
Filtering Event from IP Address or Range


Technote (FAQ)


Question

How do you filter a particular event from an IP address or range?

Answer

There may be times when legitimate traffic on your network causes an event to trigger. In these cases you want to filter out that traffic while still having the sensor use the event. Event filters work after the IDS processes packets and detects an event. When the IDS generates an event, the sensor determines whether the event matches an event filter. If the event matches a filter, the sensor discards the event.

You can use the following filter criteria:

  - Source IP address or range of addresses
  - Destination IP address or range of addresses
  - Source service and port
  - Destination service and port
  - Event name

NOTE! Be very careful when setting up filters. By default, if you add a filter but do not configure it, the filter applies to all events, with the to and from address and port range left at any/any. Such a filter discards all traffic and essentially disables the sensor.
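The matching rule described above, modelled as an added example (this is not RealSecure code; the event names, addresses and field names are constructed): every criterion left unset matches anything, so a filter with no criteria configured discards every event the sensor generates.

```python
# Added example: models how an event filter is applied after detection.
# Each criterion is optional; an unset criterion matches anything.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    name: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class EventFilter:
    name: str
    src_addr: Optional[str] = None    # host or CIDR range; None = any
    src_port: Optional[int] = None    # None = any
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None
    event_name: Optional[str] = None  # None = applies to all events in the policy

    def matches(self, ev: Event) -> bool:
        def addr_ok(spec, ip):
            return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

        def port_ok(spec, port):
            return spec is None or spec == port

        return (addr_ok(self.src_addr, ev.src_ip) and port_ok(self.src_port, ev.src_port)
                and addr_ok(self.dst_addr, ev.dst_ip) and port_ok(self.dst_port, ev.dst_port)
                and (self.event_name is None or self.event_name == ev.name))


def apply_filters(events: List[Event], filters: List[EventFilter]) -> List[Event]:
    """Return the events the sensor keeps; an event matching any filter is discarded."""
    return [ev for ev in events if not any(f.matches(ev) for f in filters)]


def is_catch_all(f: EventFilter) -> bool:
    """Flag a filter left at any/any with no event name: it would silence the sensor."""
    return all(v is None for v in (f.src_addr, f.src_port, f.dst_addr, f.dst_port, f.event_name))


# Constructed sample events (hypothetical event names and documentation addresses).
SAMPLE_EVENTS = [
    Event("HTTP_Probe", "10.1.2.3", 41000, "192.0.2.10", 80),
    Event("HTTP_Probe", "203.0.113.5", 41001, "192.0.2.10", 80),
    Event("SSH_Brute", "10.1.2.3", 41002, "192.0.2.20", 22),
]
# Scoped filter: suppress HTTP_Probe only when it comes from the internal scanner subnet.
SCOPED = EventFilter("scanner-http", src_addr="10.1.2.0/24", dst_port=80, event_name="HTTP_Probe")
# Unconfigured filter: every criterion still at any/any.
UNCONFIGURED = EventFilter("unconfigured")
```

Running `apply_filters(SAMPLE_EVENTS, [UNCONFIGURED])` returns an empty list, which is the failure mode the note above warns about; `is_catch_all` is the check to run before saving a policy.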

Adding an Event Filter

Use this procedure to add event filters to a network sensor policy.

Note: Filters are available only for network sensors-not OS sensors or server sensors.

To add an event filter:

  1. From the Managed Assets window, select a network sensor.

  2. From the Sensor menu, select Policies.

    The Sensor Policies window appears.

  3. Select the policy to which you want to add an event filter.

    Note: If this policy does not exist, you must import it or derive it.

  4. Click Customize.

    The Policy Editor window appears.

  5. In the Event Filters tab, click Add.

    The Enter a name window appears.

  6. Type the name of this event filter, and then click OK.

  7. Configure the event filter as follows:

    If you want to...                                              | Then...
    Configure a specific source address or range of addresses      | Click in the Src Address column for that filter, and then type the address information in the Choose Address window.
    Change the source service/type for the event                   | Click in the Src Service/Type column to specify the source service or type for this protocol.
    Configure a specific destination address or range of addresses | Click in the Dest Address column for that filter, and then type the address information in the Choose Address window.
    Change the destination service/code for the event              | Click in the Dest Service/Code column to specify the destination service or code for this protocol.
    Configure the event name                                       | Click in the Event Name column and select the name of the event to filter.

    Note: If you do not select an event name, the filter will apply to all events in the policy.

  8. From the File menu, select Save.

    A confirmation message appears.

  9. Click OK.

  10. From the File menu, select Close.

  11. You must apply the Policy to the sensor.


If the above information does not resolve your issue, please contact IBM Security Systems Customer Support.

Historical Number

1032

Product Alias/Synonym

RealSecure Network Sensor


Document information

RealSecure Network Sensor

Software version: 7.0
Operating system(s): Linux, Windows
Software edition: All Editions
Reference #: 1434433
Modified date: 2011-04-29
