Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

RecordOfExcludedPattern -- How can I add a destination port?

I want to ignore a specifc signature but only when the destination port is X -- can I do that within SigSettings.conf? Specifically its signature 1104.

Yes, yes you shouldnt have to do this, but in this environment I do.



New Member

Re: RecordOfExcludedPattern -- How can I add a destination port?

RecordOfExcludedPattern does not support this functionality. It only filters on IP addresses which doesn't help with signature 1104.

Cisco Employee

Re: RecordOfExcludedPattern -- How can I add a destination port?

The 1104 signature isn't currently written with a signature engine so it's tunings are limited to the severity level, action, and the normal exclusions with RecordOfExcludedPattern.

NOTE: Some the engines do have parameters for ports. If the signature was written using one of those engines then you could maybe tune by port. But even then you would have to specify all of the other 65000 ports instead of tuning out that one.

RecordOffExcludedPattern unfortunately does not support excluding by port. It only allows excluding by signature, subsignature, source address, and destination address combinations.

As a workaround: Is the signature firing for only particular destination addresses?

If so then maybe you could exclude those destination addresses for the 1104??

If it fires for all or most of your addresses then it won't work very well of course.

I would call the TAC and request that they enter an enhancement request to have RecordOfExcludedPattern extended to include both source and destination ports for these types of situations.

CreatePlease to create content