Event Action Filters; About Event Action Filters - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide
Chapter 6
Configuring Event Action Rules

Step 5
To log packets for overrides:
a. To log the packets from the attacker IP address:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides log-attacker-packets
b. To log the packets from the victim IP address:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides log-victim-packets
c. To log packets from both the attacker and victim IP addresses:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides log-pair-packets
Step 6
To write alerts to the Event Store:
a. To write an alert to the Event Store:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides produce-alert
b. To write verbose alerts to the Event Store:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides produce-verbose-alert
c. To write events that request an SNMP trap to the Event Store:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides request-snmp-trap
Step 7
Exit event action rules submode:
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]:
Step 8
Press Enter to apply your changes or type no to discard them.

Event Action Filters

This section describes event action filters, and contains the following topics:
About Event Action Filters, page 6-9
Configuring Event Action Filters, page 6-10

About Event Action Filters

Event action filters are processed as an ordered list, and you can move filters up or down in the list.
Filters let the sensor perform certain actions in response to an event without requiring the sensor to
perform all actions or remove the entire event. Filters work by removing actions from an event. A filter
that removes all actions from an event effectively consumes the event. Because a consumed event produces
no alert at all, a filter whose address or signature scope is wider than intended suppresses events
silently; check the scope of each filter and its position in the list when you add one.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, 78-16527-01, page 6-9
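The two mechanisms on this page, overrides that add actions to an event and filters that subtract them while the filter list is walked in order, can be modelled in a few lines. The following Python is an added illustration, not Cisco's code and not anything the sensor itself runs. Its matching criteria (signature ID span, attacker and victim address blocks, risk-rating range), the stop_on_match flag that makes list order matter, the policy it builds, and the sample events, addresses and signature ID are all constructed assumptions; only the six action names come from the overrides commands shown above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Event actions named on this page (the overrides submode). The sensor
# knows more (deny-*, reset-tcp-connection, ...); they are left out here.
ACTIONS = frozenset({
    "log-attacker-packets", "log-victim-packets", "log-pair-packets",
    "produce-alert", "produce-verbose-alert", "request-snmp-trap",
})


@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: set = field(default_factory=set)  # actions assigned so far


@dataclass
class Override:
    """Adds `action` to every event whose risk rating lies in [rr_min, rr_max].
    Scoping overrides by risk-rating range is an assumption of this model."""
    action: str
    rr_min: int = 0
    rr_max: int = 100

    def matches(self, ev):
        return self.rr_min <= ev.risk_rating <= self.rr_max


@dataclass
class Filter:
    """Removes `remove` from events that match every criterion. The criteria
    and the stop_on_match flag are assumptions, not taken from this page."""
    name: str
    remove: frozenset
    sig_ids: range = range(0, 100000)
    attacker_net: str = "0.0.0.0/0"
    victim_net: str = "0.0.0.0/0"
    rr_min: int = 0
    rr_max: int = 100
    stop_on_match: bool = False   # skip the rest of the list after this filter

    def matches(self, ev):
        return (ev.sig_id in self.sig_ids
                and ip_address(ev.attacker) in ip_network(self.attacker_net)
                and ip_address(ev.victim) in ip_network(self.victim_net)
                and self.rr_min <= ev.risk_rating <= self.rr_max)


def apply_overrides(ev, overrides):
    """Overrides only ever add actions."""
    for ov in overrides:
        if ov.matches(ev):
            ev.actions.add(ov.action)
    return ev.actions


def apply_filters(ev, filters):
    """Walk the list in order; each matching filter subtracts its actions.
    Returns the names of the filters that matched, in order."""
    applied = []
    for f in filters:
        if f.matches(ev):
            ev.actions -= f.remove
            applied.append(f.name)
            if f.stop_on_match:
                break
    return applied


def process(ev, overrides, filters):
    """Overrides first, then filters. Returns (surviving actions, consumed,
    matched filter names); consumed means no action is left on the event."""
    apply_overrides(ev, overrides)
    applied = apply_filters(ev, filters)
    return frozenset(ev.actions), not ev.actions, applied


# Constructed policy: two overrides and three filters.
OVERRIDES = [Override("log-pair-packets", rr_min=85),
             Override("request-snmp-trap", rr_min=90)]
FILTERS = [
    # Exempt the internal vulnerability scanner entirely (consumes the event).
    Filter("scanner-exempt", ACTIONS, attacker_net="10.1.1.0/24"),
    # No SNMP traps below risk rating 90; stop walking the list on a match.
    Filter("no-trap-below-90", frozenset({"request-snmp-trap"}), rr_max=89,
           stop_on_match=True),
    # Drop verbose alerts for everything else.
    Filter("no-verbose", frozenset({"produce-verbose-alert"})),
]


def demo(filters=FILTERS):
    """Two constructed events (addresses and signature ID are made up)."""
    scanner = Event(2004, "10.1.1.5", "192.168.1.10", 90, {"produce-alert"})
    external = Event(2004, "198.51.100.7", "192.168.1.10", 60,
                     {"produce-alert", "produce-verbose-alert", "request-snmp-trap"})
    return process(scanner, OVERRIDES, filters), process(external, OVERRIDES, filters)


if __name__ == "__main__":
    for actions, consumed, applied in demo():
        print(sorted(actions), "consumed" if consumed else "kept", applied)
    # Moving no-verbose above no-trap-below-90 changes the outcome for external.
    for actions, consumed, applied in demo(FILTERS[::-1]):
        print(sorted(actions), "consumed" if consumed else "kept", applied)
```

The scanner event is consumed by scanner-exempt: the overrides had added log-pair-packets and request-snmp-trap, and the filter strips all of them, so nothing reaches the Event Store. The external event keeps produce-alert and produce-verbose-alert because no-trap-below-90 stops the walk before no-verbose runs; reversing the list makes no-verbose run first and the event ends with produce-alert only. That is the practical meaning of "processed as an ordered list".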