Does anyone know if it is possible to create an event action filter (IPS v5.1.5) that will also suppress summary events? I have a few signatures that I'm filtering, but still regularly see a ridiculously high number of summary events being reported.
If it helps, these tend to be for lower severity traffic that we expect to see to/from certain hosts on our network, but we want to alert on if the traffic starts appearing to/from unexpected hosts.
Complete these steps in order to add, edit, delete, enable, disable, and move event action filters:
Log in to IDM with an account that has administrator or operator privileges.
Choose Configuration > Policies > Event Action Rules > rules0 > Event Action Filters if the software version is 6.x. For the software version 5.x, choose Configuration > Event Action Rules > Event Action Filters.
Look closely at the summary alarms, in particular the source and destination IP addresses... they are often different than the original alarms that you built the filter on. In particular, the victim address is often 0.0.0.0. You'll need to modify the filter (or create a new one) to deal with the specifics of the actual summary alarms.
This is info that I have been given in the past, via this forum. It outlines a particular methodology for tuning a given signature.
0.0.0.0 as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial
alert with full source & target info, and then a follow on summary event (usually for a 30 second window by default) with a
count of how often the source address triggered an event. Since the target could be different in the summary, it display it
This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent 0.0.0.0 as a
target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary
However, in practice, we see summary alerts firing, in accompaniment to initial alerts, where the attacker (source) is the same. Typically, these can be closed, but if they fire in large numbers or in isolation, then you need to do some tweaking?
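An added example, not code from this thread or from Cisco IPS: a small Python model of how an event action filter matches the initial alert versus the follow-on summary alert whose victim is 0.0.0.0, showing why a filter scoped to the expected victim range still lets the summaries through, and why a second filter keyed on the 0.0.0.0 victim (or changing the summary key, as the quoted post says) closes the gap. Signature IDs, addresses, counts and the filter fields are constructed assumptions, not real IDM settings.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Alert:
    sig_id: int
    attacker: str
    victim: str
    summary_count: int = 0   # > 0 marks a summary event (victim is then usually 0.0.0.0)

@dataclass
class Filter:
    """Simplified event action filter: signature + attacker range + victim range."""
    sig_id: int
    attacker_net: str
    victim_net: str          # "0.0.0.0/0" means any victim

    def matches(self, a: Alert) -> bool:
        return (a.sig_id == self.sig_id
                and ip_address(a.attacker) in ip_network(self.attacker_net)
                and ip_address(a.victim) in ip_network(self.victim_net))

def is_summary(a: Alert) -> bool:
    # Summary mode reports a count and (per the thread) a 0.0.0.0 target.
    return a.summary_count > 0 or a.victim == "0.0.0.0"

def apply_filters(alerts, filters):
    """Return the alerts no filter matched, i.e. what the console would still show."""
    return [a for a in alerts if not any(f.matches(a) for f in filters)]

# Constructed sample: an expected host and an unexpected host, each with
# its initial alert followed by a regular-summary alert for the same attacker.
SAMPLE = [
    Alert(2004, "10.1.1.5", "10.2.2.20"),        # expected host, initial alert
    Alert(2004, "10.1.1.5", "0.0.0.0", 47),      # summary for the same attacker
    Alert(2004, "192.0.2.9", "10.2.2.20"),       # unexpected host, initial alert
    Alert(2004, "192.0.2.9", "0.0.0.0", 12),     # summary for the unexpected host
]

# Filter written from the initial alert only: victim range never contains 0.0.0.0.
NARROW = [Filter(2004, "10.1.1.0/24", "10.2.2.0/24")]
# Tuned: add a second filter that matches the summary form for the expected hosts.
TUNED = NARROW + [Filter(2004, "10.1.1.0/24", "0.0.0.0/32")]

if __name__ == "__main__":
    for name, flt in (("narrow", NARROW), ("tuned", TUNED)):
        left = apply_filters(SAMPLE, flt)
        print(name, [(a.attacker, a.victim, is_summary(a)) for a in left])
```

With the narrow filter the expected host's summary alert survives (three alerts shown); with the tuned pair only the unexpected host's two alerts remain, which is the behaviour the original question asks for.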