  1. #1
    Newbie
    Join Date
    Dec 2018
    Posts
    1

    Events and IPS 14.1

    Hello-
    Wondering why. In old IPS we would disable a signature. We had lots of signatures customized the way we wanted. We would disable ones and they would no longer be picked up by the events action.

    I have an event made that watches the intrusionpreventionlogevent and sends an email when certain conditions are met. Such as below:
    Captureevents.JPG

    In the new IPS we make a rule to disable events that are not interesting, however the events will still send an email even though the rule disables the signature.

    Captureipsrules.JPG

    I have confirmed in signatures that the action is disabled; I would assume this means logging and blocking etc.
    So how are events rules still acting on disabled IPS signatures by rule?

    (Yes I know the 2 images above don't actually match- but present the issue visually)

    Brad

  2. #2
    Master Untangler cblaise's Avatar
    Join Date
    Jul 2014
    Location
    Burlington, VT
    Posts
    133


    It's not clear from the rule snippet, but make sure the rules to disable signatures are added at the top of the Rules list.
