Cisco ROUTER-SDM-CD User Manual page 660


Edit IPS
Event Counter
Alert Frequency
Cisco Router and Security Device Manager 2.5 User's Guide
The Engine box contains fields that allow you to tune a wide variety of signature
parameters. For example, you can specify the action to be taken if this signature
is matched and an event is generated, you can specify the layer 4 protocol to
inspect for events matching this signature, and you can specify IP parameters,
such as header length and type of service.
The controls in the Event Counter box allow you to specify the parameters
described in the following sections.
Event Count
The number of times an event must occur before an alert is generated.
Event Count Key
The type of information to use to count an event as occurring. For example, if you
choose both attacker and victim addresses and ports, each time you have these
4 pieces of information for an event, the count increments by 1. If you choose
attacker address, only that piece of information is needed.
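The effect of the Event Count Key on when the Event Count is reached, as an added example (not code from the Cisco guide or from SDM). It models only Event Count and Event Count Key; the key names, the event field names and the restart of a counter after each alert are assumptions of this sketch, and the events are constructed.

```python
from collections import Counter

# Hypothetical key names for this sketch; they are not SDM or IOS IPS identifiers.
KEY_FIELDS = {
    "attacker_address": ("src_ip",),
    "attacker_and_victim_addresses": ("src_ip", "dst_ip"),
    "attacker_and_victim_addresses_and_ports": (
        "src_ip", "src_port", "dst_ip", "dst_port"),
}


def count_alerts(events, event_count, count_key):
    """Return, in order, the key tuples whose counter reached event_count.

    Assumption: a counter restarts at zero after it raises an alert.
    """
    fields = KEY_FIELDS[count_key]
    counters = Counter()
    alerts = []
    for ev in events:
        key = tuple(ev[f] for f in fields)  # events are grouped by the chosen key
        counters[key] += 1
        if counters[key] >= event_count:
            alerts.append(key)
            counters[key] = 0
    return alerts


def sample_events():
    """Constructed sample of events that all matched one signature."""
    # One source matching against six different victims, one event each.
    sweep = [{"src_ip": "192.0.2.10", "src_port": 40000 + i,
              "dst_ip": f"198.51.100.{i}", "dst_port": 80}
             for i in range(1, 7)]
    # One flow (same addresses and ports) matching three times.
    repeat = [{"src_ip": "192.0.2.20", "src_port": 51000,
               "dst_ip": "198.51.100.1", "dst_port": 80}] * 3
    return sweep + repeat


if __name__ == "__main__":
    for name in KEY_FIELDS:
        print(name, count_alerts(sample_events(), 3, name))
```

With an Event Count of 3, the attacker-address key alerts three times on this sample, while the four-field key alerts once, because every new victim address or port starts a separate counter.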
Event Interval
The number of seconds between events being sent to the log. If you select Yes, an
additional field is displayed allowing you to enter the number of seconds.
The purpose of the alert frequency parameter is to reduce the volume of the alerts
written to the log.
Summary Mode
There are four modes: Fire All, Fire Once, Summarize, and Global Summarize.
The summary mode is changed dynamically to adapt to the current alert volume.
For example, you can configure the signature to Fire All, but after a certain
threshold is reached, it starts summarizing.
Chapter 27
Cisco IOS IPS
OL-4015-12
