Cisco Support Community

New Member

Custom string signature filtering using simple filtering

I am using Sensor 3.0 (1) s4. I have created a string signature which was working properly. Later on I tried to filter that string signature using simple filtering.

1. I cannot see my signature in the subsignatures list under the string signatures in the tab simple filtering/add.

2. Even if I filter all subsignatures under string signatures, I still get alerts for that subsignature.

Any hints?

1 REPLY
Cisco Employee

Re: Custom string signature filtering using simple filtering

Known Issue.

Simple Filtering does not actually filter all subsigs.

The All Subsigs should have actually said the "0" subsig.

Since your custom string is not the "0" subsig this will not work.

Try the following:

Use the Epilogue configuration window and enter the following line:

RecordOfExcludedPattern 8000 <subsigid> <srcaddress> <dstaddress>

where

subsigid = the subsignature id number assigned to your custom string match

srcaddress = the list of addresses or networks as the source of the alarm or "*" to designate any source address

dstaddress = the list of addresses or networks as the destination of the alarm or "*" to designate any destination address.

Example:

RecordOfExcludedPattern 8000 2302 10.1.1.1 *
