Populate Signature Filters to CSPM

ddinh · ‎09-10-2002

Hello All,

I used IDM to create some filters on a number of signature. I works great to filter out false positive alarms. How do I populate these filters to my CSPM? Any help will greatly be appreciated.

Thanks,

Damien Dinh

gfullage · ‎09-15-2002

Using IDM and CSPM to manage the one sensor is not a supported configuration, although generally should work. Be aware though that any changes you make via IDM are going to be erased the next time CSPM pushes out the config.

There's really no easy way to get these into CSPM other than delete the sensor out of your configuration, then add it back in with the Add Sensor Wizard, making sure to click the "Capture Sensor configuration" checkbox when you do so. CSPM should then go and get the configuration from teh sensor and copy it all in, including the filters.

As I said though, be careful when using IDM and CSPM on the one machine.

marcabal · ‎09-15-2002

A possible solution.

IDM will have created RecordOfExcludedPattern and possible RecordOfIncludedPattern tokens in packetd.conf.

Copy these entries and paste then into the Epilogue within CSPM for that sensor.

CSPM will then add these lines to the bottom of the CSPM created packetd.conf file.

It doesn't give you ability to modify them through CSPM's Filter Tab. Instead you will have to edit them directly in the Epilogue window.

Over time you can take one line at a time and see if you can create a CSPM equivelant filter in the CSPM Filter Tab.

SOme lines can not be supported by the CSPM Filter Tab and will have to remain in the Epilogue window.