Chapter 6
Configuring Event Action Rules

The statistics have all been cleared except for the Number of Active Denied Attackers and Number of exec Clear commands during uptime categories. It is important to know if the list has been cleared.

    List of interfaces monitored by this virtual sensor = mypair
    Denied Address Information
       Number of Active Denied Attackers = 2
       Number of Denied Attackers Inserted = 0
       Number of Denied Attackers Total Hits = 0
       Number of times max-denied-attackers limited creation of new entry = 0
       Number of exec Clear commands during uptime = 1
    Denied Attackers and hit count for each.
       10.20.2.5 = 0
       10.20.5.2 = 0

Event Action Rules Example

The following example demonstrates how the individual components of your event action rules work together.

Risk Rating Ranges for Example 1

• Produce Alert—1-100
• Produce Verbose Alert—90-100
• Request SNMP Trap—50-100
• Log Pair Packets—90-100
• Log Victim Packets—90-100
• Log Attacker Packets—90-100
• Reset TCP Connection—90-100
• Request Block Connection—70-89
• Request Block Host—90-100
• Deny Attacker Inline—0-0
• Deny Connection Inline—90-100
• Deny Packet Inline—90-100

Event Action Filters for Example 1

1. SigID=2004, Attacker Address=*, Victim Address=20.1.1.1, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True
2. SigID=2004, Attacker Address=30.1.1.1, Victim Address=*, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True
3. SigID=2004, Attacker Address=*, Victim Address=*, Actions to Remove=None, Risk Rating Range=95-100, StopOnMatch=True

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
6-19
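To see how the risk rating ranges and the three filters above combine for a single event, the following Python model (an added example, not code from the Cisco guide or from the sensor itself) encodes the semantics the guide describes: an event action override adds its action when the event's risk rating falls inside that action's range, and event action filters are walked in order, removing the listed actions when the signature ID, attacker address, victim address and risk rating all match, with StopOnMatch=True ending the walk at the first match. The base action set of signature 2004 (Produce Alert only) and the sample events in main() are constructed assumptions for illustration; the ranges and filters are the ones listed in Example 1.

```python
"""Model of IPS 5.0 event action overrides and filters (added example).

Assumptions (not from the guide): signature 2004 carries only Produce Alert
on its own, and the events evaluated in main() are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Risk Rating Ranges for Example 1: action -> (low, high), inclusive.
OVERRIDES = {
    "Produce Alert": (1, 100),
    "Produce Verbose Alert": (90, 100),
    "Request SNMP Trap": (50, 100),
    "Log Pair Packets": (90, 100),
    "Log Victim Packets": (90, 100),
    "Log Attacker Packets": (90, 100),
    "Reset TCP Connection": (90, 100),
    "Request Block Connection": (70, 89),
    "Request Block Host": (90, 100),
    "Deny Attacker Inline": (0, 0),   # only a risk rating of exactly 0 matches
    "Deny Connection Inline": (90, 100),
    "Deny Packet Inline": (90, 100),
}
ALL = frozenset(OVERRIDES)            # "Actions to Remove=ALL"
NONE = frozenset()                    # "Actions to Remove=None"


@dataclass(frozen=True)
class Filter:
    sig_id: int
    attacker: str                     # "*" or an address / network
    victim: str
    actions_to_remove: frozenset
    rr_range: tuple
    stop_on_match: bool = True


# Event Action Filters for Example 1, in processing order.
FILTERS = [
    Filter(2004, "*", "20.1.1.1", ALL, (1, 100), True),
    Filter(2004, "30.1.1.1", "*", ALL, (1, 100), True),
    Filter(2004, "*", "*", NONE, (95, 100), True),
]


def _addr_matches(pattern, addr):
    """'*' matches anything; otherwise treat the pattern as a host or prefix."""
    if pattern == "*":
        return True
    return ip_address(addr) in ip_network(pattern, strict=False)


def apply_overrides(risk_rating, base_actions=frozenset({"Produce Alert"})):
    """Overrides only ever ADD actions; the signature's own actions stay."""
    added = {a for a, (lo, hi) in OVERRIDES.items() if lo <= risk_rating <= hi}
    return frozenset(base_actions) | added


def apply_filters(sig_id, attacker, victim, risk_rating, actions, filters=FILTERS):
    """Filters only ever REMOVE actions. Returns (remaining, matched_filter_numbers)."""
    remaining = set(actions)
    matched = []
    for number, f in enumerate(filters, 1):
        lo, hi = f.rr_range
        if (f.sig_id == sig_id
                and _addr_matches(f.attacker, attacker)
                and _addr_matches(f.victim, victim)
                and lo <= risk_rating <= hi):
            remaining -= f.actions_to_remove
            matched.append(number)
            if f.stop_on_match:
                break                 # StopOnMatch=True: later filters are skipped
    return frozenset(remaining), matched


def evaluate(sig_id, attacker, victim, risk_rating):
    """Full pipeline for one event: overrides first, then the filter walk."""
    return apply_filters(sig_id, attacker, victim, risk_rating,
                         apply_overrides(risk_rating))


def main():
    # Constructed sample events; attacker 10.1.1.1 and victim 40.1.1.1 are
    # placeholders that match none of the explicit filter addresses.
    samples = [
        (2004, "10.1.1.1", "20.1.1.1", 50),   # victim 20.1.1.1 -> filter 1 strips everything
        (2004, "30.1.1.1", "40.1.1.1", 85),   # attacker 30.1.1.1 -> filter 2 strips everything
        (2004, "10.1.1.1", "40.1.1.1", 96),   # filter 3 matches but removes nothing
        (2004, "10.1.1.1", "40.1.1.1", 75),   # no filter matches; block-connection range
        (2005, "30.1.1.1", "20.1.1.1", 90),   # other signature: filters never apply
    ]
    for sig, att, vic, rr in samples:
        remaining, matched = evaluate(sig, att, vic, rr)
        print(f"sig={sig} {att}->{vic} RR={rr}: filters matched {matched}, "
              f"actions={sorted(remaining)}")


if __name__ == "__main__":
    main()
```

Two details worth checking against your own rules: an address that is already denied by filter 1 or 2 produces no alert at all, because Produce Alert is removed along with every other action, so the sensor is silent for that pairing; and filter 3 removes nothing but still has StopOnMatch=True, which shields events rated 95 and above from any filter that might later be inserted after it.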