Cisco Support Community

New Member

HowTo: Exclude a single IP address from all signatures

I have a box that is used to run vulnerability scans throughout my network.

I would like to configure each sensor to ignore all traffic from this one IP address.

When I go to simple and advanced filtering under CSPM 2.3.3i, there does not appear to be a way to avoid having to specify multiple signatures when ignoring the host.

When manually editing the packetd.conf file, there was a way to just exclude a network. I will go that route if the ability to do this through the CSPM interface is not possible.

If it's not possible.... future feature request :)

Cisco Employee

Re: HowTo: Exclude a single IP address from all signatures

This can be done on CSPM by entering the information in the Epilogue.

For each sensor, go to the Command tab and select Epilogue. Then in the window enter the following two lines, where IP is substituted with the IP address that you want to exclude (Note: This is case sensitive):

RecordOfExcludedPattern * * IP *

RecordOfExcludedPattern * * * IP

After you have added these lines, select OK and Save.

Now it will add this to the end of the packetd.conf file when you select Generate command and select OK to send these changes to the sensor.
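
A review check for the Epilogue lines above, as an added example that is not part of the original thread or of Cisco's tooling: it scans packetd.conf text for hosts exempted from every signature, so these blind spots stay visible during audits. It assumes the four arguments are signature ID, sub-signature ID, source and destination (inferred from the two lines in the answer); the sample config, its placeholder token and its addresses are constructed.

```python
# Added example: audit packetd.conf text for hosts excluded from every signature.
TOKEN = "RecordOfExcludedPattern"  # case sensitive, per the answer above

# Constructed sample; 192.0.2.10 stands in for the scanner's address and
# PlaceholderToken for any unrelated line in the file.
SAMPLE_CONF = """\
PlaceholderToken 1 2 3
RecordOfExcludedPattern * * 192.0.2.10 *
RecordOfExcludedPattern * * * 192.0.2.10
RecordOfExcludedPattern 2004 * 198.51.100.7 *
recordofexcludedpattern * * 203.0.113.5 *
RecordOfExcludedPattern * * * 198.51.100.9
"""

def parse_exclusions(conf_text):
    """Return (sig, subsig, src, dst) tuples for well-formed token lines."""
    rules = []
    for line in conf_text.splitlines():
        fields = line.split()
        # Exact-case match on the token and exactly four arguments (assumed layout).
        if len(fields) == 5 and fields[0] == TOKEN:
            rules.append(tuple(fields[1:]))
    return rules

def blanket_exclusions(rules):
    """Map each host excluded from all signatures to the directions covered."""
    hosts = {}
    for sig, subsig, src, dst in rules:
        if sig != "*" or subsig != "*":
            continue  # scoped to specific signatures, not a blanket rule
        if src != "*" and dst == "*":
            hosts.setdefault(src, set()).add("source")
        elif src == "*" and dst != "*":
            hosts.setdefault(dst, set()).add("destination")
    return hosts

def report(conf_text):
    """Split blanket-excluded hosts into fully and partially excluded."""
    both = {"source", "destination"}
    hosts = blanket_exclusions(parse_exclusions(conf_text))
    full = sorted(h for h, d in hosts.items() if d == both)
    partial = sorted(h for h, d in hosts.items() if d != both)
    return full, partial

if __name__ == "__main__":
    full, partial = report(SAMPLE_CONF)
    print("excluded in both directions:", full)
    print("excluded in one direction only:", partial)
```

Comparing the fully excluded list against the inventory of approved scanner addresses shows any exemption that was never authorized or has outlived its scanner.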

Cisco Employee

Re: HowTo: Exclude a single IP address from all signatures

Just so you know.

The Advanced Filter tab is used to configure the RecordOfExcludedPattern token, but does not provide all of the possible configurations that can be used with RecordOfExcludedPattern.

That is why you have to add it to the Epilogue, which appends the lines to packetd.conf.

For more information on the RecordOfExcludedPattern and its format refer to: