06-11-2002 11:37 AM - edited 03-08-2019 10:56 PM
I am getting a large amount of IP Fragment alerts from one IP address. I have identified this as a false positive and want to filter these events. I have gone into the filter tab on the IDSM and filtered alert 1003 IP Fragmentation from the source IP that is generating all the alerts. I save and update and push the new config to the IDSM without any problems, but I keep getting the alerts. I also set the alert to LOW and it is still registering as high. Am I missing something? Thanks in advance.
06-17-2002 01:15 PM
Try setting the alert to Information. This categorizes the attack as not being relevant to security while Low categorizes the attack as mildly severe.
06-17-2002 02:19 PM
Are you using CSPM or Unix Director?
If you are using Unix Director you may be seeing old alerts.
Look in the /usr/nr/var directory on your director for an nrdirmap buffer file.
If there are too many alarms in OV then the extra wind up in this file.
Whenever you start "ovw" it will read in these old buffered alarms.
You could be seeing old alarms from this buffer file.
06-24-2002 08:11 AM
OK, I figured it out. I have my CSPM set in a client/server configuration. I upgraded the CSPM on the server to CSPM-2.3.3i-S25 and did the signature update wizard on the server. However, I did not perform this on my client. When I pushed configs from my client I had to select ***S13 because I had not updated the signatures on my client. This also did not allow me to add filters or do any maintenance for that matter on any of my blades.
After installing CSPM-2.3.3i-S25 on my client and running signature wizard I was able to set filters with no issues. Thanks for your responses.