Community Member

How to add an Event action filter when victim address is "<na>"?

Using VMS/IPS MC to add an event action filter. IPS MC requires a victim address in the event action filter, however the alert in Security Monitor has "<na>" as the victim address.

I tried "0.0.0.0 255.255.255.255", which caught the alerts that had victim addresses, but the alerts with victim address of <na> are still being reported.

The signatures are 3250 and 3251 (tcp hijacks).

6 REPLIES
Bronze

Re: How to add an Event action filter when victim address is "<na>"?

Tune signatures to filter certain addresses from triggering alerts. If you specify IP addresses that are not in a single range, then you'll need to create the filters separately, specifying the IP address ranges where it applies and individual IP addresses where it does not.

Community Member

Re: How to add an Event action filter when victim address is "<na>"?

This is a good point that Cisco should really take note of.

I cannot remember the details and I don't think that we were able to fully resolve it short of logging just another TAC call, but here is my offering to this thread.

We tuned signature 3030 to summarize rather than fire all. During the normal triggers the sources are filtered out with the event filter, but as soon as the signature begins to summarize, these events without a definite destination (n/a) appear on the SecMon console.

I am aware that it is possible to edit the signature itself to filter specific sources or destinations from triggering events, but I wonder if anyone from Cisco has tried to edit these fields in VMS. Cut and paste just doesn't work here, so if you have a long list of IP addresses to filter on the signature, you have to type each one in, and to make it all more difficult, it has to be done in duplicate, i.e. 10.0.0.1-10.0.0.1,192.168.0.1-192.168.0.1, etc.
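The two behaviours described so far (a 0.0.0.0-255.255.255.255 victim range that still misses alerts whose victim shows as <na>, and the a-a,b-b range-list syntax the signature editor wants) can be reproduced in a small model of the filter matching. This is an added Python example, not Cisco's filter code and not from anyone in this thread: it assumes a filter is a signature set plus attacker and victim range lists, that an absent address never falls inside an IP range (strict matching), and it offers an alternative "treat <na> as matching any victim range" mode purely as a hypothetical to show the difference. The sample alerts are constructed, not sensor output.

```python
import ipaddress

NA = "<na>"  # how SecMon renders an absent victim address in this thread


def parse_range_list(spec):
    """Parse a range list such as '10.0.0.1-10.0.0.1,192.168.0.0-192.168.0.255'
    into a list of (start, end) integer pairs. A bare address is accepted as
    shorthand for 'x-x' (assumption of this model, not stated in the thread)."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_ip = ipaddress.IPv4Address(lo.strip())
        hi_ip = ipaddress.IPv4Address(hi.strip()) if hi else lo_ip
        if hi_ip < lo_ip:
            raise ValueError(f"inverted range: {item}")
        ranges.append((int(lo_ip), int(hi_ip)))
    return ranges


def address_in_ranges(addr, ranges):
    """Strict range match: an absent address (<na>) is inside no range at all,
    which is why a 0.0.0.0-255.255.255.255 victim filter misses those alerts."""
    if addr == NA:
        return False
    n = int(ipaddress.IPv4Address(addr))
    return any(lo <= n <= hi for lo, hi in ranges)


def filter_matches(alert, flt, na_matches_any=False):
    """Apply one event action filter to one alert.
    flt: {'sig_ids': set of ints, 'attacker': range list, 'victim': range list}.
    na_matches_any=True is the hypothetical alternative semantics: a missing
    victim address is treated as matching any victim range."""
    if alert["sig_id"] not in flt["sig_ids"]:
        return False
    if not address_in_ranges(alert["attacker"], parse_range_list(flt["attacker"])):
        return False
    victim = alert["victim"]
    if victim == NA and na_matches_any:
        return True
    return address_in_ranges(victim, parse_range_list(flt["victim"]))


def unfiltered(alerts, flt, **kw):
    """Return the alerts that survive the filter, i.e. are still reported."""
    return [a for a in alerts if not filter_matches(a, flt, **kw)]


def ranges_spec_from_hosts(hosts):
    """Build the 'a-a,b-b' string the signature editor expects from a plain
    host list, collapsing consecutive addresses into a single range so fewer
    entries have to be typed in."""
    nums = sorted({int(ipaddress.IPv4Address(h)) for h in hosts})
    out, i = [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(f"{ipaddress.IPv4Address(nums[i])}-{ipaddress.IPv4Address(nums[j])}")
        i = j + 1
    return ",".join(out)


# Constructed sample alerts modelled on the thread (not real sensor output).
ALERTS = [
    {"sig_id": 3250, "attacker": "10.1.1.5", "victim": "192.168.5.20"},
    {"sig_id": 3251, "attacker": "10.1.1.5", "victim": NA},
    {"sig_id": 3030, "attacker": "10.1.1.9", "victim": NA},
]

# The catch-all filter from the original question, for the TCP hijack sigs.
CATCH_ALL = {
    "sig_ids": {3250, 3251},
    "attacker": "0.0.0.0-255.255.255.255",
    "victim": "0.0.0.0-255.255.255.255",
}

if __name__ == "__main__":
    for a in unfiltered(ALERTS, CATCH_ALL):
        print("still reported (strict):", a)
    for a in unfiltered(ALERTS, CATCH_ALL, na_matches_any=True):
        print("still reported (<na> wildcard):", a)
    print(ranges_spec_from_hosts(["10.0.0.1", "192.168.0.1", "10.0.0.2", "10.0.0.3"]))
```

Under strict matching the 3251 alert with victim <na> survives the catch-all filter exactly as the original poster observed; only the hypothetical wildcard mode suppresses it. The 3030 alert survives in both modes because it is not in the filter's signature set.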

Community Member

Re: How to add an Event action filter when victim address is "<na>"?

marcabal has posted a very good explanation for sig 3030 here:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=EmailAFriend&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd9b49a%2F0#selected_message

It may also explain some of the other problems.

I would like to add that <na> in any field usually means that the signature does not require anything in that field in order to fire, and therefore, it is truly "not applicable". In the referenced post, marcabal indicated that filters should be a little more controllable in version 5.1. However, we haven't upgraded from 5.0 yet so I couldn't confirm that. I would hope that regardless of whether the data is applicable to the signature or not, the sensor would gather and display the information in SecMon.

With 3030, it came down to a question of, "is this signature really helping us keep this network secure?" I pulled a lot of hair out over that signature.

Community Member

Re: How to add an Event action filter when victim address is "<na>"?

Craig,

I'm having similar issues with 3030 ever since I started to monitor more interfaces.

Can you think of a case where 3030 is protecting my network? When I first saw it fire I thought of SMTP virus activity or users with unknown departmental email servers. But since I've investigated the cause and effects, the activity appears to be routine web browsing...

Your opinion is appreciated...

Community Member

Re: How to add an Event action filter when victim address is "<na>"?

Getting this a lot with signature 5642 - DirectShow Overflow.

Does <na> represent a broadcast event? I do not understand the previous post that tries to explain how to filter.... any other thoughts?

Community Member

Re: How to add an Event action filter when victim address is "<na>"?

Anyone have a solution here.... we have a lot of signature 3334 from IN to <na>.

How do you filter this?
