Cisco Support Community

New Member

IDS 5.x sig tuning event filters still showing in MARS

I have configured an event action filter on the IDS for a signature, and for my actions to subtract I have selected Log Attacker, Victim, and both, produce alert, and produce verbose alert. I am still getting alerts from my MARS box about this signature from the IDS box. Any ideas as to why this is not getting filtered by my IDS?

2 REPLIES
Cisco Employee

Re: IDS 5.x sig tuning event filters still showing in MARS

Can you paste a copy of the alert as seen from "show events" on the sensor CLI?

Feel free to replace the IP addresses or other confidential information with XXX when posting the response.

My best guesses are:

1) An SNMP trap is being generated which forces an alert to be produced. If so then you also need to filter the requestSnmpTrap event action.

2) Your filter is not matching on the alert.

a) This can happen when a prior filter is matching the alert and the prior filter has "stop-on-match" set to "True". When set to "True" the "stop-on-match" parameter would prevent any later filters from being checked for that alert.

b) This can also happen when the fields in the alert are not an exact match to those in the filter. This is often the case when the alert is for a sweep of multiple addresses, or if the alert is a Summary alert where the source or victim addresses and/or ports are not in the alert (or are marked as 0.0.0.0).
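The three failure modes in the reply above (a still-enabled requestSnmpTrap, an earlier filter with stop-on-match, and a Summary alert whose addresses are 0.0.0.0 and so fall outside any filter range) can be reproduced with a small model of ordered filter processing. This is an added illustration, not sensor code; the action names, the 0.0.0.0 handling and the rule that requestSnmpTrap still yields an alert are assumptions taken from the thread.

```python
"""Model of IPS 5.x event-action-filter processing (assumed semantics, not sensor code)."""
import ipaddress
from dataclasses import dataclass

# Any of these surviving the filters means MARS still receives an alert (assumed).
ALERT_ACTIONS = {"produceAlert", "produceVerboseAlert", "requestSnmpTrap"}

@dataclass
class Alert:
    sig_id: int
    attacker: str   # "0.0.0.0" when a Summary/sweep alert carries no real address
    victim: str
    actions: set

@dataclass
class EventActionFilter:
    sig_id: int
    attacker_range: str          # CIDR the attacker address must fall inside
    victim_range: str
    actions_to_subtract: set
    stop_on_match: bool = False  # True: later filters are not checked for this alert

def filter_matches(flt, alert):
    # Every field must match exactly; 0.0.0.0 never falls inside a real address range.
    return (flt.sig_id == alert.sig_id
            and ipaddress.ip_address(alert.attacker) in ipaddress.ip_network(flt.attacker_range)
            and ipaddress.ip_address(alert.victim) in ipaddress.ip_network(flt.victim_range))

def apply_filters(filters, alert):
    """Walk the filter list in order and return the actions that remain."""
    remaining = set(alert.actions)
    for flt in filters:
        if not filter_matches(flt, alert):
            continue
        remaining -= flt.actions_to_subtract
        if flt.stop_on_match:
            break
    return remaining

def alert_reaches_mars(remaining):
    # requestSnmpTrap forces an alert even when produceAlert was subtracted.
    return bool(remaining & ALERT_ACTIONS)

if __name__ == "__main__":
    full = {"produceAlert", "produceVerboseAlert", "logAttackerPackets", "requestSnmpTrap"}
    subtract = {"produceAlert", "produceVerboseAlert", "logAttackerPackets"}
    alert = Alert(2000, "10.1.2.3", "10.9.9.9", full)            # constructed sample
    poster = EventActionFilter(2000, "10.0.0.0/8", "0.0.0.0/0", subtract)
    print(alert_reaches_mars(apply_filters([poster], alert)))    # True: SNMP trap not subtracted
    fixed = EventActionFilter(2000, "10.0.0.0/8", "0.0.0.0/0", subtract | {"requestSnmpTrap"})
    print(alert_reaches_mars(apply_filters([fixed], alert)))     # False
```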

New Member

Re: IDS 5.x sig tuning event filters still showing in MARS

I will try the requestSNMPTrap event action to be subtracted as well. When I run the sh events, I get....

Wood_IDS01# sh events
Could not subscribe to events: out of subscriptions
Please try again later

As far as a) and b) from above I don't think they are matching any other alert, and I have a broad range of addresses for this filter, and the ones being hit are in the range.
