Creating a better filter

ball
Level 1

I have 2 sensors in place: one sensor sees a mirror of the inside interface of the PIX and the other one uses a mirror of the uplink ports to the servers' Cat6500 switch. All my servers are in one class C address range.

In IEV, I get 2 alarms for every signature match from traffic off campus going to the servers (one alarm from the sensor inside the firewall and another from the sensor on the server room uplink.)

I want to create a filter that excludes alarms from the sensor inside the firewall ONLY when the destination IP address is in the servers' class C address range.

Currently, the filter I made to do this removes all alarms from Sensor 2 (the firewall sensor) and IEV only shows data from Sensor 1 (servers). The filter I created has X by Dst Address and I added the address range of the servers. I also X'd Sensor Name of Sensor 2. Why doesn't this filter work the way I wanted it to (it seems like it's missing an AND operator between these two conditions)?

Thanks,

Erik

1 Reply

gfullage
Cisco Employee

The way the filtering in IEV works is that the two options are NOT AND'd together; you've basically created two separate filters by clicking on Dest Address and on Sensor Name, so it's working as we would expect.

There's no easy way to filter out what you want in IEV itself. You can filter this out on the sensor itself more easily, which will then stop the sensor from even sending the alert to IEV in the first place. Just https:// to the sensor and go under Configuration - Sensing Engine - Filtered Signatures and filter by Destination IP in there. This'll save bandwidth and log space as these events won't be sent to IEV in the first place.
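To make the difference concrete, here is a small added Python model of the two filter semantics discussed in this thread. It is not Cisco code and does not talk to IEV or a sensor; it simply follows the reply's description that each checked criterion acts as its own exclusion filter (an alarm is hidden if any criterion matches) and contrasts that with the combined AND condition the question asked for. The /24 used as the servers' range, the sensor names and the four sample alarms are constructed for illustration.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample data (not from the thread): a documentation /24 standing in
# for the servers' class C, and four alarms as the two sensors would report them.
SERVER_RANGE = ipaddress.ip_network("192.0.2.0/24")  # assumed server range

ALARMS: List[Dict[str, str]] = [
    # the same inbound event seen by both sensors: the duplicate the question describes
    {"id": "A", "sensor": "Sensor 2", "dst": "192.0.2.10"},   # firewall sensor
    {"id": "B", "sensor": "Sensor 1", "dst": "192.0.2.10"},   # server-uplink sensor
    # inbound to a non-server campus host: only the firewall sensor sees it
    {"id": "C", "sensor": "Sensor 2", "dst": "198.51.100.7"},
    # server-originated outbound traffic: only the server-uplink sensor sees it
    {"id": "D", "sensor": "Sensor 1", "dst": "203.0.113.5"},
]

Condition = Callable[[Dict[str, str]], bool]


def dst_in_servers(alarm: Dict[str, str]) -> bool:
    """The 'Dst Address' criterion: destination falls in the servers' range."""
    return ipaddress.ip_address(alarm["dst"]) in SERVER_RANGE


def from_firewall_sensor(alarm: Dict[str, str]) -> bool:
    """The 'Sensor Name' criterion: alarm came from the sensor inside the PIX."""
    return alarm["sensor"] == "Sensor 2"


def apply_separate_filters(alarms: List[Dict[str, str]],
                           conditions: List[Condition]) -> List[str]:
    """IEV behaviour as the reply describes it: each checked criterion is an
    independent exclusion filter, so an alarm is hidden if ANY condition matches.
    Returns the ids of the alarms that remain visible."""
    return [a["id"] for a in alarms if not any(c(a) for c in conditions)]


def apply_combined_filter(alarms: List[Dict[str, str]],
                          conditions: List[Condition]) -> List[str]:
    """What the question wanted: hide an alarm only if ALL conditions match
    (the firewall sensor AND a server destination). Returns visible alarm ids."""
    return [a["id"] for a in alarms if not all(c(a) for c in conditions)]


CONDITIONS: List[Condition] = [dst_in_servers, from_firewall_sensor]

if __name__ == "__main__":
    # Separate filters hide everything that is either from Sensor 2 or bound for a
    # server, including the Sensor 1 copy of alarm A; only D survives.
    print("separate filters keep:", apply_separate_filters(ALARMS, CONDITIONS))
    # The combined filter removes only the firewall-sensor duplicate (A).
    print("combined filter keeps:", apply_combined_filter(ALARMS, CONDITIONS))
```

Run it as a script to see the two result sets side by side. The separate-filter result is why independent criteria in a viewer cannot express "only the duplicate"; the combined result is what moving the destination-IP exclusion onto the firewall sensor itself achieves, since that filter then applies to exactly one sensor's alarms before they are ever sent to IEV.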