How did you modify the IPS Attack Response in the first place, what did you edit?
You can say "not [IPS signature name]" in the audit filter so that you don't alert on that specific IPS signature name any longer. You will still block it, etc., but won't email about it.
Hi sliedl, what I did with the IPS Attack Response was modifying the Attack Response Alert, and added a new one that sends me an email on any occurrence.
Now I understand what I should do. I have to create a new Audit Filter to log all the IPS Attack Responses and exclude there the IPS signature that I don't want to be logged. Then I have to use that filter in a new IPS Attack Response.
I was trying to create the filter using the audit viewing console, and I'm getting a validation error in the filter. I've tried these combinations and others using ', ", etc., and they did not work. Can you help me create the filter?
- category AUDIT_C_IPS and not ips_signame FRONTPAGE.VTI-CNF-ACCESS.WEB.SUSPECT
- category AUDIT_C_IPS and not ips_sid 20054928
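Added example, not part of the thread and not the appliance's own filter engine: a small evaluator for the `field value and not field value` form of filter the poster is trying to write, run over constructed audit records. It shows the defender's point of the thread: the excluded signature is kept out of the alert stream while still being counted as a blocked event. Field names (`category`, `ips_signame`, `ips_sid`) are taken from the posts; the record values and the second signature name are made up for illustration.

```python
import re

# Constructed audit records for illustration; field names follow the thread,
# values are invented (the second signature name is a placeholder).
SAMPLE_AUDIT = [
    {"category": "AUDIT_C_IPS", "ips_signame": "FRONTPAGE.VTI-CNF-ACCESS.WEB.SUSPECT",
     "ips_sid": "20054928", "action": "deny"},
    {"category": "AUDIT_C_IPS", "ips_signame": "EXAMPLE.SIGNATURE.TWO",
     "ips_sid": "20000002", "action": "deny"},
    {"category": "AUDIT_C_IPS", "ips_signame": "FRONTPAGE.VTI-CNF-ACCESS.WEB.SUSPECT",
     "ips_sid": "20054928", "action": "deny"},
    {"category": "AUDIT_C_NETPROBE", "ips_signame": "", "ips_sid": "", "action": "deny"},
]


def parse_filter(expr):
    """Parse 'field value [and [not] field value ...]' into (negate, field, value) clauses.

    This is an assumed grammar for the example only; it raises ValueError on a
    clause that lacks a value, which is the kind of input a console would reject.
    """
    clauses = []
    for part in re.split(r"\s+and\s+", expr.strip()):
        negate = False
        if part.startswith("not "):
            negate = True
            part = part[4:].strip()
        try:
            fld, val = part.split(None, 1)
        except ValueError:
            raise ValueError(f"clause needs a field and a value: {part!r}")
        # Tolerate quoting of the value so both quoted and bare forms match.
        clauses.append((negate, fld, val.strip().strip("'\"")))
    return clauses


def matches(record, clauses):
    """True when every clause holds for the record (AND semantics)."""
    for negate, fld, val in clauses:
        hit = str(record.get(fld, "")) == val
        if hit == negate:  # positive clause missed, or negated clause hit
            return False
    return True


def split_alerts(records, expr):
    """Return (alerts, suppressed_blocked).

    alerts: records that pass the filter and would trigger the email response.
    suppressed_blocked: IPS records excluded by the filter; they are still
    denied by the IPS, so keeping a count of them answers the concern about
    blocking traffic without noticing.
    """
    clauses = parse_filter(expr)
    alerts, suppressed = [], []
    for r in records:
        if matches(r, clauses):
            alerts.append(r)
        elif r["category"] == "AUDIT_C_IPS":
            suppressed.append(r)
    return alerts, suppressed


if __name__ == "__main__":
    expr = "category AUDIT_C_IPS and not ips_signame FRONTPAGE.VTI-CNF-ACCESS.WEB.SUSPECT"
    alerts, suppressed = split_alerts(SAMPLE_AUDIT, expr)
    print(f"alert on {len(alerts)} record(s); {len(suppressed)} blocked-but-unalerted")
```

The same exclusion expressed by `ips_sid` gives the identical split, so a periodic count of `suppressed_blocked` is a cheap way to keep sight of what the exclusion is hiding.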
It doesn't look like you can use the 'ips_signame' or 'ips_sid' acat filters at version 7, they do not work. I will file an engineering request about this.
These filters work at version 8. That does not help you, but just an FYI.
I thought that...
Do you know another way to solve my issue?
Thanks for your replies
No I don't, sorry.
You could change the 'Discovery - POLICY' Class Type response to 'Drop no Audit' in the Response Mappings tab of the IPS section of the GUI. That would drop ALL Discovery-POLICY type IPS attacks and not audit them. Then you will not get emails/alerts for this IPS attack any longer but you will still deny/drop it.
Yes, we did it in the past, but the main problem with this solution is that we won't be logging a lot of other signatures, and maybe we will be blocking some traffic and will not be notified about that.
Very true, very true.