You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters. For the procedure on how to configure event action variables, see the Adding, Editing, and Deleting Event Action Variables section in the below URL:
The configuration guide reads that event action filters cannot be used for sweep signatures, but I've configured them on production IDSM-2s without any issues at all. You can also use the source/destination fields in the signature itself.
However, you cannot use hostnames (and let the IPS resolve IPs for you). You have to use IPs. If the hostname maps to multiple IPs, you have to list all of them (using commas).
Just make sure you put RANGES in the event action filter and not individual IPs. e.g.
You can also keep the destination IP address field as a wildcard (default).