Cisco Support Community
Community Member

How to add an alert filter in ipsmc for version 5 signatures

I am trying to understand how event or alert filters work in version 5.x. If I use VMS ipsmc to manage the sensors, how do you add a sensor filter for a particular event that we do not want to see appear in the SecMon console any more?

It looks like you have one of two options; however, I am not sure of the method to follow. You could edit the signature itself, or it seems that you must use “Configuration Settings > Event Actions (IPS 5.x) > SigEvent Action Filters”.

I would like to create a filter from any to a single address host IP address but when I select the add button, I only have the option to specify a range of addresses. Do I just enter the single address in the start field and then leave the finish field blank?

The filter should “not alert” or “take any action”. How do I exclude certain destination or source IPs from producing an alert?

Community Member

Re: How to add an alert filter in ipsmc for version 5 signatures

We are still trying to get this filter to work. Can anybody give us an example of how it should look on the sensor?

The sensor filter that we would like to create should “exclude” any source IP, any source port to specific destination hosts on all destination ports (icmp has none) from capturing events and storing them in the event store on the sensor.

This is the filter that we have so far on the sensor. What’s the problem with it?

    ! ------------------------------
    service event-action-rules rules0
    filters edit icmp-w-echo-filter-sensor-sensor-0-D
    signature-id-range 2100
    subsignature-id-range 0-255
    victim-address-range a.b.c.x,a.b.c.y
    attacker-port-range 0-65535
    victim-port-range 0-65535
    risk-rating-range 0-100
    no actions-to-remove
    deny-attacker-percentage 100
    filter-item-status Enabled
    stop-on-match False
    no user-comment
    filters move icmp-w-echo-filter-sensor-sensor-0-D begin



Re: How to add an alert filter in ipsmc for version 5 signatures

I don't normally look at the config file via the CLI, but I suspect it has something to do with "no actions-to-remove". You should have some actions in there, at least "product-alert". Here is what shows up in a "sh conf" for one of my filters:

    filters edit Q00013
    signature-id-range 6508
    attacker-port-range 53
    actions-to-remove request-block-connection|request-block-host|deny-attacker-inline|deny-packet-inline|deny-connection-inline|log-attacker-packets|log-victim-packets|log-pair-packets|reset-tcp-connection|produce-alert|produce-verbose-alert|request-snmp-trap
    user-comment sigs to ignore if src port = 53 (dns reply)
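An added example, not part of any post in this thread: a small Python check that parses "filters edit" blocks from a sensor configuration and reports, following the reply above, whether each filter's actions-to-remove list actually strips the alert actions. The sample configuration is constructed from the two filters quoted in the thread (shortened), and the function names are hypothetical.

```python
import re

# Constructed sample based on the thread's two filters (addresses are placeholders).
SAMPLE_CONFIG = """\
service event-action-rules rules0
filters edit icmp-w-echo-filter-sensor-sensor-0-D
signature-id-range 2100
victim-address-range a.b.c.x,a.b.c.y
no actions-to-remove
filters edit Q00013
signature-id-range 6508
attacker-port-range 53
actions-to-remove produce-alert|produce-verbose-alert|request-snmp-trap
user-comment sigs to ignore if src port = 53 (dns reply)
"""

ALERT_ACTIONS = {"produce-alert", "produce-verbose-alert"}

def parse_filters(text):
    """Return {filter_name: {option: value}} for each 'filters edit' block."""
    filters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"filters edit (\S+)$", line)
        if m:
            current = filters.setdefault(m.group(1), {})
        elif line.startswith(("filters move", "service ", "exit")):
            current = None  # left the filter block
        elif current is not None:
            negated = line.startswith("no ")  # 'no <option>' means unset
            key, _, value = (line[3:] if negated else line).partition(" ")
            current[key] = None if negated else value.strip()
    return filters

def audit(filters):
    """Map each filter name to a finding about its alert suppression."""
    findings = {}
    for name, opts in filters.items():
        removed = set((opts.get("actions-to-remove") or "").split("|")) - {""}
        if not removed:
            findings[name] = "removes no actions: matching events still alert"
        elif not removed & ALERT_ACTIONS:
            findings[name] = "removes actions but not alerts"
        else:
            findings[name] = "suppresses: " + ", ".join(sorted(removed & ALERT_ACTIONS))
    return findings
```

Calling audit(parse_filters(SAMPLE_CONFIG)) flags the ICMP filter as removing no actions and shows Q00013 suppressing both alert actions.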

