New Member

Signature tuning and alert summaries

Some signatures, let's use 5769 (Malformed HTTP Request) as an example, perform event summarization. If I apply an event action filter to the signature to tune out FPs coming from a specific host, the individual events indeed go away, but the summary events still flood my logs.

I'm looking for some advice on good practice for eliminating both the individual events AND the summary events when I'm tuning these sigs with event summarization. Editing the signature itself is the only way I've found, which I don't really like. Any comments would be appreciated.

Thanks

4 REPLIES
New Member

Re: Signature tuning and alert summaries

Hi, in our practice for the IPS sensor case, we edit the signature itself to reduce the alert frequency. The following is one example. We tried it this way, and so far false-positive alarms are reduced unless there is an outbreak of the alerts.

SID: 12673: Recognized content type

Recommended Changes:

Event Count: 6000

Event Counter Key: Attacker Address

Specify Alert Interval: Yes/60 seconds

Gold

Re: Signature tuning and alert summaries

I've seen this question asked numerous times and don't recall ever seeing a good answer from a Cisco representative. Can someone from Cisco provide some input? Is there an existing bugid?

New Member

Re: Signature tuning and alert summaries

I'm still looking for any answer to this same question. This behavior doesn't seem correct, since the sig event action filter is processed to subtract the event before the summary event filter. Does anyone know if this is a bug or if Cisco has responded on this topic? I couldn't find anything.

New Member

Re: Signature tuning and alert summaries

I ended up talking with TAC about this. It turns out that since the event summarizer produces alerts for multiple hosts, the attacker (or victim) is listed as 0.0.0.0. If the filter is not set to eliminate events from ANY IP address, then it will let those summaries through as well. This is a design flaw in my estimation. Cisco seems to realize this is a limitation, but no fix is available.

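The behavior the TAC reply describes can be checked offline with a small model of summarization plus event action filtering. This is an added example written for this thread, not Cisco code and not the sensor's real implementation: it only reproduces the rule that a summary alert carries 0.0.0.0 as its attacker/victim address. The signature ID 5769 is the one from the original question; the host addresses, timestamps and the threshold of 5 events per 60-second window are constructed sample values.

```python
"""Toy model of IPS event summarization and event action filters.

Added example for this thread, not Cisco code.  It implements the behaviour
the TAC answer describes: once a signature summarizes, the summary alert
carries 0.0.0.0 as the attacker address, so a filter written for one host
does not match it.  Addresses, timestamps and thresholds are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ANY_ADDR = "0.0.0.0"   # attacker/victim address carried by summary alerts (per the TAC reply)
SIG_ID = 5769          # Malformed HTTP Request, the signature used in the original question


@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str
    victim: str
    count: int = 1
    summary: bool = False


def summarize(events: List[Tuple[int, str, str]], sig_id: int,
              threshold: int, interval: int = 60) -> List[Alert]:
    """Model of signature summarization (assumption, not the sensor's exact algorithm).

    events: (timestamp, attacker, victim) tuples sorted by time.
    Within each `interval`-second window the first `threshold` events fire as
    individual alerts; if the window holds more, the sensor stops firing
    individuals and emits one summary alert at window close whose attacker and
    victim are 0.0.0.0 and whose count is the window's total.
    """
    alerts: List[Alert] = []
    windows: Dict[int, List[Tuple[str, str]]] = {}
    for ts, attacker, victim in events:
        windows.setdefault(ts // interval, []).append((attacker, victim))
    for _, evs in sorted(windows.items()):
        for attacker, victim in evs[:threshold]:
            alerts.append(Alert(sig_id, attacker, victim))
        if len(evs) > threshold:
            alerts.append(Alert(sig_id, ANY_ADDR, ANY_ADDR, count=len(evs), summary=True))
    return alerts


@dataclass(frozen=True)
class EventActionFilter:
    """Subset of an event action filter: signature ID plus an attacker address
    range written as "a.b.c.d" or "a.b.c.d-w.x.y.z"; the removed action is produce-alert."""
    sig_id: int
    attacker_range: str

    def matches(self, alert: Alert) -> bool:
        if alert.sig_id != self.sig_id:
            return False
        lo, _, hi = self.attacker_range.partition("-")
        lo_ip = IPv4Address(lo)
        hi_ip = IPv4Address(hi) if hi else lo_ip
        return lo_ip <= IPv4Address(alert.attacker) <= hi_ip


def apply_filters(alerts: List[Alert], filters: List[EventActionFilter]) -> List[Alert]:
    """Drop every alert matched by any filter (produce-alert is removed)."""
    return [a for a in alerts if not any(f.matches(a) for f in filters)]


HOST_FILTER = EventActionFilter(SIG_ID, "10.1.1.5")                  # the OP's per-host tuning
ANY_FILTER = EventActionFilter(SIG_ID, "0.0.0.0-255.255.255.255")    # what TAC said is needed

# Constructed traffic: noisy host 10.1.1.5 (7 hits) and 10.1.1.9 (2 hits) in the
# first minute, then only 10.1.1.9 (2 hits) in the second minute.
SAMPLE_EVENTS = (
    [(t, "10.1.1.5", "192.0.2.10") for t in range(7)]
    + [(7, "10.1.1.9", "192.0.2.10"), (8, "10.1.1.9", "192.0.2.10")]
    + [(65, "10.1.1.9", "192.0.2.10"), (70, "10.1.1.9", "192.0.2.10")]
)


def demo(threshold: int = 5):
    """Return (unfiltered, host-filtered, any-filtered) alert streams for the sample."""
    raw = summarize(SAMPLE_EVENTS, SIG_ID, threshold)
    return raw, apply_filters(raw, [HOST_FILTER]), apply_filters(raw, [ANY_FILTER])


if __name__ == "__main__":
    for label, alerts in zip(("no filter", "host filter", "any filter"), demo()):
        print(label)
        for a in alerts:
            print(f"  sig {a.sig_id} attacker {a.attacker} count {a.count} summary={a.summary}")
```

Running it shows the three outcomes: the per-host filter removes the five individual alerts from 10.1.1.5 but the summary (attacker 0.0.0.0, count 9) survives, the any-address filter removes the summary but also the legitimate alerts from 10.1.1.9 in the second minute, which is the trade-off behind the original poster's reluctance, and editing the summarization parameters, as the first reply suggests, changes how many events it takes before a summary is produced at all.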