Cisco Support Community
New Member

tuning 3883 by attacker IP

How can I tune sig 3883 by attacker IP? Our VMS server is triggering this alert when it hits Cisco (probably for sig updates), so I want to tune the sig so it ignores alerts from the VMS server.

I don't see an option under "tune" for that signature for the attacker or victim IPs.

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: tuning 3883 by attacker IP

Event action filters are used to subtract actions (not add) based on the filtering criteria. It's very clear when directly managing the sensor; it may not be so clear in VMS. So, you need to create an event action filter for that attacker IP.

As far as lowering the severity... the only way to do that is by modifying the specific signature.
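
Added example, not part of the original thread: a sketch of such a filter entered directly on the sensor CLI. It assumes an IPS 5.x or later sensor using the default `rules0` event action rules instance; the filter name `vms-sig3883` and the address 192.0.2.10 are placeholders for the VMS server.

```text
! Assumptions: IPS 5.x+ sensor CLI, default rules0 instance.
! vms-sig3883 and 192.0.2.10 are placeholders, not values from the thread.
configure terminal
service event-action-rules rules0
filters insert vms-sig3883 begin
signature-id-range 3883
attacker-address-range 192.0.2.10-192.0.2.10
actions-to-remove produce-alert
filter-item-status Enabled
exit
exit
! Answer "yes" at the Apply Changes prompt to commit the filter.
```

Only the actions listed in `actions-to-remove` are subtracted, and only for events matching both the signature ID and the attacker address; the severity set on the signature is untouched.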

3 REPLIES
Gold

Re: tuning 3883 by attacker IP

You don't need to tune the signature; you need to create an event action filter.

New Member

Re: tuning 3883 by attacker IP

I was looking in that area but did not see a way that the event action filter could generate no event, or an event of a lower severity level than was set on the signature itself. All that looked to let me do was tell it what action to take, i.e. shun, block, reset, alarm, etc.

I want it to do nothing if it is an attacker IP of x.x.x.x or s.s.s.s

