Some signatures, let's use 5769 (Malformed HTTP Request) as an example, perform event summarization. If I apply an event action filter to the signature to tune out FPs coming from a specific host, the individual events indeed go away, but the summary events still flood my logs.
I'm looking for some advice on good practice for eliminating both the individual events AND the summary events when I'm tuning these sigs with event summarization. Editing the signature itself is the only way I've found, which I don't really like. Any comments would be appreciated.
Hi, in our practice for the IPS sensor case, we edit the signature itself to reduce the alert frequency. Following is one example. We tried it this way and so far false-positive alarms are reduced, unless there is an outbreak of alerts.
I'm still looking for any answer to this same question. This behavior doesn't seem correct, since the sig event action filter is processed to subtract the event before the summary event filter. Does anyone know if this is a bug or if Cisco has responded on this topic? I couldn't find anything.
I ended up talking with TAC about this. Turns out that since the event summarizer produces alerts for multiple hosts, the attacker (or victim) is listed as 0.0.0.0. If the filter is not set to eliminate events from ANY IP address, then it will let those summaries through as well. This is a design flaw in my estimation. Cisco seems to realize this is a limitation, but no fix is available.
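The behaviour TAC described above, as an added example that is not part of the original thread and not Cisco code: a small Python model of an event action filter that matches on signature ID and attacker address, run over a constructed batch of alerts for sig 5769. It shows that a filter scoped to the noisy host (10.1.1.5 here, an assumed address) removes that host's individual alerts but not the summary alert, whose attacker is 0.0.0.0, while a filter scoped to any address removes the summary at the cost of also removing alerts from other hosts. The `drop_summaries_downstream` function is an assumed log-collector-side workaround, not a sensor feature, and the field names are assumptions rather than the sensor's real alert schema.

```python
"""Model of why an IPS event action filter scoped to one attacker address
does not catch event-summarizer alerts (which carry attacker 0.0.0.0).
Added example; alert fields and filter names are assumptions, not Cisco's."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str          # "0.0.0.0" on summary alerts that span several hosts
    victim: str
    summary: bool = False  # True when produced by the event summarizer
    count: int = 1         # number of events a summary alert stands for


@dataclass(frozen=True)
class EventActionFilter:
    """Simplified filter: matches on signature ID and attacker address range,
    and removes the produce-alert action from anything it matches."""
    sig_ids: frozenset
    attacker_range: ipaddress.IPv4Network

    def matches(self, alert: Alert) -> bool:
        return (alert.sig_id in self.sig_ids
                and ipaddress.ip_address(alert.attacker) in self.attacker_range)


def apply_filters(alerts, filters):
    """Return the alerts that still produce an alert after the filters run."""
    return [a for a in alerts if not any(f.matches(a) for f in filters)]


def drop_summaries_downstream(alerts, tuned_sig_ids):
    """Assumed log-side workaround: drop summary alerts (attacker 0.0.0.0)
    only for the signatures that were tuned on the sensor, so summaries for
    untouched signatures keep flowing."""
    return [a for a in alerts
            if not (a.summary and a.attacker == "0.0.0.0"
                    and a.sig_id in tuned_sig_ids)]


# Constructed sample batch: a noisy host, one other host, and summaries.
SAMPLE_ALERTS = [
    Alert(5769, "10.1.1.5", "192.0.2.10"),
    Alert(5769, "10.1.1.5", "192.0.2.10"),
    Alert(5769, "10.1.1.5", "192.0.2.11"),
    Alert(5769, "10.1.1.9", "192.0.2.10"),
    Alert(5769, "0.0.0.0", "0.0.0.0", summary=True, count=120),
    Alert(5770, "0.0.0.0", "0.0.0.0", summary=True, count=7),
]

# Filter tuned to the noisy host only (what the original poster did).
HOST_FILTER = EventActionFilter(frozenset({5769}),
                                ipaddress.ip_network("10.1.1.5/32"))
# Filter matching ANY attacker address (what TAC said is needed).
ANY_FILTER = EventActionFilter(frozenset({5769}),
                               ipaddress.ip_network("0.0.0.0/0"))


def demo():
    """Returns (host-scoped result, any-scoped result, log-side result)."""
    host_tuned = apply_filters(SAMPLE_ALERTS, [HOST_FILTER])
    any_tuned = apply_filters(SAMPLE_ALERTS, [ANY_FILTER])
    log_side = drop_summaries_downstream(host_tuned, {5769})
    return host_tuned, any_tuned, log_side


if __name__ == "__main__":
    for label, result in zip(("host filter", "any filter", "log side"), demo()):
        print(label)
        for a in result:
            print("  ", a)
```

With the host-scoped filter the 10.1.1.5 alerts disappear but the 5769 summary (attacker 0.0.0.0) survives, which is the flood the thread describes. The any-scoped filter removes the summary but also the legitimate alert from 10.1.1.9, so it is not a clean fix either. Dropping 0.0.0.0 summaries per tuned signature after the sensor keeps the 10.1.1.9 alert and the summary for the untouched signature 5770.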