for any help.

6 REPLIES
New Member

Re: Excluding Destination IP addresses from a v5.x IPS Signatur

New Member

Re: Excluding Destination IP addresses from a v5.x IPS Signatur

Good afternoon.

How can you specify multiple hosts within this? Example, say I wanted to filter event notification of a specific signature from host 10.10.10.10 and 10.10.10.15, not a range, but specific hosts. I could obviously add 2 separate EAFs, but we are limited to only 12 of these per sensor. With the older version we could do this quite simply and we were not limited to only 12 filters.

Any way around this 12 rule limitation? Means we need to be VERY selective on what to filter.

Please advise.

Thanks,

-Brian

Silver

Re: Excluding Destination IP addresses from a v5.x IPS Signatur

To accomplish this, just use commas to separate the different IPs on a single filter....

New Member

Re: Excluding Destination IP addresses from a v5.x IPS Signatur

I am having issues excluding attacker and victim addresses with false positives. I guess my question would be in the Signature Event Action Filters Table, when I create a new filter, what is the action that causes these filters to not show up in our event monitor? Is it the Stop on Match? Option or the Enable Action option?

Any help would be appreciated.

Thanks

Dwane

Gold

Re: Excluding Destination IP addresses from a v5.x IPS Signatur

Event action filters are used to subtract actions and they are processed sequentially, sorta like an ACL. So if the default action for a signature is to "produce alert", you could create an event filter that only subtracts the "produce alert" action. Stop on match refers to whether subsequent event filters should be applied. I haven't played with it much, but here's a theoretical example:

Let's say the signature above has the "deny inline" and "produce alert" actions. You have a filter to subtract the "produce alert" action for just that sigid. Next you have an event filter that subtracts the "deny inline" action for a range of signatures, including the one above. If the 1st event filter has "stop on match" enabled, then the second filter will not get applied and the "deny inline" action will be performed.
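
The filter processing described in the reply above, together with the comma-separated host list from the earlier reply, as a small Python model. This is an added example, not part of the thread and not Cisco's implementation; the signature ID 60000, the filter names and the `lo-hi` range syntax are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class EventActionFilter:
    name: str                    # hypothetical filter name
    sig_ids: range               # signature IDs the filter applies to
    victims: str                 # comma-separated hosts and/or lo-hi ranges
    subtract: frozenset          # actions removed when the filter matches
    stop_on_match: bool = False  # if True, later filters are skipped


def addr_matches(spec: str, addr: str) -> bool:
    """True if addr is one of the listed hosts or falls inside a listed range."""
    a = ip_address(addr)
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if ip_address(lo) <= a <= ip_address(hi or lo):
            return True
    return False


def apply_filters(filters, sig_id, victim, actions):
    """Walk the filters in order (like an ACL), subtracting actions on each match."""
    remaining = set(actions)
    for f in filters:
        if sig_id in f.sig_ids and addr_matches(f.victims, victim):
            remaining -= f.subtract
            if f.stop_on_match:
                break
    return remaining


def demo(stop_on_match: bool, victim: str):
    """Constructed scenario: signature 60000 fires with both actions configured."""
    filters = [
        # One filter covers two specific hosts, so it uses a single filter slot.
        EventActionFilter("no-alert-two-hosts", range(60000, 60001),
                          "10.10.10.10,10.10.10.15",
                          frozenset({"produce alert"}), stop_on_match),
        EventActionFilter("no-deny-sig-range", range(60000, 60011),
                          "0.0.0.0-255.255.255.255",
                          frozenset({"deny inline"})),
    ]
    return apply_filters(filters, 60000, victim, {"produce alert", "deny inline"})


if __name__ == "__main__":
    print(demo(True, "10.10.10.10"))   # first filter stops processing
    print(demo(False, "10.10.10.10"))  # both filters subtract
    print(demo(False, "10.10.10.12"))  # host not listed in the first filter
```

In this model, a host that is missing from the first filter's list still produces alerts, which is the thing to check when a filtered false positive keeps appearing in the event monitor.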

New Member

Re: Excluding Destination IP addresses from a v5.x IPS Signatur

What is simply the easiest way to exclude a device on our network from even being recorded in VMS? Is excluding the IP address from the alert from the signature action the best possible way to do this?

Thank you
