Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 118
Event Action Rules Example

4. SigID=2004, Attacker Address=*, Victim Address=*, Actions to Remove=denyAttackerInline, requestBlockHost, requestBlockConnection, Risk Rating Range=56-94, StopOnMatch=True

5. SigID=2004, Attacker Address=*, Victim Address=*, Actions to Remove=denyAttackerInline, requestBlockHost, produceAlert, resetTcpConnection, logAttackerPackets, Risk Rating Range=1-55, StopOnMatch=True

Results for Example 1

When SIG 2004 is detected:

If the attacker address is 30.1.1.1 or the victim address is 20.1.1.1, the event is consumed (ALL actions are subtracted).

If the attacker address is not 30.1.1.1 and the victim address is not 20.1.1.1:

If the RR is 50, Produce Alert and Request SNMP Trap are added by the event action override component, but Produce Alert is subtracted by the event action filter (filter line 5, Risk Rating Range 1-55). However, the event action policy forces the alert action because Request SNMP Trap is dependent on the <evIdsAlert>.

If the RR is 89, Request SNMP Trap and Request Block Connection are added by the event action override component. However, Request Block Connection is subtracted by the event action filter (filter line 4, Risk Rating Range 56-94).

If the RR is 96, all actions except Deny Attacker Inline and Request Block Connection are added by the event action override component, and none are removed by the event action filter, because 96 lies outside the Risk Rating Range of both filter line 4 and filter line 5. The third filter line with the filter action NONE is optional, but is presented as a clearer way to define this type of filter.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, 78-16527-01, Chapter 6, Configuring Event Action Rules, page 6-20
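The resolution order the results above describe (overrides add actions by risk rating range, filters subtract actions in order until a StopOnMatch filter matches, and the event action policy then forces Produce Alert when Request SNMP Trap survives) is modelled below as an added Python example; it is not sensor code from the guide. The override table and filter lines 1-3 of Example 1 are on the preceding page, so the override ranges and the two address-based filters that consume the event are assumptions chosen only to reproduce the results stated here; the signature's own configured actions are not modelled.

```python
"""Added example: a minimal model of IPS 5.0 event action resolution.

Not the sensor's implementation. It follows the three steps the guide describes:
  1. event action overrides ADD actions whose risk rating (RR) range covers the event,
  2. event action filters SUBTRACT actions, walked in order, stopping at the first
     matching filter that has StopOnMatch=True,
  3. the event action policy re-adds produceAlert when requestSnmpTrap remains,
     because the SNMP trap depends on the <evIdsAlert>.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# The twelve IPS 5.0 event actions; "ALL" in a filter's Actions to Remove expands to this.
ALL_ACTIONS: FrozenSet[str] = frozenset({
    "denyAttackerInline", "denyConnectionInline", "denyPacketInline",
    "logAttackerPackets", "logPairPackets", "logVictimPackets",
    "produceAlert", "produceVerboseAlert",
    "requestBlockConnection", "requestBlockHost", "requestSnmpTrap",
    "resetTcpConnection",
})


@dataclass(frozen=True)
class Override:
    """Event action override: adds `action` when rr_min <= RR <= rr_max."""
    action: str
    rr_min: int
    rr_max: int


@dataclass(frozen=True)
class Filter:
    """Event action filter: subtracts `actions_to_remove` when every field matches."""
    sig_id: int
    attacker: str                    # "*" matches any address
    victim: str
    actions_to_remove: FrozenSet[str]
    rr_min: int
    rr_max: int
    stop_on_match: bool = True


# HYPOTHETICAL override table (the guide's own table is on the preceding page).
# Ranges are chosen only so that the RR 50, 89 and 96 outcomes match the text.
OVERRIDES = (
    Override("produceAlert", 1, 100),
    Override("requestSnmpTrap", 50, 100),
    Override("requestBlockConnection", 85, 95),
) + tuple(
    Override(action, 95, 100)
    for action in sorted(ALL_ACTIONS - {"produceAlert", "requestSnmpTrap",
                                        "requestBlockConnection", "denyAttackerInline"})
)

# Filters in evaluation order. The first two are ASSUMED stand-ins for filter lines
# 1-3 (on the preceding page): they reproduce the stated result that attacker
# 30.1.1.1 or victim 20.1.1.1 consumes the event. Lines 4 and 5 are as printed above.
FILTERS = (
    Filter(2004, "30.1.1.1", "*", ALL_ACTIONS, 1, 100),
    Filter(2004, "*", "20.1.1.1", ALL_ACTIONS, 1, 100),
    Filter(2004, "*", "*",
           frozenset({"denyAttackerInline", "requestBlockHost", "requestBlockConnection"}),
           56, 94),
    Filter(2004, "*", "*",
           frozenset({"denyAttackerInline", "requestBlockHost", "produceAlert",
                      "resetTcpConnection", "logAttackerPackets"}),
           1, 55),
)


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or pattern == addr


def resolve_actions(sig_id: int, attacker: str, victim: str, rr: int,
                    overrides: Iterable[Override], filters: Iterable[Filter]) -> FrozenSet[str]:
    """Return the final action set for one event."""
    # Step 1: overrides add every action whose RR range covers this event.
    actions = {o.action for o in overrides if o.rr_min <= rr <= o.rr_max}

    # Step 2: filters subtract; a matching StopOnMatch filter ends the walk.
    for f in filters:
        if f.sig_id != sig_id or not (f.rr_min <= rr <= f.rr_max):
            continue
        if not (_addr_match(f.attacker, attacker) and _addr_match(f.victim, victim)):
            continue
        actions -= f.actions_to_remove
        if f.stop_on_match:
            break

    # Step 3: policy dependency stated in the guide: requestSnmpTrap needs the alert.
    if "requestSnmpTrap" in actions:
        actions.add("produceAlert")
    return frozenset(actions)


if __name__ == "__main__":
    for rr in (50, 89, 96):
        print(rr, sorted(resolve_actions(2004, "10.1.1.1", "10.2.2.2", rr, OVERRIDES, FILTERS)))
    print("consumed:", resolve_actions(2004, "30.1.1.1", "10.2.2.2", 89, OVERRIDES, FILTERS))
```

Running the block prints the surviving actions for RR 50, 89 and 96 with unfiltered addresses, then the empty set for an event from 30.1.1.1. Note that filter order matters: the two consuming filters must precede lines 4 and 5, otherwise line 5 would match an RR 50 event from 30.1.1.1 first and, with StopOnMatch=True, the event would not be consumed.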