Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
319
Views
5
Helpful
3
Replies

How to add a filter to signiture?

cbergel
Level 1
Level 1

‎09-17-2003 11:22 PM - edited ‎03-09-2019 04:50 AM

A specific host allways attack to our network.This host is using DNS Server.We don't want this to be detected as an attack.How to add a filter to this signiture?

signiture id 4003 "Nmap UDP Port Sweep"

Labels:
0 Helpful
3 Replies 3

shawn.posthumus
Level 1
Level 1

‎09-18-2003 05:37 AM

Heres one way:

log into your sensor via ssh

sensor#conf t

sensor#service alarm-channel-configuration virtualAlarm

sensor#tune-alarm-channel

sensor#EventFilter

sensor#Filters DestAddrs Exception False SIGID 4003 SourceAddrs SubSig *

sensor#exit

sensor#exit

save changes when prompted.

cbergel
Level 1
Level 1
In response to shawn.posthumus

‎09-18-2003 08:41 PM

thank you very much.

0 Helpful

garyprice
Level 1
Level 1

‎09-18-2003 05:59 AM

are you using a network IDS sensor. Like a Cisco-K9-4235? If so I can detail the very simple process to filter "out" the source from detection from the signature 4003

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents