Enterasys Intrusion Prevention System Manual page 202

Network sensor policies and signatures guide

6.x to 7.x Mappings
Keywords/XML Attributes (page A-8)

Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: DRAGON_FILTER
7.0 XML Attribute:
  NSC/SC/C/DragonFilter
  NSC/SC/C/DragonFilter/event
  NSC/SC/C/DragonFilter/filter
Description:
To reduce false positives, this statement can be used to eliminate events based on a combination of source and destination IP addresses, the IP protocol, and the source and destination TCP/UDP ports or ICMP type.

Internal event names are defined as event names that are the same as the dragon.net keyword. For example, if an administration computer continually uses SSH to log in to other computers, a filter can be placed on the SSH signatures to ignore that event whenever the administration machine is involved.

The exact name of the event to be filtered must be specified. Filter rules can be created using the following keywords and operators:
Variable   Example                   Description
host       host 10.100.100.10        Matches either the Src IP or the Dst IP.
srchost    srchost 10.100.100.1      Matches only the Src IP.
dsthost    dsthost 10.100.100.205    Matches only the Dst IP.
port       port 1234                 Matches either the Src port or the Dst port.
srcport    srcport 80                Matches only the Src port.
dstport    dstport 6000              Matches only the Dst port.
net        net 10.100.100.0/24       Matches the specified CIDR block.
srcnet     srcnet 10.100.100.0/24    Matches only the source IP against the CIDR block.
dstnet     dstnet 10.100.100.0/24    Matches only the destination IP against the CIDR block.
tcp        tcp                       Matches the TCP protocol.
udp        udp                       Matches the UDP protocol.
icmp       icmp                      Matches the ICMP protocol.
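As an added example, not code from the Enterasys manual, here is a small Python evaluator for suppression rules written with the keywords above. It assumes that all terms in one rule must match (AND), that the event name must match exactly, and it constructs its own event name and addresses.

```python
import ipaddress
# Added example (not Enterasys code); assumption: all terms in a rule are ANDed.
PROTO_KEYWORDS = {"tcp", "udp", "icmp"}
VALUE_KEYWORDS = {"host", "srchost", "dsthost", "port", "srcport", "dstport",
                  "net", "srcnet", "dstnet"}

def parse_filter(rule):
    """Turn 'srchost 10.100.100.1 tcp dstport 22' into [(keyword, value), ...]."""
    tokens, terms, i = rule.split(), [], 0
    while i < len(tokens):
        kw = tokens[i].lower()
        if kw in PROTO_KEYWORDS:            # bare protocol keyword, no value
            terms.append((kw, None))
            i += 1
        elif kw in VALUE_KEYWORDS and i + 1 < len(tokens):
            terms.append((kw, tokens[i + 1]))
            i += 2
        else:                               # unknown keyword or missing value
            raise ValueError(f"bad filter term near {tokens[i]!r}")
    return terms

def term_matches(kw, value, ev):
    """Match one term against an event dict (src, dst, proto, sport, dport)."""
    if kw in PROTO_KEYWORDS:
        return ev["proto"] == kw
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    if kw in ("host", "srchost", "dsthost"):
        sides = {"host": (src, dst), "srchost": (src,), "dsthost": (dst,)}[kw]
        return ipaddress.ip_address(value) in sides
    if kw in ("net", "srcnet", "dstnet"):
        sides = {"net": (src, dst), "srcnet": (src,), "dstnet": (dst,)}[kw]
        return any(ip in ipaddress.ip_network(value, strict=False) for ip in sides)
    # port / srcport / dstport; for ICMP events the manual lists the ICMP type instead
    sides = {"port": (ev["sport"], ev["dport"]), "srcport": (ev["sport"],),
             "dstport": (ev["dport"],)}[kw]
    return int(value) in sides

def is_suppressed(ev, filters):
    """filters: list of (event_name, rule). The event name must match exactly and
    every term of the rule must hit; any one matching filter suppresses the event."""
    return any(name == ev["name"] and
               all(term_matches(k, v, ev) for k, v in parse_filter(rule))
               for name, rule in filters)

# Constructed sample: ignore SSH logins originating from the admin workstation.
FILTERS = [("SSH:LOGIN", "srchost 10.100.100.10 tcp dstport 22")]
ADMIN_SSH = {"name": "SSH:LOGIN", "src": "10.100.100.10", "dst": "10.100.100.205",
             "proto": "tcp", "sport": 51234, "dport": 22}
OTHER_SSH = dict(ADMIN_SSH, src="10.100.100.77")   # same event from another host
```

Because the event name is compared exactly, a filter written for one SSH event leaves every other event from the admin host visible, which is the narrow suppression the manual describes.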
