I have 2 sensors in place: one sensor sees a mirror of the inside interface of the PIX and the other one uses a mirror of the uplink ports to the servers' Cat6500 switch. All my servers are in one class C address range.
In IEV, I get 2 alarms for every signature match from traffic off campus going to the servers (one alarm from the sensor inside the firewall and another from the sensor on the server room uplink.)
I want to create a filter that excludes alarms from the sensor inside the firewall ONLY when the destination IP address is in the servers' class C address range.
Currently, the filter I made to do this removes all alarms from Sensor 2 (the firewall sensor) and IEV only shows data from Sensor 1 (servers). The filter I created has X by Dst Address and I added the address range of the servers. I also X'd Sensor Name of Sensor 2. Why doesn't this filter work the way I wanted it to (it seems like it's missing an AND operator between these two conditions)?
Thanks,
Erik
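
The filter semantics asked for above, as an added example that is not part of the original post and does not reproduce IEV's own filter engine: it contrasts dropping by sensor name alone (the outcome the post reports) with dropping only when both conditions hold. The server range `192.0.2.0/24`, the alarm field names, and the sample alarms are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the post): placeholder server class C and field names.
SERVER_NET = ipaddress.ip_network("192.0.2.0/24")
FIREWALL_SENSOR = "Sensor 2"  # sensor mirroring the PIX inside interface

# Constructed sample alarms (signature ids and addresses are made up).
ALARMS = [
    {"sensor": "Sensor 2", "sig": 1001, "dst": "192.0.2.10"},   # duplicate of next
    {"sensor": "Sensor 1", "sig": 1001, "dst": "192.0.2.10"},
    {"sensor": "Sensor 2", "sig": 1002, "dst": "10.20.30.40"},  # not a server
    {"sensor": "Sensor 1", "sig": 1003, "dst": "192.0.2.77"},
    {"sensor": "Sensor 2", "sig": 1004, "dst": "n/a"},          # unparsable dst
]


def dst_in_servers(alarm):
    """True only if the destination parses and lies in the server range."""
    try:
        return ipaddress.ip_address(alarm["dst"]) in SERVER_NET
    except ValueError:
        # Keep alarms with a malformed destination visible rather than
        # silently filtering them out.
        return False


def drop_by_sensor_only(alarms):
    """Outcome reported in the post: every firewall-sensor alarm vanishes."""
    return [a for a in alarms if a["sensor"] != FIREWALL_SENSOR]


def drop_conjunctive(alarms):
    """Wanted outcome: exclude only when sensor AND destination both match."""
    return [
        a for a in alarms
        if not (a["sensor"] == FIREWALL_SENSOR and dst_in_servers(a))
    ]


if __name__ == "__main__":
    for name, fn in (("sensor only", drop_by_sensor_only),
                     ("sensor AND dst", drop_conjunctive)):
        kept = [(a["sensor"], a["sig"]) for a in fn(ALARMS)]
        print(f"{name}: {kept}")
```

With the conjunctive form, the firewall sensor's alarms for traffic that never reaches the server range (signature 1002 here) stay visible, which the sensor-only exclusion loses.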