Signature Event Action Processor - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Signature Event Action Processor

Chapter 6 Configuring Event Action Rules
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
6-2

SEAP coordinates the data flow from the signature event in the alarm channel to processing through the SEAO, the SEAF, and the SEAH. It consists of the following components:

Alarm channel
The unit that represents the area to communicate signature events from the Sensor App inspection path to signature event handling.

Signature event action override (SEAO)
Adds actions based on the RR value. SEAO applies to all signatures that fall into the range of the configured RR threshold. Each SEAO is independent and has a separate configuration value for each action type. For more information, see Calculating the Risk Rating, page 6-6.

Signature event action filter (SEAF)
Subtracts actions based on the signature event's SIGID, addresses, and RR. The input to the SEAF is the signature event with actions possibly added by the SEAO.

Note
The SEAF can only subtract actions; it cannot add new actions.

The following parameters apply to the SEAF:
Signature ID
Subsignature ID
Attacker address
Attacker port
Victim address
Victim port
RR threshold range
Actions to subtract
Sequence identifier (optional)
Stop-or-continue bit
Enable action filter line bit

Signature event action handler (SEAH)
Performs the requested actions. The output from the SEAH is the actions being performed and possibly an evIdsAlert written to the Event Store.

Figure 6-1 on page 6-3 illustrates the logical flow of the signature event through the SEAP and the operations performed on the action for this event. It starts with the signature event with configured action received in the alarm channel and flows top-to-bottom as the signature event passes through the functional components of the SEAP.
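The SEAP flow described above, modelled as an added Python example (not Cisco code): the SEAO adds actions whose RR range covers the event's RR, SEAF lines are then walked in sequence order and can only subtract, a disabled line is skipped, a line with the stop bit set ends the walk, and what remains is what the SEAH would perform. The action names, signature ID, addresses and ranges are constructed sample values, and the inclusive (lo, hi) ranges and the dictionary form of the overrides are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
def within(lo_hi, value): return lo_hi[0] <= value <= lo_hi[1]   # inclusive range check

@dataclass
class SigEvent:                      # signature event as it arrives from the alarm channel
    sig_id: int
    subsig_id: int
    attacker: tuple                  # (address, port)
    victim: tuple                    # (address, port)
    risk_rating: int                 # RR, 0..100
    actions: set                     # actions configured on the signature

@dataclass
class Filter:                        # one SEAF line; it applies only if every criterion matches
    sig_ids: tuple                   # (lo, hi) inclusive, likewise for the other ranges
    subsig_ids: tuple
    attacker: tuple                  # (network, (port_lo, port_hi))
    victim: tuple
    rr_range: tuple
    subtract: set                    # actions to subtract
    sequence: int                    # sequence identifier: lines are evaluated in this order
    stop: bool = False               # stop-or-continue bit
    enabled: bool = True             # enable action filter line bit

def filter_matches(f, ev):
    endpoints_ok = all(ip_address(addr) in ip_network(net) and within(ports, port)
                       for (net, ports), (addr, port) in ((f.attacker, ev.attacker), (f.victim, ev.victim)))
    return (f.enabled and endpoints_ok and within(f.sig_ids, ev.sig_id)
            and within(f.subsig_ids, ev.subsig_id) and within(f.rr_range, ev.risk_rating))

def run_seap(ev, overrides, filters):    # returns the action set the SEAH would carry out
    actions = set(ev.actions)
    for action, rr_range in overrides.items():   # SEAO: {action: (rr_lo, rr_hi)}, can only add
        if within(rr_range, ev.risk_rating):
            actions.add(action)
    for f in sorted(filters, key=lambda line: line.sequence):   # SEAF: can only subtract
        if filter_matches(f, ev):
            actions -= f.subtract
            if f.stop:               # stop bit set: the remaining filter lines are skipped
                break
    return actions
def demo():                          # constructed sample values, not taken from the guide
    any_host = ("0.0.0.0/0", (0, 65535))
    ev = SigEvent(2004, 0, ("10.1.1.5", 40000), ("192.168.1.10", 80), 90, {"produce-alert"})
    overrides = {"deny-attacker-inline": (90, 100), "log-attacker-packets": (70, 100)}
    strip_deny = Filter((2004, 2004), (0, 0), ("10.1.1.0/24", (0, 65535)), any_host, (85, 100),
                        {"deny-attacker-inline"}, 10, stop=True)   # exempts one subnet from inline deny
    drop_alert = Filter((1000, 3000), (0, 255), any_host, any_host, (0, 100), {"produce-alert"}, 20)
    return run_seap(ev, overrides, [drop_alert, strip_deny])   # -> {'produce-alert', 'log-attacker-packets'}
```

In the sample, line 10 matches and stops the walk, so line 20 never removes the alert even though it would match on its own.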
