IDS 5.x sig tuning event filters still showing in MARS
I have configured an event action filter on the IDS for a signature, and for my actions to subtract I have selected Log Attacker, Victim, and both, produce alert, and produce verbose alert. I am still getting alerts from my MARS box about this signature from the IDS box. Any ideas as to why this is not getting filtered by my IDS?
Re: IDS 5.x sig tuning event filters still showing in MARS
Can you paste a copy of the alert as seen from "show events" on the sensor CLI?
Feel free to replace the IP addresses or other confidential information with XXX when posting the response.
My best guesses are:
1) An SNMP trap is being generated which forces an alert to be produced. If so then you also need to filter the requestSnmpTrap event action.
2) Your filter is not matching on the alert.
a) This can happen when a prior filter is matching the alert and the prior filter has "stop-on-match" set to "True". When set to "True", the "stop-on-match" parameter would prevent any later filters from being checked for that alert.
b) This can also happen when the fields in the alert are not an exact match to those in the filter. This is often the case when the alert is for a sweep of multiple addresses, or when the alert is a Summary alert in which the source or victim addresses and/or ports are not present in the alert (or are marked as 0.0.0.0).
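As an added illustration of the checks in the reply above (this is not part of the original thread, and the command syntax is reproduced from memory of the IPS 5.x CLI, so treat it as an assumption and confirm against your sensor's help output): first look at how the alert actually arrives, then build a filter that also strips request-snmp-trap, is inserted at the front of the filter list so no earlier stop-on-match filter pre-empts it, and uses address ranges that still match when a Summary alert carries 0.0.0.0. The signature ID 2004 and the filter name mars-noise are placeholders to replace with your own.

```cisco
! 1) Inspect the alert the sensor is really emitting (the reply asks for this).
!    Check the actions list and whether attacker/victim show as 0.0.0.0.
sensor# show events alert past 00:30:00

! 2) Add the filter at the BEGINNING of the list so a preceding filter with
!    stop-on-match true cannot stop evaluation before this one is reached.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert mars-noise begin
! Placeholder signature ID; use the ID from the alert seen in step 1.
sensor(config-rul-fil)# signature-id-range 2004
! Full ranges so the filter still matches sweep and Summary alerts whose
! addresses are absent or reported as 0.0.0.0.
sensor(config-rul-fil)# attacker-address-range 0.0.0.0-255.255.255.255
sensor(config-rul-fil)# victim-address-range 0.0.0.0-255.255.255.255
! Remove the alerting actions AND the SNMP trap; a trap left in place
! forces an alert to be produced even when produce-alert is subtracted.
sensor(config-rul-fil)# actions-to-remove produce-alert|produce-verbose-alert|log-attacker-packets|log-victim-packets|log-pair-packets|request-snmp-trap
sensor(config-rul-fil)# filter-item-status Enabled
sensor(config-rul-fil)# stop-on-match false
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes

! 3) Verify the order: the new filter should be listed first.
sensor# show configuration | begin filters
```

If step 1 shows the alert's attacker or victim address as 0.0.0.0 while your existing filter specifies a narrow address range, that mismatch alone explains why MARS still receives the event; widening the range, as above, is what makes the filter apply to the Summary form of the alert.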