Chapter 27
Cisco IOS IPS
OL-4015-12

Discard Changes
If you want to clear information that you have entered in the Event Action
Overrides window but have not sent to the router, click Discard Changes. The
Discard Changes button is disabled when there are no changes made that are
awaiting delivery to the router.

Add or Edit an Event Action Override
To add an event action override, choose the event action, enable or disable it, and
specify the RR range. If you are editing, you cannot change the event action.

Event Action
Choose one of the following event actions:
• Deny Attacker Inline—Does not transmit this packet and future packets from
  the attacker address for a specified period of time (inline only).
• Deny Connection Inline—Does not transmit this packet and future packets on
  the TCP Flow (inline only).
• Deny Packet Inline—Does not transmit this packet.
• Produce Alert—Writes an <evIdsAlert> to the log.
• Reset TCP Connection—Sends TCP resets to hijack and terminate the TCP
  flow.

Enabled
Click Yes to enable the event action override, or No to disable it. You can also
enable and disable event action overrides in the Event Action Override window.

Risk Rating
Enter the lower bound of the RR range in the Min box, and the upper bound of the
range in the Max box. When the RR value of an event falls within the range that
you specify, Cisco IOS IPS adds the override specified by the Event Action. For
example, if Deny Connection Inline is assigned a RR range of 90-100, and an
event with an RR of 95 occurs, Cisco IOS IPS responds by denying the connection
inline.
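
The Risk Rating matching described above, as an added example that is not part of the Cisco guide and is not Cisco IOS IPS code: a small Python model for previewing which actions a set of overrides would add to an event before delivering the overrides to the router. It assumes the Min and Max bounds are inclusive, that RR is an integer from 0 to 100, and that there is at most one override per event action; the names Override, build_table and actions_for_event are hypothetical.

```python
from dataclasses import dataclass

# The five event actions offered in the Add or Edit an Event Action Override window.
ACTIONS = ("Deny Attacker Inline", "Deny Connection Inline", "Deny Packet Inline",
           "Produce Alert", "Reset TCP Connection")

@dataclass(frozen=True)
class Override:          # hypothetical model of one row in the overrides window
    action: str          # Event Action
    enabled: bool        # Enabled: Yes / No
    rr_min: int          # Min box
    rr_max: int          # Max box

def build_table(overrides):
    """Validate the overrides and index them by event action."""
    table = {}
    for o in overrides:
        if o.action not in ACTIONS:
            raise ValueError(f"unknown event action: {o.action}")
        # Assumption: RR is an integer on a 0-100 scale and Min <= Max.
        if not 0 <= o.rr_min <= o.rr_max <= 100:
            raise ValueError(f"bad RR range for {o.action}: {o.rr_min}-{o.rr_max}")
        # Assumption: one override per event action.
        if o.action in table:
            raise ValueError(f"duplicate override for {o.action}")
        table[o.action] = o
    return table

def actions_for_event(table, rr, signature_actions=()):
    """Actions for an event: the signature's own actions plus every enabled
    override whose RR range contains rr (bounds assumed inclusive)."""
    result = list(signature_actions)
    for action in ACTIONS:
        o = table.get(action)
        if o and o.enabled and o.rr_min <= rr <= o.rr_max and action not in result:
            result.append(action)
    return result

# Constructed sample overrides; the first row is the guide's 90-100 example.
SAMPLE = build_table([
    Override("Deny Connection Inline", True, 90, 100),
    Override("Produce Alert", True, 0, 100),
    Override("Deny Attacker Inline", False, 95, 100),   # disabled: never added
])

if __name__ == "__main__":
    for rr in (50, 89, 90, 95, 100):
        print(rr, actions_for_event(SAMPLE, rr))
```

Overlapping ranges are additive in this model: an event with an RR of 95 picks up both Produce Alert and Deny Connection Inline, while the disabled Deny Attacker Inline override is skipped.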
Cisco Router and Security Device Manager 2.5 User's Guide
Edit IPS
27-31