
Using ACLs When Disabling Individual Signatures

Sep 15,2009 by alperen


You can use the ip audit signature command to apply ACLs to individual signatures to help filter out sources of false alarms. When you attach an ACL to a signature, you must also create an audit rule with the ip audit name command and apply that named rule to an interface with the ip audit command.

In this example, signature 1001 is disabled and signature 1004 has ACL 10 attached. As in the preceding example, the ACL doesn't behave as you might initially assume: the deny statement does not block traffic. Instead, the hosts on the denied network aren't filtered through the signature, because they're trusted hosts or, possibly, because they're causing false positives. All other hosts match the permit any statement and are processed by the audit rule.

Rtr1(config)#ip audit signature 1001 disable
Rtr1(config)#ip audit signature 1004 list 10
Rtr1(config)#access-list 10 deny 192.168.45.0 0.0.0.255
Rtr1(config)#access-list 10 permit any
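
The following Python sketch is an added example, not part of the original article or of Cisco IOS. It models how ACL 10 decides which source addresses signature 1004 still inspects; the function names are hypothetical, and it assumes the usual implicit deny at the end of a standard ACL.

```python
import ipaddress

# Constructed sample: ACL 10 exactly as entered in the article.
ACL_10 = """\
access-list 10 deny 192.168.45.0 0.0.0.255
access-list 10 permit any
"""

def parse_standard_acl(text, number):
    """Return ordered (action, network, wildcard) entries for one standard ACL."""
    entries = []
    for line in text.splitlines():
        tok = [t for t in line.split() if t != "log"]  # ignore trailing 'log'
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, src = tok[2], tok[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action: {line!r}")
        if src == "any":
            net, wild = 0, 0xFFFFFFFF
        elif src == "host":
            net, wild = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            net = int(ipaddress.IPv4Address(src))
            # A bare address with no wildcard mask matches that single host.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, net, wild))
    return entries

def signature_inspects(entries, source_ip):
    """True if traffic from source_ip is still checked against the signature."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if (addr & care) == (net & care):
            return action == "permit"  # deny = exempt from the signature
    return False  # assumption: implicit deny at end of ACL, so source is exempt

def audit(entries, sources):
    """Map each source address to 'inspected' or 'exempt'."""
    return {ip: "inspected" if signature_inspects(entries, ip) else "exempt"
            for ip in sources}

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_10, 10)
    for ip, verdict in audit(acl, ["192.168.45.7", "192.168.46.7"]).items():
        print(f"{ip:15} signature 1004: {verdict}")
```

Running the same check with the permit any line removed shows every source as exempt, which is why that line matters when you only intend to exclude one network.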

