Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

filtering the sweep signatures


I'm wondering if somebody is using the filters to get get rid of the logging for the antivirus updates. Usually the antivirus updates cause the signature 2100 to fire.

IPS configuration guide says:

When filtering sweep signatures we recommend, that you do not use the destination address. If they are several destination addresses, only the last address is used for matching the filter.

I'm kind of learning IPS by trial and error in the test environment. Maybe somebody can share the experience from the real production environment.



Re: filtering the sweep signatures

You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters. For the procedure on how to configure event action variables, see the Adding, Editing, and Deleting Event Action Variables section in the below URL:

New Member

Re: filtering the sweep signatures

Thanks, but it looks like it doesn't work for signature 2100

LAN workstation are trying to go the different addresses on the internet let's say for the avast update. I can not have a variable set up by the dns name only by IP.

Re: filtering the sweep signatures

The configuration guide reads that event action filters cannot be used for sweep signatures, but I've configured them on production IDSM-2s without any issues at all. You can also use the source/destination fields in the signature itself.

However you cannot use hostnames (and let the IPS resolve IPs for you). You have to use IPs. If the hostname maps to multiple IPs, you have to list all of them (using commas).

Just make sure you put RANGES in the event action filter and not individual IPs. e.g.,

You can also keep the destination IP address field as a wilrdcard (default).