03-09-2007 08:34 AM - edited 03-10-2019 03:30 AM
We upgraded one of our sensors to 6.0(1)E1 and now we are seeing extremely high alerts on this particular signature. The signature is NOT set to alert. Any ideas on what we can do to stop the alert other than filter something that should not need filtering?
Thanks,
03-09-2007 11:38 AM
It's actually one of the more common oversights....
03-09-2007 11:15 AM
Do you have an event action override installed on the system to generate an alert for a risk rating (RR) greater than some value? If so, then even signatures that are set to "no action" will get the override applied if their resultant RR satisfies the override criteria.
If this is the case, then you have several options...you can adjust the override to raise the minimum RR value that triggers the override, or you can tune the signature to lower its effective RR. The latter can be accomplished by lowering either its Severity level (info, low, medium, high, etc.) or its Fidelity value.
The signature helps address some covert channels used by some exploit software.
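To make the override behaviour concrete, here is a small model of how the Cisco IPS 6.x risk rating is derived and how an event action override is layered on top of a signature's own (possibly empty) action list. This is an added example written for this thread, not code or configuration from Cisco or from the original posters. The formula (attack severity x target value x fidelity / 10000, plus attack relevancy, minus promiscuous delta) and the severity/target-value constants follow the documented risk-rating calculation as I understand it; the signature ID, fidelity and override ranges are constructed placeholders, and the helper names are my own.

```python
# Added example: model of Cisco IPS 6.x risk rating and event action overrides.
# Not from the thread or from Cisco; constants are the documented rating
# values as understood by the author of this example, sample data is constructed.
from dataclasses import dataclass

# Attack Severity Rating (ASR) values per signature severity level.
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating (TVR) values per target asset classification.
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                "mission-critical": 200}


@dataclass
class Signature:
    sig_id: str            # constructed placeholder, not a real signature number
    severity: str          # key into ATTACK_SEVERITY
    fidelity: int          # Signature Fidelity Rating (SFR), 0-100
    actions: tuple = ()    # the signature's own action list; () means "no action"


def risk_rating(sig, target_value="medium", relevancy=0, promisc_delta=0):
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD, clamped to 0-100."""
    asr = ATTACK_SEVERITY[sig.severity]
    tvr = TARGET_VALUE[target_value]
    rr = (asr * tvr * sig.fidelity) / 10000 + relevancy - promisc_delta
    return max(0, min(100, round(rr)))


def effective_actions(sig, overrides, **rr_kwargs):
    """Return (RR, actions) after applying overrides of the form
    (action, min_rr, max_rr). Overrides ADD actions; they never consult
    whether the signature itself was configured to alert."""
    rr = risk_rating(sig, **rr_kwargs)
    actions = set(sig.actions)
    for action, lo, hi in overrides:
        if lo <= rr <= hi:
            actions.add(action)
    return rr, sorted(actions)


if __name__ == "__main__":
    # Constructed signature: high severity, fidelity 85, no action configured.
    sig = Signature("SIG-ID-PLACEHOLDER", "high", 85)

    # The override described in the thread: produce-alert for RR 0-100.
    catch_all = [("produce-alert", 0, 100)]
    print("0-100 override:", effective_actions(sig, catch_all))

    # Option 1 from the answer: raise the override's minimum RR.
    tightened = [("produce-alert", 60, 100)]
    print("60-100 override:", effective_actions(sig, tightened))

    # Option 2 from the answer: tune the signature's fidelity (or severity)
    # so its effective RR drops below the override threshold.
    tuned = Signature("SIG-ID-PLACEHOLDER", "high", 50)
    print("tuned fidelity, 60-100 override:", effective_actions(tuned, tightened))
```

Run as a script, the first line shows the 0-100 override attaching `produce-alert` even though the signature's own action list is empty, which is exactly the symptom in the original question; the remaining lines show the two fixes from the answer, and make the point that with a 0-100 range no amount of signature tuning can avoid the alert, so the override range itself is the first thing to check.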
03-09-2007 11:28 AM
You are correct...there was an event action override to alert 0-100.
I thought this was removed by the other analyst and was thrown by the new alerts coming in from 6.0 but not triggered in 5(4).
Thanks....feeling sheepish now.
03-09-2007 11:25 AM
Is it possible that you have an override to add an alert action?