I have 2 sensors in place, one sensor sees a mirror of the inside interface of the PIX and the other one uses a mirror of the uplink ports to the servers Cat6500 switch. All my servers are in one class C address range.
In IEV, I get 2 alarms for every signature match from traffic off campus going to the servers (one alarm from the sensor inside the firewall and another from the sensor on the server room uplink.)
I want to create a filter that excludes alarms from the sensor inside the firewall ONLY when the destination IP address is in the servers class C address range.
Currently, the filter I made to do this removes all alarms from Sensor 2 (the firewall sensor) and IEV only shows data from Sensor 1 (servers). The filter I created has X by Dst Address and I added the address range of the servers. I also X'd Sensor Name of Sensor 2. Why doesn't this filter work the way I wanted it to (it seems like it's missing an AND operator between these two conditions)?
The way the filtering in IEV works is that the two options are NOT and'd together, you've basically created two separate filters by clicking on Dest Address and on Sensor Name, so it's working as we would expect.
There's no easy way to filter out what you want in IEV itself. You can filter this out on the sensor itself more easily, which will then stop the sensor from even sending the alert to IEV in the first place. Just https:// to the sensor and go under Configuration - Sensing Engine - Filtered Signatures and filter by Destination IP in there. This'll save bandwidth and log space as these events won't be sent to IEV in the first place.
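The AND condition asked for in the question, as an added example that is not part of the original thread and is not IEV or sensor code. It could be applied to alarms exported from the viewer; the server network, sensor labels, signature ids and alarm records are all constructed placeholders.

```python
import ipaddress

# Assumed values: the thread gives no addresses, only "Sensor 1" (server
# uplink) and "Sensor 2" (inside the firewall) and a class C server range.
SERVER_NET = ipaddress.ip_network("192.0.2.0/24")  # placeholder class C
FIREWALL_SENSOR = "Sensor 2"

# Constructed alarms: (sensor, signature id, source, destination)
ALARMS = [
    ("Sensor 2", 1001, "198.51.100.7", "192.0.2.10"),   # duplicate of the next alarm
    ("Sensor 1", 1001, "198.51.100.7", "192.0.2.10"),
    ("Sensor 2", 1002, "198.51.100.9", "10.20.30.40"),  # seen only by the firewall sensor
    ("Sensor 1", 1003, "192.0.2.11", "192.0.2.12"),     # server to server, Sensor 1 only
]


def from_firewall_sensor(alarm):
    return alarm[0] == FIREWALL_SENSOR


def to_server(alarm):
    return ipaddress.ip_address(alarm[3]) in SERVER_NET


def exclude_sensor_only(alarms):
    """What the poster observed: every Sensor 2 alarm is dropped."""
    return [a for a in alarms if not from_firewall_sensor(a)]


def exclude_sensor_and_dst(alarms):
    """What the poster wanted: drop a Sensor 2 alarm only when the
    destination is inside the server range (both conditions together)."""
    return [a for a in alarms if not (from_firewall_sensor(a) and to_server(a))]


if __name__ == "__main__":
    for name, fn in (("sensor only", exclude_sensor_only),
                     ("sensor AND dst", exclude_sensor_and_dst)):
        print(name)
        for alarm in fn(ALARMS):
            print("  ", alarm)
```

With the combined condition the duplicate is gone, but the Sensor 2 alarm for traffic that never reaches the server range is still shown, which is the visibility the sensor-only exclusion throws away.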