Creating extended filters at the sensor

Dear List,

I would like to find out if it would be possible to create a filter at the NIDS sensor that would allow filtering down to port level.

Since most of the src IP addresses in the table below appear to be dns servers, I can only conclude that this is a false positive for SIG 4002.

I'd like to be able to create a filter for signature 4002 any src 52 > my.dns 32772 to be excluded.

SigID  SrcIP           DstIP           SrcPort  DstPort
4002   204.61.216.7    my.dns.server   53       32772
4002   192.54.112.30   my.dns.server   53       32772
4002   193.190.135.4   my.dns.server   53       32772
4002   80.84.227.141   my.dns.server   53       32772
snip
4002   192.54.112.30   my.dns.server   53       32772
4002   195.121.1.38    my.dns.server   53       32772

Can it be done?

1 REPLY
Cisco Employee

Re: Creating extended filters at the sensor

This is not supported in version 3.1 sensors.

The filters do not support filtering by source or destination port, and the engine definition for 4002 does not support specifying the ports.

HOWEVER,

This can be done in version 4.0 sensors.

The filters still do not support filtering by source or destination port, but the FLOOD.HOST.UDP engine in 4.0 contains new parameters for filtering specific ports from being analyzed for this signature.

The new parameters are:

ExcludeDst1: 2049
ExcludeDst2: 161
ExcludeDst3:
ExcludeSrc1: 2049
ExcludeSrc2: 161
ExcludeSrc3:

You can enter port 52 as ExcludeSrc3.

Here is the signature configuration entry for 4002 in a 4.0 sensor:

-----------------------------------------------
version: 4.0
signatures (min: 0, max: 1000, current: 1)
-----------------------------------------------
SIGID: 4002
SubSig: 0
AlarmDelayTimer: 10
AlarmInterval:
AlarmSeverity: low
AlarmThrottle: FireAll
AlarmTraits:
ChokeThreshold:
Enabled: False
EventAction:
ExcludeDst1: 2049
ExcludeDst2: 161
ExcludeDst3:
ExcludeSrc1: 2049
ExcludeSrc2: 161
ExcludeSrc3:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits:
Protocol: UDP
Rate: 100
ResetAfterIdle: 15
SigComment:
SigName: UDP Host Flood
SigStringInfo:
SigVersion: S37
StorageKey: xxBx
SummaryKey: AaBb
ThrottleInterval: 15
WantFrag:
-----------------------------------------------
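The following is an added illustration (not Cisco's engine code, and not part of the thread) of how the ExcludeSrc/ExcludeDst parameters remove packets from the per-host count before the Rate threshold of signature 4002 is applied. It assumes a simplified model (packets counted per destination host per one-second window, ResetAfterIdle not modelled), constructed sample packets, and that the DNS source port 53 seen in the question's table is placed in the third ExcludeSrc slot.

```python
"""Simplified model of FLOOD.HOST.UDP port exclusions for signature 4002.

Added example, not Cisco's implementation: counting semantics (packets per
destination host per one-second window) and the sample traffic are assumed.
"""
from collections import defaultdict

# Thresholds and exclusions from the 4.0 signature entry in the reply,
# with port 53 (assumed) placed in the third ExcludeSrc slot.
SIG_4002 = {
    "Rate": 100,
    "ExcludeDst": {2049, 161},
    "ExcludeSrc": {2049, 161, 53},
}


def is_excluded(src_port, dst_port, params):
    """True if the packet must not count toward the UDP host flood rate."""
    return src_port in params["ExcludeSrc"] or dst_port in params["ExcludeDst"]


def count_flood_hosts(packets, params):
    """Return {dst_host: peak counted packets in any one-second window}.

    packets: iterable of (timestamp_seconds, src_ip, src_port, dst_ip, dst_port).
    """
    per_host_window = defaultdict(lambda: defaultdict(int))
    for ts, _src_ip, sport, dst_ip, dport in packets:
        if is_excluded(sport, dport, params):
            continue  # filtered before analysis, exactly like the engine's Exclude* slots
        per_host_window[dst_ip][int(ts)] += 1
    return {host: max(w.values()) for host, w in per_host_window.items()}


def alarming_hosts(packets, params):
    """Destination hosts whose counted rate exceeds the signature's Rate."""
    rates = count_flood_hosts(packets, params)
    return sorted(h for h, r in rates.items() if r > params["Rate"])


# Constructed sample: 150 DNS replies/second from source port 53 to the
# resolver's ephemeral port 32772 (the false-positive pattern from the
# question), plus 120 packets/second of unrelated UDP traffic to port 5000.
SAMPLE = (
    [(i / 150, "204.61.216.7", 53, "my.dns.server", 32772) for i in range(150)]
    + [(i / 120, "10.0.0.5", 40000 + i, "victim.example", 5000) for i in range(120)]
)

if __name__ == "__main__":
    print("alarming hosts:", alarming_hosts(SAMPLE, SIG_4002))
```

Dropping 53 from ExcludeSrc makes the DNS resolver alarm as well, which is the behaviour the original poster observed.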
