As we have seen so far, every signature can have one or more actions associated with it. Those actions are per signature, which means that the action or actions associated with a signature will be executed for every attacker/victim combination. For instance, let’s go back to our custom signature. Every time anyone tries to get the CONFIDENTIAL.TXT file, an alarm is generated. However, there may be a user or users who are entitled to get this file, and we would not like to prevent them from doing so, while still preventing other users from getting the file. If we create a custom signature as described in that article, no exception will be made. This is where Event Action Filters come in handy.
In order to modify our custom signature, we need to go to IPS Policies->Event Action Rules and select the appropriate virtual sensor’s event action rules entry. In our case it’s once again “vlan4”. On the right-hand side, select the Event Action Filters tab and click Add:
This is what the default settings for a new filter look like:
The fields are as follows:
- Name – signature name in text form
- Enabled – self explanatory
- Signature ID – this is the ID of a signature that we would like to put a filter on
- Subsignature ID – this is obvious
- Attacker IPv4 Address – the IP address or range of addresses we would like to exclude. This is given in the form firstaddress-lastaddress
- Attacker IPv6 Address – same as the previous field
- Attacker Port – this is the TCP/UDP port on the attacker side. Most often we will not change this value.
- Victim IPv4 Address – the address of the target host (victim)
- Victim IPv6 Address – same as above
- Victim Port – the TCP/UDP port of the target (victim)
- Risk Rating – the range of risk ratings within which we want to subtract actions
- Actions to Subtract – this is where we choose which action we would like to remove from the list of actions we configured. Clicking here opens this dialog:
Now that we know what the fields mean, we will do the following: we will prevent all users from accessing the file except for the user with the IP address 10.0.0.1, the manager who needs to access this file:
The action we would like to subtract is the only one we have configured, Produce Alert:
After selecting Produce Alert, we click OK, OK again and then Apply.
We might want to move the newly created rule to the top of the list, so that we have the following situation:
If we now try to retrieve the CONFIDENTIAL.TXT file, an event should be generated for any attacker IP address except 10.0.0.1.
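To make the filter semantics concrete, here is an added Python model of how an event action filter subtracts actions from a signature's configured action set. It is not Cisco's code and not part of the original article: the signature ID 60001, the event values and the filter name are constructed placeholders, and the model assumes that every enabled filter in the list is evaluated in order, with subtractions accumulating, and that a filter only matches when all of its fields (signature, attacker and victim ranges, ports, risk rating) match the event.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# "Any" defaults, mirroring the wide-open ranges a new filter starts with.
ANY_IPV4 = ("0.0.0.0", "255.255.255.255")
ANY_PORT = (0, 65535)
ANY_RISK = (0, 100)


@dataclass
class Event:
    """One signature hit, i.e. one attacker/victim combination the sensor saw."""
    sig_id: int
    subsig_id: int
    attacker_ip: str
    attacker_port: int
    victim_ip: str
    victim_port: int
    risk_rating: int


def ip_in_range(addr: str, first: str, last: str) -> bool:
    """True if addr lies in the inclusive firstaddress-lastaddress range.
    IPv4 and IPv6 never match each other (a v4 event is not in a v6 range)."""
    a, lo, hi = (ipaddress.ip_address(x) for x in (addr, first, last))
    if not (a.version == lo.version == hi.version):
        return False
    return lo <= a <= hi


@dataclass
class EventActionFilter:
    """Model of the Event Action Filter fields described in the article."""
    name: str
    sig_id: int
    actions_to_subtract: FrozenSet[str]
    enabled: bool = True
    subsig_id: Optional[int] = None           # None means any subsignature
    attacker_range: Tuple[str, str] = ANY_IPV4
    victim_range: Tuple[str, str] = ANY_IPV4
    attacker_ports: Tuple[int, int] = ANY_PORT
    victim_ports: Tuple[int, int] = ANY_PORT
    risk_rating: Tuple[int, int] = ANY_RISK

    def matches(self, ev: Event) -> bool:
        """All fields must match; a disabled filter never matches."""
        return (
            self.enabled
            and ev.sig_id == self.sig_id
            and (self.subsig_id is None or ev.subsig_id == self.subsig_id)
            and ip_in_range(ev.attacker_ip, *self.attacker_range)
            and ip_in_range(ev.victim_ip, *self.victim_range)
            and self.attacker_ports[0] <= ev.attacker_port <= self.attacker_ports[1]
            and self.victim_ports[0] <= ev.victim_port <= self.victim_ports[1]
            and self.risk_rating[0] <= ev.risk_rating <= self.risk_rating[1]
        )


def resulting_actions(configured: FrozenSet[str],
                      filters: List[EventActionFilter],
                      ev: Event) -> List[str]:
    """Start from the signature's configured actions and let each matching
    filter, in list order, subtract its actions (assumption: cumulative)."""
    actions = set(configured)
    for f in filters:
        if f.matches(ev):
            actions -= f.actions_to_subtract
    return sorted(actions)


# Constructed placeholder for the article's custom CONFIDENTIAL.TXT signature.
CUSTOM_SIG_ID = 60001
CONFIGURED_ACTIONS = frozenset({"Produce Alert"})

# The filter built in the article: only attacker 10.0.0.1 loses "Produce Alert".
MANAGER_EXCEPTION = EventActionFilter(
    name="manager-may-read-confidential-txt",   # constructed filter name
    sig_id=CUSTOM_SIG_ID,
    attacker_range=("10.0.0.1", "10.0.0.1"),
    actions_to_subtract=frozenset({"Produce Alert"}),
)


def make_event(attacker_ip: str, sig_id: int = CUSTOM_SIG_ID) -> Event:
    # Constructed sample hit: victim and ports are arbitrary placeholders.
    return Event(sig_id, 0, attacker_ip, 40000, "10.0.0.50", 80, 50)


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.2"):
        print(ip, "->", resulting_actions(CONFIGURED_ACTIONS, [MANAGER_EXCEPTION], make_event(ip)))
```

Running the block prints an empty action list for 10.0.0.1 and `['Produce Alert']` for any other attacker, which is exactly the behaviour the filter above is meant to produce; flipping `enabled` to `False` or changing the signature ID in the event shows that a filter that does not match leaves the configured actions untouched.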