Guest

Cisco Intrusion Prevention System

Tune the IPS for False Positive Prevention Using Event Action Filter

Cisco - Tune the IPS for False Positive Prevention Using Event Action Filter

Document ID: 113575

Updated: Jul 06, 2012

Contributed by Aastha Chaudhary, Cisco TAC Engineer.

   Print

Introduction

This document provides the steps required in order to tune the Intrusion Prevention System (IPS) for False Positive Prevention using IPS Device Manager (IDM) or IPS Manager Express (IME). False positive tuning on IPS is achieved by a feature called Event Action Filter (EAF).

Before You Begin

Requirements

Readers of this document should have knowledge of the Cisco IPS.

Components Used

The information in this document is not based on specific hardware and software versions.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Understanding EAFs

EAFs are configured primarily for false positive tuning. EAF provides the ability to have a particular signature not take desired actions for a subset of traffic.

EAFs are useful in situations where it is required to satisfy multiple conditions, such as:

  • Signature x does not take actions y for a desired subnet of traffic.

  • Signature x takes actions y for all other traffic.

EAFs are useful in dealing with the benign triggering of a signature.

Configuration

Example: False Positive Event: Signature 1300 triggers for traffic coming from and to known trusted hosts.

Note: This is just an example for demonstration purposes only. If you are unsure whether a particular event due to signature trigger is benign or not, contact Cisco Technical Support for further analysis.

Note: Refer to Cisco Intrusion Prevention System Signatures for additional information regarding IPS signatures.

Complete these steps:

  1. Check the default actions for the signature (1300, in this example) for which EAF needs to be configured.

    tune-ips-eaf-01.gif

    The default actions of signature 1300 include Produce Alert and Deny Connection Inline.

  2. Identify the hosts for which this signature should not fire. For example, you do not want the signature to fire for traffic coming from a trusted subnet, such as 10.1.1.1-10.1.1.254.

  3. Create an EAF for the criteria described in Step 2:

    1. From IDM/IME, go to Configuration > Policies > IPS Policies. Click the Event Action Filters tab. Under this tab, click Add.

      tune-ips-eaf-02.gif

      This window is displayed:

      tune-ips-eaf-03.gif

    2. Configure the various fields such as Name, Signature ID, Attacker IP, etc.

      tune-ips-eaf-04.gif

    3. Click the icon to the right of the Actions to Subtract field in order to open the Edit Actions dialogue box.

      tune-ips-eaf-05.gif

      In this window, you can specify the Signature actions you do not want the IPS to execute.

      Note: In order to correctly select signature actions you want to subtract, you need to understand the default signatures actions as described in Step 1.

      In this example, we chose Produce Alert and Deny Connection Inline.

      tune-ips-eaf-06.gif

      IPS will not take these actions if the 1300 signature triggers for traffic coming from 10.1.1.1-10.1.1.254.

      For all other traffic, the default signature action of Produce Alert and Deny Connection Inline will still apply.

      After you choose Produce Alert and Deny Packet Inline, you will see these actions populate at the bottom of the EAF screen:

      tune-ips-eaf-07.gif

    4. Click OK, and then Apply in order to save the changes.

      tune-ips-eaf-08.gif

For configuration of Event Action Filter using CLI, refer to the IPS Command Line Interface section on the Configuration Guides page. From the appropriate Configuration Guide, click Configuring Event Action Rules, and search for "Configuring Event Action Filters".

Related Information

Updated: Jul 06, 2012
Document ID: 113575