IBM Support

Configuring a sensor to ignore or allow traffic from certain IP addresses

Question & Answer


Question

How can you configure a network or host-based sensor to ignore or allow traffic from certain internal hosts without creating firewall rules?

Answer

 
For ignoring and/or allowing specific traffic on GXs and XGS versions:
Users can use the pam.report.filter* advanced tuning parameter to configure a sensor to ignore traffic or events from certain IP addresses. All traffic or events that meet the specified criteria are ignored. Users can add this parameter to the tuning parameters policy in the following contexts:


Filtering IPS events by IP Address (source or destination)

Example Scenario: We have a scanner that is located at 192.168.0.1 that routinely generates many security events during audit scans. Because we know that these events are benign, we do not want our IPS using the extra system resources to process the events. We also do not want to use our SiteProtector database to store all of this unnecessary security event data. We can filter this traffic at the inspection engine level by using the following tuning parameter:

Name: pam.report.filterall
Value: ip addr 192.168.0.1

There are many different ways the Value field can be completed depending on your needs. Here are some examples of the different ways the pam.report.filterall parameter can be used to filter:
 
To filter events by                                  Value String example
Single IP (Source or Destination)                    ip addr 192.168.0.1
Single Source IP Address                             ip intruder addr 192.168.0.1
Single Destination IP Address                        ip victim addr 192.168.0.2
All events from/to a Subnet (using CIDR notation)    ip addr 192.168.0.0/24
All traffic from/to a range of Addresses             ip addr 192.168.0.1-192.168.0.20
By defining both intruder and victim IP Addresses    ip intruder addr 10.0.0.0/8 victim addr 192.168.0.0/16
Notes:
  • To add multiple values, separate them using a comma (with no space).
  • For IPv6 addresses, be sure to start the Value String with "ipv6" and not "ip". For example:
                Single IP (Source or Destination):   ipv6 addr 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Filtering IPS events by specific Event ID and IP Address (source or destination)

Example Scenario: We use the RDP_Login audit event to monitor remote access on our admin VLAN. The common management system is 10.0.0.23. We do not want to see the RDP_Login events from this system. To filter IPS inspection for this signature when the traffic involves the 10.0.0.23 IP address, we first need to find the issueid for RDP_Login. There are two ways that this can be done. You can right-click the event in the Analysis view of the SiteProtector Console and select Open Event Details..., or you can look at the PAM help file and find the event there. Both of these sources are considered authoritative and provide the issueid for the event that you are looking for. The issueid for RDP_Login is 3113009. Based on this example, we use the following tuning parameter to ignore the traffic:

Name: pam.report.filter.3113009
Value: ip addr 10.0.0.23

As with the filterall parameter, the filter parameter can use all of the Value variants listed in the previous table.

Using multiple filterall or filter Parameters

It is sometimes necessary to add multiple instances of the aforementioned parameters depending on administrative need. For example, you might create one parameter to filter events generated by a vulnerability scanner and another to ignore events for a particular host.

You can add multiple instances of the parameter to filter more than one address entry by adding an index to the parameter name.

Example using multiple filterall parameters:

Name: pam.report.filterall.0
Value: ip addr 192.168.0.9

Name: pam.report.filterall.1
Value: ip addr 10.0.0.0/16

Example using multiple filter parameters:

Name: pam.report.filter.3113009.0
Value: ip addr 192.168.9.0/24

Name: pam.report.filter.3113009.1
Value: ip addr 10.10.8.130
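The following is an added example, not IBM's code, that models how the Value strings from the table above and the indexed pam.report.filterall / pam.report.filter.<issueid> parameter names select events; it lets you test a planned tuning policy against sample events before deploying it. The matching semantics (comma separates whole expressions; intruder/victim restrict one end; a bare addr matches either end; ip vs ipv6 selects the address family) are this model's assumptions, and the TUNING policy is constructed here.

```python
import ipaddress
import re

# Names from the page: pam.report.filterall[.N] and pam.report.filter.<issueid>[.N]
PARAM_RE = re.compile(r"^pam\.report\.(?:filterall|filter\.(\d+))(?:\.\d+)?$")
def _parse_spec(spec):
    # '1.2.3.4', '10.0.0.0/8' or '1.2.3.1-1.2.3.20' -> address membership test
    if "-" in spec:
        lo, hi = map(ipaddress.ip_address, spec.split("-", 1))
        return lambda a: lo <= a <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda a: a in net
def parse_value(value):
    # Comma-separated alternatives (assumed whole 'ip ...' exprs); each is ANDed clauses
    alternatives = []
    for expr in value.split(","):
        tokens = expr.split()
        version = 4 if tokens.pop(0) == "ip" else 6   # 'ip' vs 'ipv6' prefix
        clauses, role = [], None
        while tokens:
            tok = tokens.pop(0)
            if tok in ("intruder", "victim"):
                role = tok                             # applies to the next addr
            elif tok == "addr":
                clauses.append((role, version, _parse_spec(tokens.pop(0))))
                role = None                            # bare addr: either end
            else:
                raise ValueError("unexpected token %r" % tok)
        alternatives.append(clauses)
    return alternatives
def _matches(clause, src, dst):
    role, version, test = clause
    ends = {"intruder": [src], "victim": [dst]}.get(role, [src, dst])
    return any(a.version == version and test(a) for a in ends)
def event_is_filtered(params, issueid, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, value in params.items():
        m = PARAM_RE.match(name)
        if not m or (m.group(1) is not None and int(m.group(1)) != issueid):
            continue                                   # not a filter / other event
        if any(all(_matches(c, src, dst) for c in cl) for cl in parse_value(value)):
            return True
    return False
# Constructed policy: two entries from the page plus a constructed pair and IPv6
TUNING = {
    "pam.report.filterall.0": "ip addr 10.0.0.0/16",
    "pam.report.filterall.1": "ip intruder addr 172.16.0.1-172.16.0.20 victim addr 192.168.1.0/24",
    "pam.report.filterall.2": "ipv6 addr 2001:db8::/32",
    "pam.report.filter.3113009.0": "ip addr 192.168.9.0/24",
}
```

Note that the event-specific filter for issueid 3113009 does nothing for other events, and that an intruder/victim pair is directional, so the reverse flow is still reported.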


For disabling PAM inspection for XGS versions 5.3.1.4 and up:

A Do Not Inspect (DNI) option has been added to the Network Access Policy (NAP) so that traffic on an approved list can be exempted from inspection. See the XGS v5.3.2 release notes in technotes:


Historical Number

4559

Document Information

Modified date:
21 March 2022

UID

swg21436125