IPS - Event Action Filters. Which alerts do you suppress?

Currently we have three IPS sensors consolidating all of our information into MARS and it is working quite well.
The question I have is whether anyone has a suggestion for the best practice for tuning signatures on the IPS appliances and which alerts to suppress.
For example, our internal IPS has fired a signature regarding network scanning from our Orion NPM server. In the past I would filter out all alerts from this source IP to the respective destination networks.
Looking at things again, is it best to just suppress the alert and still log the packets, or to remove all of the alerts, packet logging, etc. because it is a false positive?
Thanks in advance,
Matt

I think everyone has a different opinion about where and how to best tune the "SIM" environment. My 2 cents...
Think about how many places you'd have to make a change in order to effectively tune out what you're after.
Reserve your MARS drop rules for more "broad" filtering that would otherwise require changes to multiple devices and device types. For example, you might have a drop rule for all devices that perform network management-like processes. These devices can create lots of firewall accepts (and sometimes denies). Lots of netflows. They often trigger various IDS signatures. This is perfect for a MARS drop rule. Some changes may only require a change in one place (i.e. tune one reporting device). Cisco IDS alarms are a common one. You have a specific signature triggering a single rule in MARS. In this situation, if you have the ability to do it (time, know-how, access to the device, etc.), do your tuning as close to the reporting device as possible. Research alarms and tune on the sensor itself. Disable irrelevant or false-positive prone signatures. Create event filters where necessary.

Similar Messages

  • How many event actions filters a cisco ips can support

    We are running Cisco IPS 7.0(2) E4, and we are planning to tune some of the traffic every day. Any idea how many event action filters can be applied to a sensor, or is there a maximum limit on the number of filters?

    There is no limit to how many event action filters you can configure. I assume that you also know that event action filters are an ordered list:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2033432
    Also, found this bug FYI: bugID: CSCtf78755:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf78755
    (When over 495 event action filters are configured via CLI, it's corrupting "rules0.xml" file)
    Hope that answers your question.

  • Issue with applying Event Action filters

    Dear friends,
    A general question on Event Action filters. There is a signature with sig ID 6257.
    The following is the event action filter configuration:
    service event-action-rules rules0
    filters edit DHCP
    signature-id-range 6257
    subsignature-id-range 0
    attacker-address-range 172.20.20.10,172.20.20.11
    actions-to-remove produce-alert
    filter-item-status Enabled
    stop-on-match True
    os-relevance not-relevant
    exit
    Even though a valid DHCP offer is being given by the DHCP server, this alert is getting fired.
    We have even excluded the IP's of the DHCP Servers - 172.20.20.10 and 172.20.20.11 from the Attacker Address range parameter in the signature but still this alert gets fired.
    evIdsAlert: eventId=1204853641442197329 vendor=Cisco severity=low
    originator:
    hostId: IDSM2Core1
    appName: sensorApp
    appInstanceId: 592
    time: April 7, 2008 5:46:48 AM UTC offset=180 timeZone=1
    signature: description=DHCP Client DoS id=6257 version=S316
    subsigId: 0
    sigDetails: Server Offered a Malicious IP Address
    marsCategory: DoS/Host
    interfaceGroup: vs0
    vlan: 200
    participants:
    attacker:
    addr: 172.20.20.10 locality=OUT
    port: 0
    target:
    addr: 10.1.1.78 locality=OUT
    port: 0
    os: idSource=unknown type=unknown relevance=unknown
    summary: 4 final=true initialAlert=1204853641442197267 summaryType=Regular
    alertDetails: Regular Summary: 4 events this interval ;
    riskRatingValue: 25 targetValueRating=medium
    threatRatingValue: 25
    interface: ge0_7
    protocol: udp
    Looking forward to your kind help and advise on this.
    Thanks a lot
    Gautam

    Some things to check:
    1) Is the filter in the active list? Filters can be enabled or disabled, but they can also be active or inactive. You've only shown part of your configuration, so I can't tell if the filter is part of the active list.
    2) Are there actions other than produce-alert for the signature? Or is an event action override adding other actions?
    Produce-alert is not the only action that can cause an alert to be generated. The produce-verbose-alert, request-snmp-trap, log-attacker-packets, log-victim-packets, and log-pair-packets actions will also cause alerts to be generated. Modify the filter to also remove these actions.
    3) The alert you've shown is a Summary Alert. There may be an issue with Summarization and the Filters. Try modifying the signature to set it to FireAll with no summarization.
    4) If you have multiple filters then check the order of the filters. If the event is matching an earlier filter where the stop-on-match is set to True, then it will not check the event against this filter. Either move this filter up higher in the filter list, or change earlier filters to be "stop-on-match false".
    5) Also check to see if you are running the latest 5.1(7) or 6.0(4) Service pack. If running earlier 5.1 or 6.0 versions you might be hitting a bug that could have already been fixed.
    If none of the above help, then contact the TAC. It could be that you may have found a bug that the sensor development team is unaware of.
    To help in identifying the problem take a packet capture of the packets from 172.20.20.10 for several minutes around the time when the sensor is generating these alerts.
    This way the team can both check if the signature is firing correctly, and if the filters are working correctly for that signature.

  • Event Action Filters (difference between column Active & Enabled?)

    I have a IPS4260, running v6.0(3).
    Under "Configuration" > "Event Action Rules" > "Event Action Filter".
    What is the difference between column "Active" and "Enabled"? This is confusing.

    Event action filters are evaluated in a specified order. Active means that a filter participates in the order. Enabled means that it can perform a filtering action. Use Disable when you want to preserve the order, but not perform the action (e.g. if you want to turn it off for debugging, but want to keep its place in the list for later). Use Inactive when you don't want the filter in the ordering at all (e.g. if you want to keep it as a reminder, but don't plan to use it again). The filter list is displayed by CLI and IDM in logical order - first all of the Active filters in their specified order, and then all of the Inactive filters. I don't think the designers really intended to have 2 similar options; it is more a side effect of the data model used for storing the configuration.

  • IPS Event Action Filter is not working properly.

    Hi,
    We have a local syslog server which listens on UDP port 514. As many UDP frames have been cut, I've done some investigation and found dropped packets (action requested by IPS). This was signature 1206.0, which is "IP Fragment Too Small". I have created a new entry in IPS Policies to filter this out, but it didn't help. As a test I disabled the signature completely and all frames were delivered fine. Another thing I've tried was bringing the new action filter to the top and enabling the "Stop on Match" option. Still the same. The only solution is to disable the signature, but we can't do that.
    This is ASA-SSM-20 installed on ASA 5520 version 7.1(6)E4, mode: inline
    Bug search tool didn't show any related bugs.
    I have checked database integrity and get "No errors found while performing database integrity checks."
    My questions are:
    1. What can cause an action to be ignored on IPS?
    2. Is it worth using the "Repair Database" tool? If yes, what is the impact?
    3. Is it possible to check hit counts on each action filter?
    Regards
    Mariusz

    Hi All,
    Filter settings below:
    The filter works partially as I don't get alerts on the IPS itself.
    Firewall LOG:
    4 Feb 14 2014 15:33:22 39715 514 IPS requested to drop UDP packet from SOURCE_VLAN_NUMBER:/39715 to DESTINATION_VLAN_NUMBER:/514
    IPS LOG (when enabled):
    evIdsAlert: eventId=1352793300955167909  vendor=Cisco  severity=low 
      originator:  
        hostId: SSM02 
        appName: sensorApp 
        appInstanceId: 1192 
      time: Feb 14, 2014 15:33:22 UTC  offset=0  timeZone=GMT00:00 
      signature:   description=IP Fragment Too Small  id=1206  version=S212  type=anomaly  created=20030801 
        subsigId: 0 
        sigDetails: Too many small IP fragments in datagram 
      interfaceGroup: vs0 
      vlan: 0 
      participants:  
        attacker:  
          addr: 172.x.x.x  locality=OUT 
          port: 39715 
        target:  
          addr: x.x.x.x  locality=OUT 
          port: 514 
          os:   idSource=unknown  type=unknown  relevance=relevant 
      alertDetails: InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; 
      riskRatingValue: 50  targetValueRating=medium  attackRelevanceRating=relevant 
      threatRatingValue: 50 
      interface: GigabitEthernet0/1  context=single_vf  physical=Unknown  backplane=GigabitEthernet0/1 
      protocol: udp 
    Our next step is to make a service policy exception on the firewall itself. We are also considering reloading the IPS device or at least the analysis engine.
    Thanks for all your help so far. Any more suggestions are most welcome. I'll keep you up to date.
    Regards
    Mariusz

  • AIP-SSM configured with event action "produce alert", but it drop packets

    Hi, I configured an AIP-SSM IPS with the event action "Produce Alert", but when a signature fires, it drops the packets. So, what could the problem be?

    Try these links:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

  • IPS Events Variables

    I started to make my rules using variables instead of IP addresses or IP address ranges.
    I use a variable in the "Event Action Filters", but I do not know whether you can use 2 variables. For example, in the screen dump, here I would like to use 2 variables $ windows domain
    Can I use 2 variables? It works fine with 1 variable.

    Hi Fadi,
    Thanks for your reply.
    I hope Cisco will fix this bug soon.
    Best regards
    Rene

  • Alert and second alert when you create new event

    Problem with alert and second alert when you create a new event on the calendar, but only in Russian iPhone language!
    This problem started with iOS 7 and persists up to the present time, iOS 8.1.1. This problem has been seen on iPhone 4, iPhone 4s, iPhone 5, iPhone 5s, iPhone 6, iPhone 6+.

    Settings > General > Reset > Reset All Content and Settings
    is the standard fix for such bugs, but not this time.

  • How to add an Event action filter when victim address is " na "?

    Using VMS/IPS MC to add an event action filter. IPS MC requires a victim address in the event action filter; however, the alert in Security Monitor has "<na>" as the victim address.
    I tried "0.0.0.0 255.255.255.255", which caught the alerts that had victim addresses, but the alerts with victim address of <na> are still being reported.
    The signatures are 3250 and 3251 (tcp hijacks).

    marcabal has posted a very good explanation for sig 3030 here:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=EmailAFriend&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd9b49a%2F0#selected_message
    It may also explain some of the other problems.
    I would like to add that <na> in any field usually means that the signature does not require anything in that field in order to fire, and therefore it is truly "not applicable". In the referenced post, marcabal indicated that filters should be a little more controllable in version 5.1. However, we haven't upgraded from 5.0 yet, so I couldn't confirm that. I would hope that, regardless of whether the data is applicable to the signature or not, the sensor would gather and display the information in SecMon.
    With 3030, it came down to a question of, "is this signature really helping us keep this network secure?" I pulled a lot of hair out over that signature.

  • Filtering verbose alerts

    Greetings all. I'm having some difficulties implementing event filters on a 4215 running 5.0.4.
    1. I've globally enabled verbose alerting via the CLI by doing
    # service event-action-rules rules0
    # overrides produce-verbose-alert
    2. I want to filter 'TCP SYN Port Sweep' (3002 0) so it doesn't get logged to the idsEventStore. I've created the following single filter,
    # service event-action-rules rules0
    # filters insert foo begin
    # signature-id 3002
    # subsignature-id-range 0-10
    # actions-to-remove produce-verbose-alert
    # filter-item-status Enabled
    # stop-on-match True
    I save my changes, and when running local scans I see the event still being logged but WITHOUT the triggerPacket info. OK, I edit the rule and change it to
    # actions-to-remove produce-alert
    run scans again and the event appears in the idsEventStore WITH the triggerPacket.
    It appears I have to create two identical filter rules, first one with
    # actions-to-remove produce-verbose-alert
    next one with,
    # actions-to-remove produce-alert
    in order to completely filter 'TCP SYN Port Sweep' from the idsEventStore and I don't see it. So my question to the group is,
    How does one create a single event filter rule to drop verbose alerts? Note: I need to have produce-verbose-alert set globally for troubleshooting.
    Thanks in advance for the assistance.

    When creating a filter you can specify multiple actions to remove. In IDM you hold down the control key to select each additional action. In IDM I think you put a "|" between each action you want to remove: "produceAlert|produceVerboseAlert".
    You will need to use the one filter to remove All actions that produce any kind of alert.
    So you need to remove the following actions at a minimum:
    produceAlert
    produceVerboseAlert
    requestSnmpTrap
    logAttackerPackets
    logVictimPackets
    logPairPackets
    The last 5 actions above will force an alert to be produced even if produceAlert has been filtered out. So you have to remove them as well. This is sort of stated in the IDM guide:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmevtrul.htm#wp1062278
    But was not made clear in the CLI guide.
    If you want to prevent all the actions (including those that don't produce an alert) then enter every action in the actions to remove section.
    (NOTE: This is much easier to do in IDM. You select the top action, Hold down Shift key, and select the last action, and all the actions will be selected for removal).
    It sounds like you are not interested in the 3002 signature at all. If this is the case, then the simplest thing to do is to just Disable the signature, and not worry about the filters.
    The filters should really only be used if you want to filter for specific address ranges, or want to filter out some but not all of the actions.
    If you want to filter out All actions for All ip addresses, then just Disable the signature instead.
    It will save on internal processing within the sensor.
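Both replies above (the DHCP filter checklist and the verbose-alert answer) come down to the same audit: does the filter still leave an alert-producing action in place, is it enabled, does the alert actually match its criteria, and is an earlier stop-on-match filter consuming the event first. The script below is an added example, not Cisco code; it parses the flat CLI lines shown in this thread (a constructed sample is embedded) and reports those four conditions. The default subsignature range of 0-255 and the broad first filter are assumptions.

```python
"""Audit a Cisco IPS event-action filter for the pitfalls the replies above list: alert-producing
actions not removed, a disabled filter, an alert outside the filter's criteria, and an earlier
stop-on-match filter shadowing it. Added example, not Cisco code; flat CLI lines only."""
import ipaddress
from typing import Dict, List, Optional

# Every action that still yields an alert even after produce-alert is removed
ALERTING_ACTIONS = {"produce-alert", "produce-verbose-alert", "request-snmp-trap",
                    "log-attacker-packets", "log-victim-packets", "log-pair-packets"}

# Constructed sample: an assumed broad stop-on-match filter ahead of the DHCP filter from the thread
SAMPLE_CONFIG = """\
filters insert broad begin
signature-id-range 6000-7000
actions-to-remove produce-alert|produce-verbose-alert
filter-item-status Enabled
stop-on-match True
exit
filters edit DHCP
signature-id-range 6257
subsignature-id-range 0
attacker-address-range 172.20.20.10,172.20.20.11
actions-to-remove produce-alert
filter-item-status Enabled
stop-on-match True
exit
"""

def parse_filters(text: str) -> List[Dict[str, str]]:
    """Return the filters in CLI order, each a dict of setting -> value."""
    filters: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate pasted '# ' prompts
        if line.startswith("filters "):          # 'filters edit X' or 'filters insert X begin'
            filters.append({"name": line.split()[2]})
        elif filters and " " in line:            # 'exit' and blank lines fall through
            key, value = line.split(None, 1)
            filters[-1][key] = value
    return filters

def in_range(spec: str, value: int) -> bool:
    lo, _, hi = spec.partition("-")              # '6257' or '6000-7000'
    return int(lo) <= value <= int(hi or lo)

def address_matches(spec: Optional[str], addr: str) -> bool:
    """No range configured means any address; entries are single IPs or a-b spans."""
    ip = ipaddress.ip_address(addr)
    return not spec or any(
        ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo)
        for lo, _, hi in (item.strip().partition("-") for item in spec.split(",")))

def matches(f: Dict[str, str], sig: int, subsig: int, attacker: str) -> bool:
    sig_spec = f.get("signature-id-range") or f.get("signature-id")
    return (sig_spec is not None and in_range(sig_spec, sig)
            and in_range(f.get("subsignature-id-range", "0-255"), subsig)  # assumed default
            and address_matches(f.get("attacker-address-range"), attacker))

def audit(filters: List[Dict[str, str]], name: str, sig: int, subsig: int, attacker: str) -> List[str]:
    """Explain why filter `name` may fail to silence the given alert (empty list = no issue found)."""
    idx = next((i for i, f in enumerate(filters) if f["name"] == name), None)
    if idx is None:
        raise ValueError(f"no filter named {name}")
    target, findings = filters[idx], []
    if target.get("filter-item-status", "").lower() != "enabled":
        findings.append("filter is not enabled")
    if not matches(target, sig, subsig, attacker):
        findings.append("alert does not match the filter's signature/address criteria")
    removed = {a.strip() for a in target.get("actions-to-remove", "").replace("|", ",").split(",")}
    left = sorted(ALERTING_ACTIONS - removed)
    if left:
        findings.append("alert-producing actions still present: " + ", ".join(left))
    for earlier in filters[:idx]:  # a hit on an earlier stop-on-match filter ends evaluation
        if earlier.get("stop-on-match", "").lower() == "true" and matches(earlier, sig, subsig, attacker):
            findings.append(f"shadowed by earlier stop-on-match filter {earlier['name']}")
    return findings
```

Running `audit(parse_filters(SAMPLE_CONFIG), "DHCP", 6257, 0, "172.20.20.10")` reports both the five alerting actions the DHCP filter leaves in place and the shadowing by the earlier filter.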

  • How to get the table Event action in the controller???

    HI
    Based on my requirement I have extended my controller, but I want to perform some validation.
    I have a table in one region, in which one column has a button (flex field) action with an image.
    I want to write the code in the controller according to the validation, but I am unable to find the event action in the main controller.
    How do I get the event action of an item of type image?
    thanks in advance
    Kash

    If not, you can use an image component with clientListener and serverListener to perform your requirement: set the clientListener click event, and then inside the clientListener JavaScript method call the serverListener, which will execute the serverListener method.

  • Customizable Email Filters w/ Alerts - App Failure!

    Does this make the iPhone almost useless to anyone else? I would expect after the amount of time that the iPhone has been out that the developers would have added some sort of feature to create custom alerts for emails using filters.
    I work for a large corporation and use my phone as a pager to wake me up when I get certain emails or pages.
    I recently purchased an iPhone to use as my work phone only to find that there is no way to do this other than an app like MailTones which requires that you forward your emails through their server which I do not feel comfortable doing. This should be a built in feature!
    Does anyone know if this is going to be added, or if it is even being considered for the future?

    You are correct that I should have checked into it a bit more and there are various ways around it that I can use such as setting alerts to all of the messages in my inbox to wake me up but that will wake me more than I would like.
    There are others in our company using their iPhone as their work phone/pager and it works for them but I guess our group is more attentive to some of the alerts we get. If I wait long enough, these alerts can turn into a real problem and I will get a call from our Network Operations Center. I would simply like to avoid the NOC ever knowing that there is an issue. We like to fix things before they impact users.
    I work for a major news company. We support the application layer of functionality that is behind everything that gets videos, stories, content, etc. to the public and onto the web or TV.
    We have automated monitoring systems that send us alerts which we filter prior to getting them on the iPhone. So even being able to make one folder alert differently from another would be sufficient.
    I'm sad to hear that we do not have any official apple support on this forum. I was in hopes of hearing from a developer or someone of the like...
    Don't get me wrong, I love the iPhone. I have a Pre as my personal phone and I love them both, but it just seems that they would have added this feature by now. Also, being able to mark all messages as read seems like an elementary feature that should be included.

  • Tree component event action

    Hello
    There's a page which contains the following 3 components: Input textfield, Button, Tree
    I made the following settings of them:
    I set the "event action" at the tree node, and so did I at the button properties.
    When I click on the button, the action runs and sets the value of the Input textfield:
    this.i_textField1.setValue("something"); - the Input textfield displays it as it should.
    When I click on the tree node, the event action runs (it can be tracked in debug mode) and executes this.i_textField1.setValue('something');, but the textfield doesn't display it.
    Any suggestions?
    Thanks

    The root problem is that the tree node component always behaves as though it had an immediate property set to "true". You'll get the same behavior from a button or hyperlink or any other action component if you set immediate="true". The text field submitted values are not cleared, and so the text field redisplays them instead of the value that is set in code or obtained by evaluating the binding on the session bean.
    There is a work-around. There is a page bean method, erase(), which will clear all submitted values. Call this before you set the new values, e.g.:
        public String treeNode1_action() {
            // Clear all submitted values first, otherwise the text field
            // redisplays its submitted value instead of the one set below
            this.erase();
            textField2.setValue("Tree Node");
            staticText2.setValue("Tree Node");
            getSessionBean1().setTemp("Tree Node");
            return null;
        }
    // Gregory

  • Upgrading from CC to CC 2014 without losing Actions & Filters

    I'd like to upgrade from CC 14.2.1 (64 bit) to CC 2014, but I can't afford to lose my Actions & Filters since I spent 18 months creating and installing. I don't mind moving them, but I need to know where they are and where to move them to. Or anything else that helps me upgrade without losing them all.

    I strongly recommend you save your actions in .atn files and keep the files in a safe place.  Do this by clicking on the actions set name, then clicking the icon at the upper-right of the Actions panel and choosing Save Actions.  This protects you from the loss of information from Photoshop preferences (which should not happen, but it's always good to be safe).
    If the installation process somehow does not automatically copy your actions to the new version when it is installed, you can always load them from the .atn files yourself.
    Regarding what you're calling Filters, I'm assuming you're referring to 3rd party plug-ins.  Since Photoshop CC 2014 is a completely separate and new application, you'll simply have to reinstall them into the new version.  I recommend not trying to copy them from one version to the other, though that can be done in a pinch - you just have to be sure you get all the related files together (some of which may not be under the Plug-ins subfolder).
    Keep in mind that if you don't uninstall Photoshop CC 14.2.1 (and I recommend you don't), you can continue to use it in a pinch, until you get Photoshop CC 2014 fully set up and are confident in it.  As I mentioned, Photoshop CC 2014 is a completely separate install.
    -Noel

  • Extended events /actions definitions

    One of the shortcomings I seem to keep stumbling across is that event action definitions are nowhere to be found. I've been searching for weeks and can't find a resource from Microsoft which helps me understand the official definition for an action.
    Has someone here found that resource or know where it is?

    If you are talking about the descriptions of what they collect, then indeed the DMVs are the best place at hand currently still.
    Example query:
    -- XE Actions
    SELECT dm_xe_packages.name AS package_name,
    dm_xe_objects.name AS source_name,
    dm_xe_objects.description
    FROM sys.dm_xe_objects AS dm_xe_objects
    INNER JOIN sys.dm_xe_packages AS dm_xe_packages
    ON dm_xe_objects.package_guid = dm_xe_packages.guid
    WHERE
    (dm_xe_packages.capabilities IS NULL OR dm_xe_packages.capabilities & 1 = 0)
    AND (dm_xe_objects.capabilities IS NULL OR dm_xe_objects.capabilities & 1 = 0)
    AND dm_xe_objects.object_type = 'action'
    If you want to understand the Extended Events architecture more deeply, I can recommend this article by Jonathan Kehayias:
    Using SQL Server 2008 Extended Events
    Andreas Wolter (Blog | Twitter)
    MCSM: Microsoft Certified Solutions Master Data Platform, MCM, MVP
    www.SarpedonQualityLab.com | www.SQL-Server-Master-Class.com
