Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
311
Views
5
Helpful
3
Replies

Filters not activated on IDS sensors

jodr
Level 1
Level 1

‎09-17-2003 05:11 AM - edited ‎03-09-2019 04:49 AM

We are having troubles installing filters on our sensors via the IDS MC. We configure filters in IDS MC, but they are apparently not applied to the sensors. No events are being filtered !

Johan Derycke.

Labels:
0 Helpful
3 Replies 3

8rpalmer
Level 1
Level 1

‎09-18-2003 06:19 AM

I'm having the same problems here, but I would venture to say that the problems we are experiencing are limited to filters which use an IP Range for the Source or Destination IP fields. If we change the range to an asterisk (*) then the filter works. Change it back to a range statement, and it doesn't work. This may be the case with your problem. If so, recommend you open a TAC Case as I have and lets get Cisco to fix the problem.

I know there were import issues with IDS MC when adding a previously confifured sensor which contained address ranges in the filters and also the same problem with filters which used the asterisk (*) in the SubSig field. Seems IDS MC when importing filters, is not expecting the SubSig field. So when it imports the filter the entry in the SubSig field becomes the entry for the Source IP (everything gets shifted right one field) causing an error because there was data read after the expected end of the Destination IP field. I have a TAC Case open for this one also.

0 Helpful

rgloria
Cisco Employee
Cisco Employee

‎09-18-2003 12:31 PM

See if the filters have indeed been applied to the sensor by first ssh'ing to the sensor CLI and then:

qsensor-63# conf t

qsensor-63(config)# service al

qsensor-63(config)# service alarm-channel-configuration virtualAlarm

qsensor-63(config-acc)# tune

qsensor-63(config-acc-virtualAlarm)# Ev

qsensor-63(config-acc-virtualAlarm)# EventFilter

qsensor-63(config-acc-virtualAlarm-Eve)# sho set

EventFilter

-----------------------------------------------

version: 4.0

Filters (min: 0, max: 5000, current: 1)

-----------------------------------------------

DestAddrs: 10.20.2.3 default: *

Exception: True default: False

SIGID: 5167 default: *

SourceAddrs: 10.20.2.2 default: *

SubSig: 0 default: *

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

If they have not been applied, then send an example of the filter(s) you are attempting to apply.

jodr
Level 1
Level 1
In response to rgloria

‎03-18-2004 07:19 AM

A very late response, but to conclude this one, here is a resume of what has happened. There were two things :

1. Using the proper procedure for changing the sensor config via ids mc : you have to save first all changes into the database ; generate a new config for this sensor ; approve it ; deploy the new config on the specific sensor

2. But even on using the proper procedure, sometimes the deployment fails due to the fact that the sensor is not ready/is too busy for deploying a new config. So the thing is to wait until the sensor has not much to do. And it has nothing to do with the CPU that is overloaded, because this problem is already happening at less than 20% usage. Even with our high capacity idsm-2 blades we have this problem.

Thanks and best regards,

Johan Derycke.

0 Helpful
Customers Also Viewed These Support Documents