About General Settings; Event Action Summarization; Event Action Aggregation - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide
Chapter 6
Configuring Event Action Rules

About General Settings

You can configure the general settings that apply to event action rules, such as whether you want to use
the summarizer and the meta event generator. The summarizer groups events into a single alert, thus
decreasing the number of alerts the sensor sends out. The meta event generator processes the component
events, which lets the sensor watch for suspicious activity transpiring over a series of events.
You can configure how long you want to deny attackers, the maximum number of denied attackers, and
how long you want blocks to last.

Event Action Summarization

Summarization decreases the volume of alerts sent out from the sensor by providing basic aggregation
of events into a single alert. Special parameters are specified for each signature and they influence the
handling of the alerts. Each signature is created with defaults that reflect a preferred normal behavior.
However, you can tune each signature to change this default behavior within the constraints for each
engine type.
The non-alert-generating actions (deny, block, TCP reset) go through the filters for each signature event
unsummarized. The alert-generating actions are not performed on each of the summarized events; instead the
actions are applied to the one summary alert, which is then put through the filters.
If you select one of the other alert-generating actions and do not have it filtered out, the alert is created
even if you do not select Produce Alert. To prevent alerts from being created, you must have all
alert-generating actions filtered out.
Summarization and event actions are processed after the META engine has processed the component
events. This lets the sensor watch for suspicious activity transpiring over a series of events.

Event Action Aggregation

Basic aggregation provides two operating modes. The simple mode involves configuring a threshold
number of hits for a signature that must be met before the alert is sent. A more advanced mode is
timed-interval counting. In this mode, the sensor tracks the number of hits per second and only sends
alerts when that threshold is met. Here a hit is an event that would otherwise be an alert, but it is
not sent out of the sensor as an alert until the threshold number of hits has been exceeded.
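The following Python model is an added illustration of the two aggregation modes and is not code from the Cisco guide; the class and parameter names, the assumption that the simple-mode count restarts after an alert, and the hit stream are all constructed for the example. It replays one burst and one slow drip of hits through both modes so the difference in what reaches the operator is visible.

```python
"""Toy model of the two basic aggregation modes: a simple hit-count threshold
and timed-interval (hits per second) counting. Constructed example, not Cisco
code; parameter names and reset behaviour are assumptions."""
from collections import defaultdict


class SimpleThresholdAggregator:
    """Simple mode: count hits per signature and release an alert once the
    count reaches the threshold. Assumption: the count restarts afterwards."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = defaultdict(int)

    def hit(self, sig_id, t):
        self.counts[sig_id] += 1
        if self.counts[sig_id] >= self.threshold:
            self.counts[sig_id] = 0
            return True
        return False


class TimedIntervalAggregator:
    """Timed-interval mode: count hits per signature within each one-second
    window and release an alert when a window reaches the hits-per-second
    threshold. Assumption: at most one alert per window."""

    def __init__(self, hits_per_second):
        self.hits_per_second = hits_per_second
        self.windows = {}  # sig_id -> [second, count]

    def hit(self, sig_id, t):
        second = int(t)
        win = self.windows.get(sig_id)
        if win is None or win[0] != second:
            win = self.windows[sig_id] = [second, 0]
        win[1] += 1
        return win[1] == self.hits_per_second


# Constructed hit stream: (time in seconds, signature id). Signature 2004 fires
# in a five-hit burst and then twice more; signature 3030 fires slowly.
HITS = [(0.1, 2004), (0.2, 2004), (0.3, 2004), (0.4, 2004), (0.5, 2004),
        (1.2, 2004), (1.3, 2004),
        (0.1, 3030), (2.0, 3030), (4.0, 3030)]


def run(aggregator, hits=HITS):
    """Return the (time, signature) pairs that leave the sensor as alerts."""
    return [(t, sig) for t, sig in sorted(hits) if aggregator.hit(sig, t)]


if __name__ == "__main__":
    print("simple threshold 3 :", run(SimpleThresholdAggregator(3)))
    print("timed 3 hits/second:", run(TimedIntervalAggregator(3)))
```

With a threshold of 3 the simple mode eventually alerts on the slow signature 3030 once its third hit arrives, however far apart the hits are, whereas the timed-interval mode alerts only on the burst of 2004 that reaches three hits inside one second. That is the trade-off the two modes encode: the simple count never forgets, the per-second count only catches rate.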
You can select from the following summarization options:
Fire All—Fire All mode fires an alert each time the signature is triggered. If the threshold is set for
summarization, the following happens: Alerts are fired for each execution until summarization
occurs. After summarization starts only one alert every summary interval fires for each address set.
Alerts for other address sets are either all seen or separately summarized. The signature reverts to
Fire All mode after a period of no alerts of that signature.

Summary—Summary mode fires an alert the first time a signature is triggered, and then additional
alerts for that signature are summarized for the duration of the summary interval. Only one alert
every summary interval should fire for each address set. If the global summary threshold is reached,
the signature goes into Global Summarization mode.
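As an added worked example (not code from the Cisco guide), the Python model below replays a stream of signature triggers through the Fire All and Summary modes described above. The class, the parameter names, the choice of the (attacker, victim) pair as the address set, the rule that Fire All reverts after one full interval without hits, and the reading of the global summary threshold as total hits on the signature within one interval are all assumptions made for the example; the trigger streams are constructed.

```python
"""Toy model of the Fire All and Summary summarization modes. Constructed
example, not Cisco code. An address set is assumed to be the (attacker, victim)
pair; parameter names and the global-threshold semantics are assumptions."""


class SignatureSummarizer:
    def __init__(self, mode, summary_interval, summary_threshold, global_threshold):
        assert mode in ("fire-all", "summary")
        self.mode = mode
        self.interval = summary_interval          # seconds covered by one summary alert
        self.threshold = summary_threshold        # Fire All: per-address-set hits before summarizing
        self.global_threshold = global_threshold  # total hits per interval before global summarization
        self.windows = {}          # address set -> {"start", "count", "absorbed", "summarizing"}
        self.global_window = None  # {"start", "count"} once the signature summarizes globally
        self.total_start, self.total = None, 0
        self.alerts = []           # (time, kind, address set or None, hits represented)

    def _close(self, key, win):
        # Hits absorbed during an interval leave as one summary alert at its end.
        if win["absorbed"]:
            self.alerts.append((win["start"] + self.interval, "summary", key, win["absorbed"]))

    def _enter_global(self, t):
        for key, win in self.windows.items():
            self._close(key, win)
        self.windows.clear()
        self.global_window = {"start": t, "count": 0}

    def hit(self, t, attacker, victim):
        """Feed one trigger of the signature at time t (hits must arrive in time order)."""
        if self.global_window is not None:
            g = self.global_window
            if t >= g["start"] + self.interval:
                self.alerts.append((g["start"] + self.interval, "global-summary", None, g["count"]))
                g = self.global_window = {"start": t, "count": 0}
            g["count"] += 1
            return
        if self.total_start is None or t >= self.total_start + self.interval:
            self.total_start, self.total = t, 0
        self.total += 1
        key = (attacker, victim)
        win = self.windows.get(key)
        if win is None or t >= win["start"] + self.interval:
            summarizing = self.mode == "summary"
            if win is not None:
                self._close(key, win)
                # Fire All keeps summarizing from interval to interval and reverts to
                # per-hit alerts only after a full interval with no hits for this set.
                idle = t >= win["start"] + 2 * self.interval
                summarizing = summarizing or (win["summarizing"] and not idle)
            win = self.windows[key] = {"start": t, "count": 0, "absorbed": 0,
                                       "summarizing": summarizing}
        win["count"] += 1
        if self.mode == "summary" and win["count"] == 1:
            self.alerts.append((t, "alert", key, 1))   # first trigger fires at once
        elif win["summarizing"]:
            win["absorbed"] += 1                        # folded into the summary alert
        else:                                           # Fire All below the threshold
            self.alerts.append((t, "alert", key, 1))
            if win["count"] >= self.threshold:
                win["summarizing"] = True
        if self.total >= self.global_threshold:
            self._enter_global(t)

    def finish(self):
        """Flush open windows at end of input and return all alerts in time order."""
        if self.global_window is not None and self.global_window["count"]:
            g = self.global_window
            self.alerts.append((g["start"] + self.interval, "global-summary", None, g["count"]))
        self.global_window = None
        for key, win in self.windows.items():
            self._close(key, win)
        self.windows.clear()
        return sorted(self.alerts, key=lambda a: (a[0], a[1]))


# Constructed trigger streams: (time in seconds, attacker, victim).
SINGLE_SET_HITS = [(t, "10.0.0.1", "10.0.0.9") for t in (0, 1, 2, 3, 4, 12, 13, 40)]
MANY_SET_HITS = [(0, "10.0.0.1", "10.0.0.9"), (1, "10.0.0.1", "10.0.0.9"),
                 (2, "10.0.0.2", "10.0.0.9"), (3, "10.0.0.2", "10.0.0.9"),
                 (4, "10.0.0.1", "10.0.0.9"), (5, "10.0.0.2", "10.0.0.9"),
                 (6, "10.0.0.3", "10.0.0.9"), (15, "10.0.0.1", "10.0.0.9")]


def run(mode, hits, summary_interval=10, summary_threshold=3, global_threshold=100):
    """Replay a hit stream through the model and return (time, kind, hits) per alert."""
    s = SignatureSummarizer(mode, summary_interval, summary_threshold, global_threshold)
    for t, attacker, victim in hits:
        s.hit(t, attacker, victim)
    return [(time, kind, n) for time, kind, _key, n in s.finish()]


if __name__ == "__main__":
    print("fire-all:", run("fire-all", SINGLE_SET_HITS))
    print("summary :", run("summary", SINGLE_SET_HITS))
    print("global  :", run("fire-all", MANY_SET_HITS, summary_threshold=2, global_threshold=4))
```

For the same eight triggers from one address set, Fire All emits three per-hit alerts before the threshold is reached, then one summary per interval, and returns to per-hit alerts after the quiet gap; Summary mode emits the first alert of each interval and one summary for the rest. In the multi-set stream the global threshold collapses every address set into a single global summary per interval, which is the point at which per-address detail is lost and the operator sees only a count.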
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
General Settings
6-15