New Member

Howto: Change sev. level for one IP only on a sensor

I have a proxy server that is on the same subnet being monitored by a sensor.

Normal surfing by my users produces false positives on 3216 (IIS ../.. denial bug).

I would like to configure the sensor somehow so that when an alert is received with the proxy as the destination, the alarm is 'medium', but when an alert is received for any other possibility, the alarm is 'high'.

Can a sensor be configured to reduce the alarm severity for a particular destination?

4 REPLIES
Cisco Employee

Re: Howto: Change sev. level for one IP only on a sensor

Sorry,

The sensor can not change severity level based on ip address.

But there is a work around if you are using a sensor appliance.

Create a custom signature that looks for the exact same thing and set its severity to Medium.

(If using CSPM do this through SigWizMenu, if using Unix Director then do this through nrConfigure's Custom Signature edit windows)

Now Exclude/Filter the proxy address from the original signature.

(If using CSPM do this through Simple or Advanced Filtering, if using Unix Director then do this through nrConfigure's filter window)

Now Exclude ALL IP addresses for the new Custom Signature and Include ONLY the proxy address.

(If using CSPM do this through SigWizMenu with the option for address to signature mapping, if using Unix Director then do this through nrConfigure's filter window)

New Member

Re: Howto: Change sev. level for one IP only on a sensor

That's awesome..... there's obviously a reason why I didn't think of that :)

Cheers

New Member

Re: Howto: Change sev. level for one IP only on a sensor

The solution stated to this problem is fine if you're able to make the signature. Since the Cisco signatures cannot be viewed, you will have to look elsewhere for a signature and its content matching.

Snort comes to mind....

3214-3216 is a great example. Just what is the difference, signature-wise, between the IIS .. view, execute and denial signatures?

New Member

Re: Howto: Change sev. level for one IP only on a sensor

The signature 3216 is looking for the pattern ../.. appended at the front of a URL, which causes a crash in IIS 2.0 or prior versions.

The signature 3214 is looking for pattern /..\ which allows directory traversal in IIS 1.0.
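The two-signature workaround described in the first reply (filter the proxy out of the original signature, then map a lower-severity custom copy of it to the proxy address only), together with the ../.. and /..\ patterns quoted in the last two replies, can be modelled as a small alert-evaluation pipeline. The following is an added example written for this page, not Cisco sensor code or a real sensor configuration format: the signature IDs 3214 and 3216 and their patterns come from the thread, while the custom signature ID 50001, the IP addresses and the request URLs are constructed for the demonstration. It shows why the proxy destination raises exactly one medium alert, any other destination raises exactly one high alert, and the unrelated 3214 signature is unaffected by the filters.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Severity ordering used when summarising several alerts for one request.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Signature:
    """A content-matching signature plus the two address controls the thread mentions."""
    sig_id: int
    name: str
    pattern: str                       # substring looked for in the request URL
    severity: str                      # 'high' or 'medium'
    exclude_dst: FrozenSet[str] = frozenset()       # "Exclude/Filter" this address
    include_only_dst: FrozenSet[str] = frozenset()  # "Exclude ALL, Include ONLY"

    def applies_to(self, dst: str) -> bool:
        # Exclusion filter: these destinations never raise this signature.
        if dst in self.exclude_dst:
            return False
        # Address-to-signature mapping: when set, only listed destinations may
        # raise this signature (everything else is implicitly excluded).
        if self.include_only_dst and dst not in self.include_only_dst:
            return False
        return True

    def matches(self, url: str) -> bool:
        return self.pattern in url


@dataclass(frozen=True)
class Alert:
    sig_id: int
    name: str
    severity: str
    src: str
    dst: str


PROXY = "192.0.2.10"  # constructed address for the proxy server in the question

SIGNATURES = [
    # Pattern from the last reply: "/..\" traversal, IIS 1.0. No address filters.
    Signature(3214, "IIS /..\\ view", "/..\\", "high"),
    # Pattern from the last reply: "../.." denial, IIS 2.0 and earlier.
    # Step 2 of the workaround: filter the proxy out of the original signature.
    Signature(3216, "IIS ../.. denial", "../..", "high",
              exclude_dst=frozenset({PROXY})),
    # Step 1 + 3 of the workaround: a custom copy of 3216 at Medium severity,
    # mapped to the proxy address only. 50001 is a hypothetical custom ID.
    Signature(50001, "IIS ../.. denial (proxy copy)", "../..", "medium",
              include_only_dst=frozenset({PROXY})),
]


def evaluate(src: str, dst: str, url: str,
             signatures: List[Signature] = SIGNATURES) -> List[Alert]:
    """Return every alert the signature set raises for one request."""
    return [
        Alert(s.sig_id, s.name, s.severity, src, dst)
        for s in signatures
        if s.matches(url) and s.applies_to(dst)
    ]


def severity_for(src: str, dst: str, url: str) -> Optional[str]:
    """Highest severity raised for the request, or None when nothing fires."""
    alerts = evaluate(src, dst, url)
    if not alerts:
        return None
    return max((a.severity for a in alerts), key=SEVERITY_RANK.__getitem__)


# Constructed sample traffic: (source, destination, URL).
SAMPLE_REQUESTS = [
    ("198.51.100.7", PROXY,        "/../../default.htm"),        # user surfing via proxy
    ("198.51.100.7", "192.0.2.20", "/../../default.htm"),        # same URL, a real web host
    ("198.51.100.7", "192.0.2.20", "/scripts/..\\..\\readme.txt"),  # 3214 pattern
    ("198.51.100.7", PROXY,        "/index.html"),               # clean request
]


def run_demo() -> List[str]:
    """Summarise each sample request as 'dst url -> severity'."""
    return [f"{dst} {url} -> {severity_for(src, dst, url)}"
            for src, dst, url in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Because the exclusion on 3216 and the include-only mapping on 50001 partition the destination space between them, no request can fire both copies of the pattern, so the workaround changes severity without duplicating alerts.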
