
Tuning signature

ayolawrence
Level 1

Can someone help on how I can tune signatures 2000 and 2004 to allow my monitoring PC to send ICMP to the target IP addresses? Whenever I enable these signatures my monitoring screen goes red.

Help fast pls.

Accepted Solutions

chickman
Level 1

Hi,

Ok, so you'll want to create an exception to the rule here. So I understand it, you still want ICMP messages to be alerted/blocked on the IPS except for your monitoring system.

I'm unsure if you'll be using the IDM/CSM or what not, so the instructions may vary. Just keep in mind you'll need to accomplish basically the same thing in either one.

Start by going to "Event Action Filters." Within here you'll need to create a new filter for what you want. Next, name it whatever is identifiable to your monitoring system, or whatever assists you. After this you'll just need to fill out the rest: Signature ID being 2000 and 2004, "Attacker Address" is your monitoring system, victim you can leave wide open as you'll be scanning the subnet(s) for up/downs. OS Relevance, if you are running a 6.0 sensor, just make that selected for all, and then the important part: do you want to be alerted to this, do you want this blocked and such? So, for the items you do NOT want, just highlight them in the box. Also, you might want to select the "Stop on Match" box.

I really hope this assists.
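
The scoping described in the answer above, as an added example that is not part of the original post and is not Cisco's code: a simplified model of an ordered filter list that subtracts actions on a match and halts at a "Stop on Match" filter. The field names, the addresses, the default actions and the second `lab-quiet` filter are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Filter:                      # hypothetical model of one Event Action Filter
    name: str
    sig_ids: set
    attacker: str                  # CIDR; "0.0.0.0/0" means any address
    victim: str
    remove: set                    # actions subtracted when the filter matches
    stop_on_match: bool = False

    def matches(self, ev):
        return (ev["sig"] in self.sig_ids
                and ip_address(ev["attacker"]) in ip_network(self.attacker)
                and ip_address(ev["victim"]) in ip_network(self.victim))

def apply_filters(filters, ev, default_actions):
    """Walk filters in order, subtracting actions; halt at a stop-on-match hit."""
    actions, hit = set(default_actions), []
    for f in filters:
        if f.matches(ev):
            actions -= f.remove
            hit.append(f.name)
            if f.stop_on_match:
                break
    return actions, hit

MONITOR = "192.0.2.10"             # constructed address for the monitoring PC
DEFAULT = {"produce-alert", "deny-packet-inline"}   # assumed signature actions
FILTERS = [
    # The exception from the answer: sigs 2000/2004, one attacker, any victim.
    Filter("monitor-icmp", {2000, 2004}, MONITOR + "/32", "0.0.0.0/0",
           {"produce-alert", "deny-packet-inline"}, stop_on_match=True),
    # Hypothetical later filter: silences alerts toward a lab subnet only.
    Filter("lab-quiet", {2004}, "0.0.0.0/0", "198.51.100.0/24", {"produce-alert"}),
]

def remaining(sig, attacker, victim):
    """Return (actions still applied, names of filters that matched)."""
    ev = {"sig": sig, "attacker": attacker, "victim": victim}
    return apply_filters(FILTERS, ev, DEFAULT)

if __name__ == "__main__":
    for ev in [(2004, MONITOR, "203.0.113.7"), (2004, "203.0.113.50", "203.0.113.7"),
               (2004, "203.0.113.50", "198.51.100.9"), (2001, MONITOR, "203.0.113.7")]:
        print(ev, remaining(*ev))
```

Only events that match both the signature IDs and the monitoring address lose their actions; the same signatures from any other source, and other signatures from the monitoring PC, keep the defaults.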

2 Replies

I have been able to solve the problem with your simple explanation.

I am really grateful.

Thanks, man.
