IPS - Event Action Filters. Which alerts do you suppress
Currently we have three IPS sensors consolidating all of our information into MARS and it is working quite well.
The question I am wondering about is whether anyone has a suggestion for the best practice for tuning signatures at the IPS appliances and which alerts to suppress.
For example, our internal IPS has fired off a signature in regards to network scanning from our Orion NPM server. In the past I would filter out all alerts from this source IP to respective destination networks.
Looking at things again, is it best to just suppress the alert and still log the packets, or to remove all of the alerts, packet logging, etc. because it is a false positive?
Thanks in advance,
Matt
I think everyone has a different opinion about where and how to best tune the "SIM" environment. My 2 cents...
Think about how many places you'd have to make a change in order to effectively tune out what you're after.
Reserve your MARS drop rules for more "broad" filtering that would otherwise require changes to multiple devices and device types. For example, you might have a drop rule for all devices that perform network management-like processes. These devices can create lots of firewall accepts (and sometimes denies) and lots of netflows, and they often trigger various IDS signatures. This is perfect for a MARS drop rule.
Some changes may only require a change in one place (i.e. tune one reporting device). Cisco IDS alarms are a common one: you have a specific signature triggering a single rule in MARS. In this situation, if you have the ability to do it (time, know-how, access to the device, etc.), do your tuning as close to the reporting device as possible. Research alarms and tune on the sensor itself. Disable irrelevant or false-positive prone signatures. Create event filters where necessary.
Similar Messages
-
How many event actions filters a cisco ips can support
We are running Cisco IPS 7.0(2) E4, and we are planning to tune some of the traffic every day. Any idea how many event action filters can be applied to a sensor, or is there a maximum limit on the number of filters?
There is no limit to how many event action filters you can configure. I assume that you also know that the event action filter list is an ordered list:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2033432
Also, found this bug FYI: bugID: CSCtf78755:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf78755
(When over 495 event action filters are configured via the CLI, it corrupts the "rules0.xml" file.)
Hope that answers your question. -
Issue with applying Event Action filters
Dear friends,
A general question on Event Action filters. There is a signature with sig ID 6257.
The following is the event action filter configuration:
service event-action-rules rules0
filters edit DHCP
signature-id-range 6257
subsignature-id-range 0
attacker-address-range 172.20.20.10,172.20.20.11
actions-to-remove produce-alert
filter-item-status Enabled
stop-on-match True
os-relevance not-relevant
exit
Even though a valid DHCP offer is being given by the DHCP server, this alert is getting fired.
We have even excluded the IPs of the DHCP servers, 172.20.20.10 and 172.20.20.11, in the Attacker Address Range parameter of the filter, but this alert still gets fired.
evIdsAlert: eventId=1204853641442197329 vendor=Cisco severity=low
originator:
hostId: IDSM2Core1
appName: sensorApp
appInstanceId: 592
time: April 7, 2008 5:46:48 AM UTC offset=180 timeZone=1
signature: description=DHCP Client DoS id=6257 version=S316
subsigId: 0
sigDetails: Server Offered a Malicious IP Address
marsCategory: DoS/Host
interfaceGroup: vs0
vlan: 200
participants:
attacker:
addr: 172.20.20.10 locality=OUT
port: 0
target:
addr: 10.1.1.78 locality=OUT
port: 0
os: idSource=unknown type=unknown relevance=unknown
summary: 4 final=true initialAlert=1204853641442197267 summaryType=Regular
alertDetails: Regular Summary: 4 events this interval ;
riskRatingValue: 25 targetValueRating=medium
threatRatingValue: 25
interface: ge0_7
protocol: udp
Looking forward to your kind help and advise on this.
Thanks a lot
Gautam
Some things to check:
1) Is the filter in the active list? Filters can be enabled or disabled, but they can also be active or inactive. You've only shown part of your configuration, so I can't tell if the filter is part of the active list.
2) Are there actions other than produce-alert for the signature? Or is an event action override adding other actions?
Produce-alert is not the only action that can cause an alert to be generated. The produce-verbose-alert, request-snmp-trap, log-attacker-packets, log-victim-packets, and log-pair-packets actions will also cause alerts to be generated. Modify the filter to also remove these actions.
3) The alert you've shown is a Summary Alert. There may be an issue with Summarization and the Filters. Try modifying the signature to set it to FireAll with no summarization.
4) If you have multiple filters then check the order of the filters. If the event is matching an earlier filter where the stop-on-match is set to True, then it will not check the event against this filter. Either move this filter up higher in the filter list, or change earlier filters to be "stop-on-match false".
5) Also check to see if you are running the latest 5.1(7) or 6.0(4) Service pack. If running earlier 5.1 or 6.0 versions you might be hitting a bug that could have already been fixed.
If none of the above help, then contact the TAC. It could be that you have found a bug that the sensor development team is unaware of.
To help in identifying the problem take a packet capture of the packets from 172.20.20.10 for several minutes around the time when the sensor is generating these alerts.
This way the team can both check if the signature is firing correctly, and if the filters are working correctly for that signature. -
Event Action Filters (difference between column Active & Enabled?)
I have a IPS4260, running v6.0(3).
Under "Configuration" > "Event Action Rules" > "Event Action Filter".
What is the difference between the columns "Active" and "Enabled"? This is confusing.
Event action filters are evaluated in a specified order. Active means that a filter participates in the order. Enabled means that it can perform a filtering action. Use Disable when you want to preserve the order but not perform the action (e.g. if you want to turn it off for debugging, but want to keep its place in the list for later). Use Inactive when you don't want the filter in the ordering at all (e.g. if you want to keep it as a reminder, but don't plan to use it again). The filter list is displayed by the CLI and IDM in logical order: first all of the Active filters in their specified order, and then all of the Inactive filters. I don't think the designers really intended to have 2 similar options; it is more a side effect of the data model used for storing the configuration.
-
IPS Event Action Filter is not working properly.
Hi,
We have a local syslog server which listens on UDP port 514. As many UDP frames have been cut, I've done some investigation and found dropped packets (action requested by the IPS). This was signature 1206.0, "IP Fragment Too Small". I have created a new entry in IPS Policies to filter this out, but it didn't help. As a test I disabled the signature completely and all frames were delivered fine. Another thing I tried was bringing the new action filter to the top and enabling the "Stop on Match" option. Still the same. The only solution is to disable the signature, but we can't do that.
This is ASA-SSM-20 installed on ASA 5520 version 7.1(6)E4, mode: inline
Bug search tool didn't show any related bugs.
I have checked Database integrity and get "No errors found while performing database integrity checks.
My questions are:
1. What can cause an action to be ignored on IPS?
2. Is it worth using the "Repair Database" tool? If yes, what is the impact?
3. Is it possible to check hit counts on each action filter?
Regards
Mariusz
Hi All,
Filter settings below:
The filter works partially as I don't get alerts on the IPS itself.
Firewall LOG:
4 Feb 14 2014 15:33:22 39715 514 IPS requested to drop UDP packet from SOURCE_VLAN_NUMBER:/39715 to DESTINATION_VLAN_NUMBER:/514
IPS LOG (when enabled):
evIdsAlert: eventId=1352793300955167909 vendor=Cisco severity=low
originator:
hostId: SSM02
appName: sensorApp
appInstanceId: 1192
time: Feb 14, 2014 15:33:22 UTC offset=0 timeZone=GMT00:00
signature: description=IP Fragment Too Small id=1206 version=S212 type=anomaly created=20030801
subsigId: 0
sigDetails: Too many small IP fragments in datagram
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 172.x.x.x locality=OUT
port: 39715
target:
addr: x.x.x.x locality=OUT
port: 514
os: idSource=unknown type=unknown relevance=relevant
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 50 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 50
interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1
protocol: udp
Our next step is to make a service policy exception on the firewall itself. We are also considering reloading the IPS device or at least the analysis engine.
Thanks for all your help so far. Any more suggestions are most welcome. I'll keep you up to date.
Regards
Mariusz -
AIP-SSM configured with event action "produce alert", but it drop packets
Hi, I configured an AIP-SSM IPS with the event action "Produce Alert", but when a signature fires, it drops the packets. So what could be the problem?
Try these links:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml -
I started to make my rules using variables instead of IP addresses or IP address ranges.
I use a variable in the "Event Action Filters", but I do not know whether you can use 2 variables. For example, in the screen dump here I would like to use 2 variables: $ windows domain
Can I use 2 variables? It works fine with 1 variable.
Hi Fadi,
Thanks for your reply.
I hope soon Cisco have to fix this bug.
Best regard
Rene -
Alert and second alert when you create new event
Problem with alert and second alert when you create a new event on the calendar, but only with the Russian iPhone language!
This problem started with iOS 7 and persists up to the present time, iOS 8.1.1. It has been seen on iPhone 4, iPhone 4s, iPhone 5, iPhone 5s, iPhone 6 and iPhone 6+.
Settings > General > Reset > Reset All Content and Settings
is the standard fix for such bugs, but not this time. -
How to add an Event action filter when victim address is " na "?
Using VMS/IPS MC to add an event action filter. IPS MC requires an victim address in the event action filter, however the alert in Security Monitor has "<na>" as the victim address.
I tried "0.0.0.0 255.255.255.255", which caught the alerts that had victim addresses, but the alerts with victim address of <na> are still being reported.
The signatures are 3250 and 3251 (TCP hijacks).
marcabal has posted a very good explanation for sig 3030 here:
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=EmailAFriend&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd9b49a%2F0#selected_message
It may also explain some of the other problems.
I would like to add that "<na>" in any field usually means that the signature does not require anything in that field in order to fire, and therefore it is truly "not applicable". In the referenced post, marcabal indicated that filters should be a little more controllable in version 5.1. However, we haven't upgraded from 5.0 yet, so I couldn't confirm that. I would hope that regardless of whether the data is applicable to the signature or not, the sensor would gather and display the information in SecMon.
With 3030, it came down to a question of, "is this signature really helping us keep this network secure?" I pulled a lot of hair out over that signature. -
Greetings all. I'm having some difficulties implementing event filters for a 4215 running 5.0.4.
1. I've globally enabled verbose alerting via the CLI by doing
# service event-action-rules rules0
# overrides produce-verbose-alert
2. I want to filter 'TCP SYN Port Sweep' (3002 0) so it doesn't get logged to the idsEventStore. I've created the following single filter,
# service event-action-rules rules0
# filters insert foo begin
# signature-id 3002
# subsignature-id-range 0-10
# actions-to-remove produce-verbose-alert
# filter-item-status Enabled
# stop-on-match True
I save my changes and when running local scans I see the event still being logged but WITHOUT the triggerPacket info. OK, I edit the rule and change to
# actions-to-remove produce-alert
run scans again and the event appears in the idsEventStore WITH the triggerPacket.
It appears I have to create two identical filter rules, first one with
# actions-to-remove produce-verbose-alert
next one with,
# actions-to-remove produce-alert
in order to completely filter 'TCP SYN Port Sweep' from the idsEventStore and I don't see it. So my question to the group is,
How does one create a single event filter rule to drop verbose alerts? Note: I need to have produce-verbose-alert set globally for troubleshooting.
Thanks in advance for the assistance.
When creating a filter you can specify multiple actions to remove. In IDM you hold down the control key to select each additional action. In IDM I think you put a "|" between each action you want to remove: "produceAlert|produceVerboseAlert".
You will need to use the one filter to remove All actions that produce any kind of alert.
So you need to remove the following actions at a minimum:
produceAlert
produceVerboseAlert
requestSnmpTrap
logAttackerPackets
logVictimPackets
logPairPackets
The last 5 actions above will force an alert to be produced Even if produceAlert has been filtered out. So you have to remove them as well. This is sort of stated in the IDM guide:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmevtrul.htm#wp1062278
But was not made clear in the CLI guide.
If you want to prevent all the actions (including those that don't produce an alert) then enter every action in the actions to remove section.
(NOTE: This is much easier to do in IDM. You select the top action, Hold down Shift key, and select the last action, and all the actions will be selected for removal).
It sounds like you are not interested in the 3002 signature at all. If this is the case, then the simplest thing to do is to just Disable the signature, and not worry about the filters.
The filters should really only be used if you want to filter for specific address ranges, or want to filter out some but not all of the actions.
If you want to filter out All actions for All ip addresses, then just Disable the signature instead.
It will save on internal processing within the sensor. -
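The three answers above agree on the mechanics: filters are an ordered list, only Active filters take part in that order and only Enabled ones act, an earlier stop-on-match filter hides later ones, and six different actions (not just produce-alert) each make the sensor write an alert. The model below is an added example written for this page, not Cisco code and not the sensor's real matching engine. It matches on signature id, subsignature id and attacker address only; the 6257 event, its action list (produce-alert plus log-attacker-packets) and the "no-traps" filter are constructed for the illustration, and the choice to skip a disabled filter entirely while it keeps its place in the order is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Any one of these actions makes the sensor write an alert, so a filter that
# removes only produce-alert leaves the signature visible in the event store.
ALERTING_ACTIONS = frozenset({
    "produce-alert", "produce-verbose-alert", "request-snmp-trap",
    "log-attacker-packets", "log-victim-packets", "log-pair-packets",
})

def parse_id_range(spec):
    """'6257' or '900-65535' -> (low, high)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_addr_range(spec):
    """'a.b.c.d', 'a.b.c.d-e.f.g.h', or a comma-separated list of those."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((IPv4Address(lo), IPv4Address(hi or lo)))
    return ranges

@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker: str
    actions: frozenset  # actions the signature (plus any override) assigned

@dataclass
class Filter:
    name: str
    signature_id_range: str = "900-65535"
    subsignature_id_range: str = "0-255"
    attacker_address_range: str = "0.0.0.0-255.255.255.255"
    actions_to_remove: frozenset = frozenset()
    enabled: bool = True        # filter-item-status Enabled
    active: bool = True         # listed in the ordered (active) part of the list
    stop_on_match: bool = True

    def matches(self, ev):
        lo, hi = parse_id_range(self.signature_id_range)
        if not lo <= ev.sig_id <= hi:
            return False
        lo, hi = parse_id_range(self.subsignature_id_range)
        if not lo <= ev.subsig_id <= hi:
            return False
        addr = IPv4Address(ev.attacker)
        return any(lo <= addr <= hi
                   for lo, hi in parse_addr_range(self.attacker_address_range))

def apply_filters(filters, ev):
    """Walk the list in order; return (remaining actions, names of filters that acted)."""
    remaining = set(ev.actions)
    acted = []
    for f in filters:
        # Inactive filters are not in the ordering at all; a disabled filter keeps
        # its place but is skipped (assumption made for this model).
        if not (f.active and f.enabled) or not f.matches(ev):
            continue
        acted.append(f.name)
        remaining -= f.actions_to_remove
        if f.stop_on_match:
            break  # later filters are never consulted for this event
    return frozenset(remaining), acted

def will_alert(actions):
    return bool(actions & ALERTING_ACTIONS)

# Constructed event: signature 6257 from 172.20.20.10 with produce-alert and
# log-attacker-packets assigned (assumed; the thread does not show the action list).
DHCP_OFFER = Event(6257, 0, "172.20.20.10",
                   frozenset({"produce-alert", "log-attacker-packets"}))
DHCP_SERVERS = "172.20.20.10,172.20.20.11"

def narrow_vs_complete():
    """The filter as posted (produce-alert only) beside one removing all six actions."""
    narrow = Filter("DHCP", "6257", "0", DHCP_SERVERS, frozenset({"produce-alert"}))
    complete = Filter("DHCP", "6257", "0", DHCP_SERVERS, ALERTING_ACTIONS)
    return (will_alert(apply_filters([narrow], DHCP_OFFER)[0]),
            will_alert(apply_filters([complete], DHCP_OFFER)[0]))

def ordering_effect():
    """An earlier stop-on-match filter shadows the DHCP filter until it is relaxed."""
    dhcp = Filter("DHCP", "6257", "0", DHCP_SERVERS, ALERTING_ACTIONS)
    earlier = Filter("no-traps", "6000-6999",
                     actions_to_remove=frozenset({"request-snmp-trap"}))
    shadowed = will_alert(apply_filters([earlier, dhcp], DHCP_OFFER)[0])
    earlier.stop_on_match = False
    reached = will_alert(apply_filters([earlier, dhcp], DHCP_OFFER)[0])
    return shadowed, reached

if __name__ == "__main__":
    print("produce-alert only / all six removed:", narrow_vs_complete())
    print("shadowed / stop-on-match False:", ordering_effect())
```

The two checks mirror points 2 and 4 of the 6257 answer: narrow_vs_complete() returns (True, False) because log-attacker-packets alone still forces an alert, and ordering_effect() returns (True, False) because the broad "no-traps" filter with stop-on-match True stops evaluation before the DHCP filter is reached. The model is also a convenient place to try an extra filter before pushing it to a production sensor.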
How to get the table Event action in the controller???
HI
Based on my requirement I have extended my controller, but I want to perform some validation.
I have a table in one region, in which one column has a Button (flex field) action with an image.
I want to write the code in the controller according to the validation, but I am unable to find the event action in the main controller.
How do I get the event action of an item of type image?
Thanks in advance
Kash
If not, you can use an image component with clientListener and serverListener to perform your requirement: set the clientListener click event, and then inside the clientListener JavaScript method call the
serverListener, which will then execute the serverListener method. -
Customizable Email Filters w/ Alerts - App Failure!
Does this make the iPhone almost useless to anyone else? I would expect after the amount of time that the iPhone has been out that the developers would have added some sort of feature to create custom alerts for emails using filters.
I work for a large corporation and use my phone as a pager to wake me up when I get certain emails or pages.
I recently purchased an iPhone to use as my work phone only to find that there is no way to do this other than an app like MailTones which requires that you forward your emails through their server which I do not feel comfortable doing. This should be a built in feature!
Does anyone know if this is going to be added, or if it is even being considered for the future?
You are correct that I should have checked into it a bit more, and there are various ways around it that I can use, such as setting alerts for all of the messages in my inbox to wake me up, but that will wake me more than I would like.
There are others in our company using their iPhone as their work phone/pager and it works for them but I guess our group is more attentive to some of the alerts we get. If I wait long enough, these alerts can turn into a real problem and I will get a call from our Network Operations Center. I would simply like to avoid the NOC ever knowing that there is an issue. We like to fix things before they impact users.
I work for a major news company. We support the application layer of functionality that is behind everything that gets videos, stories, content, etc. to the public and onto the web or TV.
We have automated monitoring systems that send us alerts which we filter prior to getting them on the iPhone. So even being able to make one folder alert differently from another would be sufficient.
I'm sad to hear that we do not have any official apple support on this forum. I was in hopes of hearing from a developer or someone of the like...
Don't get me wrong, I love the iPhone. I have a Pre as my personal phone and I love them both but it just seems that they would have added this feature by now. Also being able to mark all messages as read seems like a elementary feature that should be included. -
Hello
There's a page which contains the following 3 components: Input textfield, Button, Tree
I made the following settings of them:
I set the "event action" at the tree node, and so did I at the button properties.
When I click on the button, the action runs and set the value of the Input textfield:
this.i_textField1.setValue("something"); and the Input textfield displays it as it should.
When I click on the tree node, the event action runs (it can be tracked in debug mode), which runs this.i_textField1.setValue('something');, but the textfield doesn't display it.
Any suggestions?
Thanks
The root problem is that the tree node component always behaves as though it had an immediate property set to "true". You'll get the same behavior from a button or hyperlink or any other action component if you set immediate="true". The text field's submitted values are not cleared, and so the text field redisplays them instead of the value that is set in code or obtained by evaluating the binding on the session bean.
There is a work-around. There is a page bean method, erase(), which will clear all submitted values. Call this before you set the new values, e.g.:
public String treeNode1_action() {
    this.erase(); // clear all submitted values before setting the new ones
    textField2.setValue("Tree Node");
    staticText2.setValue("Tree Node");
    getSessionBean1().setTemp("Tree Node");
    return null;
}
// Gregory -
Upgrading from CC to CC 2014 without losing Actions & Filters
I'd like to upgrade from CC 14.2.1 (64 bit) to CC 2014, but I can't afford to lose my Actions & Filters since I spent 18 months creating and installing. I don't mind moving them, but I need to know where they are and where to move them to. Or anything else that helps me upgrade without losing them all.
I strongly recommend you save your actions in .atn files and keep the files in a safe place. Do this by clicking on the actions set name, then clicking the icon at the upper-right of the Actions panel and choosing Save Actions. This protects you from the loss of information from Photoshop preferences (which should not happen, but it's always good to be safe).
If the installation process somehow does not automatically copy your actions to the new version when it is installed, you can always load them from the .atn files yourself.
Regarding what you're calling Filters, I'm assuming you're referring to 3rd party plug-ins. Since Photoshop CC 2014 is a completely separate and new application, you'll simply have to reinstall them into the new version. I recommend not trying to copy them from one version to the other, though that can be done in a pinch - you just have to be sure you get all the related files together (some of which may not be under the Plug-ins subfolder).
Keep in mind that if you don't uninstall Photoshop CC 14.2.1 (and I recommend you don't), you can continue to use it in a pinch, until you get Photoshop CC 2014 fully set up and are confident in it. As I mentioned, Photoshop CC 2014 is a completely separate install.
-Noel -
Extended events /actions definitions
One of the shortcomings I seem to keep stumbling across is that event action definitions are no where to be found. I've been searching for weeks and can't find a resource from Microsoft which helps me understand the official definition for an action.
Has someone here found that resource or know where it is?
If you are talking about the descriptions of what they collect, then indeed the DMVs are currently still the best place at hand.
Example query:
-- XE Actions
SELECT dm_xe_packages.name AS package_name,
dm_xe_objects.name AS source_name,
dm_xe_objects.description
FROM sys.dm_xe_objects AS dm_xe_objects
INNER JOIN sys.dm_xe_packages AS dm_xe_packages
ON dm_xe_objects.package_guid = dm_xe_packages.guid
WHERE
(dm_xe_packages.capabilities IS NULL OR dm_xe_packages.capabilities & 1 = 0)
AND (dm_xe_objects.capabilities IS NULL OR dm_xe_objects.capabilities & 1 = 0)
AND dm_xe_objects.object_type = 'action'
If you want to understand the Extended Events architecture more deeply, I can recommend this article by Jonathan Kehayias:
Using SQL Server 2008 Extended Events
Andreas Wolter (Blog | Twitter)
MCSM: Microsoft Certified Solutions Master Data Platform, MCM, MVP
www.SarpedonQualityLab.com | www.SQL-Server-Master-Class.com