A few weeks ago I posted asking for documentation links on the IDS4210, and I got some very useful links, thank you guys! I have a few more questions that the documentation just didn't make clear to me. How do event filters work? I get an event that I know is a false alert and I want to exclude it for the destination and source IPs I am seeing. I have an idea but I want to make sure.
If I apply a filter and set it with the SigID, DestIP, SourceIP, and exclusion set to no, then those alerts just won't trigger and won't be logged. If I do a filter and put a subSigID in with the same settings as above and then set exclusion, those subSigs will be triggered, but not the others?
Is this correct? Is there a way to filter events out of the log based on SigID and Dest and Source IPs? Or do I have to clear the events and start over?
Are there any free tools that allow reporting from a Cisco IDS 4210 sensor and storage in a database?
And the last one, is there a way to delete a single (or group of) IP Logs?
I know this is a very old product, but for now we want to see if this works for us and maybe move on to a newer IDS or IPS solution.
Thanks in advance!