Is it possible to set up different event levels for the same signature, based on the IP range of the source / destination address?
This would be very handy for some problems. Take the CodeRed for example. Incoming CodeRed packets are, at the moment, only for statistical purposes interesting. But outgoing traffic with this signature is a real problem. I would like to configure event level 2 or 3 for the incoming and 5 for outgoing. But I could not find any hint how to do this.
Let's assume you want this to be applied to the "external" traffic so set it as a level 2 severity. You are going to keep the built in signature (5126) as it is at a level 5.
In the SigSettings.conf file add the following lines at the bottom of the file.
RecordOfExcludedPattern 20000 * IN * (This will only work if you've defined your protected network with the RecordOfInternalAddress token, excludes this signature from firing on internally generated events)
RecordOfExcludedPattern 5126 * OUT * (This will only work if you've defined your protected network with the RecordOfInternalAddress token, excludes this signature from firing on externally generated events)
This example assumes you have no signature 20000, please use auto generate in SigWizMenu to ensure you do not have overlap. In the RecordOfExcludedPattern for the external signature you must be sure to use the autogenerated SigId as well.
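To make the suppression logic of the two RecordOfExcludedPattern lines concrete, here is an added example (not part of the original answer, and not Cisco code) that simulates which of the two signatures still fires for a given source address. It assumes the field order SigId, SubSigId, direction, address as written above, that "IN" means the source lies inside the RecordOfInternalAddress range and "OUT" that it lies outside, and that 20000 is the copied CodeRed signature tuned to level 2.

```python
import ipaddress

# Constructed SigSettings.conf fragment mirroring the answer above (assumed syntax).
SIGSETTINGS = """
RecordOfInternalAddress 10.0.0.0 255.0.0.0
RecordOfExcludedPattern 20000 * IN *
RecordOfExcludedPattern 5126 * OUT *
"""

# Severity each signature is tuned to (20000 is the hypothetical copy of 5126).
SEVERITY = {5126: 5, 20000: 2}


def parse(conf):
    """Collect the internal networks and the exclusion patterns from the fragment."""
    internal, excludes = [], []
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "RecordOfInternalAddress":
            internal.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "RecordOfExcludedPattern":
            sigid, subsig, direction, addr = parts[1:5]
            excludes.append((int(sigid), subsig, direction, addr))
    return internal, excludes


def direction_of(src, internal):
    """IN when the source address is inside the protected network, else OUT."""
    return "IN" if any(ipaddress.ip_address(src) in n for n in internal) else "OUT"


def firing(conf, sigids, src):
    """Return [(sigid, severity)] for the signatures not suppressed for this source."""
    internal, excludes = parse(conf)
    d = direction_of(src, internal)
    result = []
    for sig in sigids:
        suppressed = any(
            s == sig and sub == "*" and dirn == d
            and (addr == "*" or ipaddress.ip_address(src) in ipaddress.ip_network(addr, strict=False))
            for s, sub, dirn, addr in excludes)
        if not suppressed:
            result.append((sig, SEVERITY[sig]))
    return result
```

An external source trips only the level-2 copy, an internal source only the level-5 original, which is the split the question asked for.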
Re: Different event levels for the same signature?
Actually this would be handy for a lot of things....
The ingress/egress issue with Code Red is a good example, though we solved it a slightly different way with the creation of a new alarm level, and alerting only on IN-to-OUT traffic for that alarm level.
But being able to choose responses by IP for the same signature would be valuable in several ways. Here's my off-the-cuff thoughts:
1 - Ability to monitor/alert/respond differently for servers with higher SLA requirements (eg, have higher mission critical nature)
2 - Ability to alert OS-specific, or App-specific, detects. Cold Fusion detects shouldn't get people out of bed when seen against an IIS server, but on a Cold-Fusion server, well....
3 - In the last 7 days, we've gotten 227 DNS Version Requests, but few of those were directed to DNS servers, which (maybe) should be responded to a bit more aggressively.
Anyway, all of my other examples are related to these basic themes, attacks on ports that are open versus ones that aren't (UDP), customizing responses based on appropriateness of data for a server configuration, etc. I'm sure y'all get the feel.... :-)