Technote (FAQ)
Question
How do you filter a particular event from an IP address or range?
Answer
There may be times when legitimate traffic on your network causes an event to trigger. In these cases you want to suppress the events that traffic generates while leaving the event itself enabled for all other traffic. Event filters work after the IDS processes packets and detects an event: when the sensor generates an event, it checks whether the event matches an event filter, and if it does, the sensor discards the event.

You can use the following filter criteria:
- Source IP address or range of addresses
- Destination IP address or range of addresses
- Source service and port
- Destination service and port
- Event name

NOTE: Be very careful when setting up filters. By default, if you add a filter but do not configure it, the filter applies to all events, with a to and from address and port range of any/any. Such a filter discards every event the sensor generates and effectively disables the sensor.
Adding an Event Filter
Use this procedure to add event filters to a network sensor policy.
Note: Filters are available only for network sensors, not OS sensors or server sensors.
To add an event filter:
- From the Managed Assets window, select a network sensor.
- From the Sensor menu, select Policies. The Sensor Policies window appears.
- Select the policy to which you want to add an event filter.
  Note: If this policy does not exist, you must import it or derive it.
- Click Customize. The Policy Editor window appears.
- In the Event Filters tab, click Add. The Enter a name window appears.
- Type the name of this event filter, and then click OK.
- Configure the event filter as follows:
  To configure a specific source address or range of addresses: click in the Src Address column for that filter, and then type the address information in the Choose Address window.
  To change the source service/type for the event: click in the Src Service/Type column and specify the source service or type for this protocol.
  To configure a specific destination address or range of addresses: click in the Dest Address column for that filter, and then type the address information in the Choose Address window.
  To change the destination service/code for the event: click in the Dest Service/Code column and specify the destination service or code for this protocol.
  To configure the event name: click in the Event Name column and select the name of the event to filter.
  Note: If you do not select an event name, the filter applies to all events in the policy.
- From the File menu, select Save. A confirmation message appears.
- Click OK.
- From the File menu, select Close.
- Apply the policy to the sensor. The filter does not take effect until the policy is applied.
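The matching rule described in the Answer above (an event is discarded when it satisfies every populated column of a filter, and an empty column matches anything) and the columns configured in the procedure can be modelled to show why a scoped filter is safe and an unconfigured one silences the sensor. The following is an added illustration written for this page, not RealSecure code or its API: the Event and EventFilter classes, the (low, high) port-tuple representation, the sample addresses and the event names (SNMP_Community_Probe, HTTP_Suspicious_URL) are all constructed placeholders.

```python
"""Model of post-detection event filtering: added example, not product code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """A detected event as the sensor hands it to the filter stage (assumed shape)."""
    name: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class EventFilter:
    """One row of the Event Filters tab.

    Every criterion is optional. A field left as None matches anything, which is
    how an unconfigured column behaves (the any/any default the note warns about).
    Ports are (low, high) inclusive tuples; that representation is an assumption
    of this model, not the product's own format.
    """
    name: str
    src_net: Optional[str] = None            # Src Address, e.g. "10.0.5.0/24"
    dst_net: Optional[str] = None            # Dest Address
    src_ports: Optional[Tuple[int, int]] = None  # Src Service/Type (port range)
    dst_ports: Optional[Tuple[int, int]] = None  # Dest Service/Code (port range)
    event_name: Optional[str] = None         # Event Name

    def is_unscoped(self) -> bool:
        """True when no criterion is set: the filter would match every event."""
        return all(v is None for v in (self.src_net, self.dst_net,
                                       self.src_ports, self.dst_ports, self.event_name))

    def matches(self, ev: Event) -> bool:
        """True when the event satisfies every populated criterion."""
        if self.event_name is not None and ev.name != self.event_name:
            return False
        if self.src_net is not None and ip_address(ev.src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.dst_net is not None and ip_address(ev.dst_ip) not in ip_network(self.dst_net, strict=False):
            return False
        if self.src_ports is not None and not (self.src_ports[0] <= ev.src_port <= self.src_ports[1]):
            return False
        if self.dst_ports is not None and not (self.dst_ports[0] <= ev.dst_port <= self.dst_ports[1]):
            return False
        return True


def apply_filters(events: List[Event], filters: List[EventFilter]):
    """Filter stage: an event matching any filter is discarded.

    Returns (kept_events, [(dropped_event, name_of_matching_filter), ...]).
    """
    kept, dropped = [], []
    for ev in events:
        hit = next((f.name for f in filters if f.matches(ev)), None)
        if hit is None:
            kept.append(ev)
        else:
            dropped.append((ev, hit))
    return kept, dropped


def unscoped_filters(filters: List[EventFilter]) -> List[str]:
    """Pre-apply check: names of filters that were added but never configured."""
    return [f.name for f in filters if f.is_unscoped()]


# Constructed sample events; names and addresses are placeholders.
SAMPLE_EVENTS = [
    Event("SNMP_Community_Probe", "10.0.5.20", "10.0.9.1", 51000, 161),    # approved poller
    Event("SNMP_Community_Probe", "203.0.113.7", "10.0.9.1", 40000, 161),  # outside address
    Event("SNMP_Community_Probe", "10.0.5.20", "10.0.9.1", 51001, 1161),   # wrong port
    Event("HTTP_Suspicious_URL", "10.0.5.20", "10.0.9.2", 52000, 80),      # same host, other event
]

# Scoped filter: suppress only the poller subnet's SNMP events to port 161.
SCOPED_FILTER = EventFilter(name="allow-snmp-poller", src_net="10.0.5.0/24",
                            dst_ports=(161, 161), event_name="SNMP_Community_Probe")

# Filter that was added but never configured: every column is still "any".
UNCONFIGURED_FILTER = EventFilter(name="added-but-not-configured")


def scoped_result():
    """Names of kept events and source IPs of dropped events under the scoped filter."""
    kept, dropped = apply_filters(SAMPLE_EVENTS, [SCOPED_FILTER])
    return [e.name for e in kept], [e.src_ip for e, _ in dropped]


def unconfigured_result():
    """(kept, dropped) counts under the unconfigured filter: everything is dropped."""
    kept, dropped = apply_filters(SAMPLE_EVENTS, [UNCONFIGURED_FILTER])
    return len(kept), len(dropped)


if __name__ == "__main__":
    print("scoped:", scoped_result())
    print("unconfigured:", unconfigured_result())
    print("unscoped filters:", unscoped_filters([SCOPED_FILTER, UNCONFIGURED_FILTER]))
```

The scoped filter drops only the poller's SNMP event and leaves the same host's other event, the outside address and the wrong-port probe alone; the unconfigured filter drops all four. Running a check like unscoped_filters over a policy before applying it is the cheap safeguard against the any/any default.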
If the above information does not resolve your issue, please contact IBM Security Systems Customer Support.
Historical Number
1032
Product Alias/Synonym
RealSecure Network Sensor