Cisco Support Community
New Member

Tuning signature

Can someone help with how I can tune signatures 2000 and 2004 to allow my monitoring PC to send ICMP to the target IP addresses? Whenever I enable these signatures my monitoring screen goes red.

Help fast pls.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Tuning signature

Hi,

OK, so you'll want to create an exception to the rule here. As I understand it, you still want ICMP messages to be alerted/blocked on the IPS except for your monitoring system.

I'm unsure if you'll be using the IDM/CSM or what not, so the instructions may vary. Just keep in mind you'll need to accomplish basically the same thing in either one.

Start by going to "Event Action Filters." Within here you'll need to create a new filter for what you want. Next, the name is whatever is identifiable to your monitoring system, or whatever assists you. After this you'll just need to fill out the rest: Signature ID being 2000 and 2004, "Attacker Address" is your monitoring system, and the victim you can leave wide open, as you'll be scanning the subnet(s) for up/downs. For OS Relevance, if you are running a 6.0 sensor, just make that selected for all. Then the important part: do you want to be alerted to this, do you want this blocked, and such? For the items you do NOT want, just highlight them in the box. Also, you might want to select the "Stop on Match" box.

I really hope this assists.
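
The filter described in the reply above, written as a sensor CLI session. This is an added example, not part of the original post; it assumes an IPS 6.x sensor using the default `rules0` event action rules instance. The filter name and the monitoring station address 192.0.2.10 are placeholders, removing only `produce-alert` is one possible choice of action, and lines starting with `!` are annotations rather than commands.

```text
! Enter the event action rules instance (rules0 is assumed here)
sensor# configure terminal
sensor(config)# service event-action-rules rules0

! Create the filter at the top of the list; the name is a placeholder
sensor(config-eve)# filters insert MonitoringStationICMP begin

! Match only the two ICMP signatures from the question
sensor(config-eve-fil)# signature-id-range 2000,2004

! Attacker = the monitoring station (placeholder address, use your own)
sensor(config-eve-fil)# attacker-address-range 192.0.2.10

! Victim left wide open, as in the reply
sensor(config-eve-fil)# victim-address-range 0.0.0.0-255.255.255.255

! The action you do NOT want for this source (assumed: the alert)
sensor(config-eve-fil)# actions-to-remove produce-alert

! Enable the filter and stop evaluating later filters once it matches
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# stop-on-match true

! Leave the submodes and confirm the change when prompted
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
```

Restricting `attacker-address-range` to the single monitoring host leaves signatures 2000 and 2004 fully active for every other source.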

2 REPLIES
New Member

Re: Tuning signature

I have been able to solve the problem with your simple explanation.

I am really grateful.

Thanks, man.
