Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 8 Configuring Event Action Rules
Configuring Event Action Overrides
The following options apply:
• no overrides—Removes an entry or selection setting.
• override-item-status {enabled | disabled}—Enables or disables the use of this override item. The default is enabled.
• risk-rating-range—Specifies the range of risk rating values for this override item. The default is 0 to 100.
• show—Displays system settings and/or history information.
Configuring Event Action Overrides
To add event action overrides, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)#
Step 3 Assign the action for the override:
• Deny packets from the source IP address of the attacker.
sensor(config-eve)# overrides deny-attacker-inline
sensor(config-eve-ove)#
• Do not transmit the single packet causing the alert.
sensor(config-eve)# overrides deny-packet-inline
sensor(config-eve-ove)#
• Do not transmit packets on the specified TCP connection.
sensor(config-eve)# overrides deny-connection-inline
sensor(config-eve-ove)#
• Send TCP RST packets to terminate the connection.
sensor(config-eve)# overrides reset-tcp-connection
sensor(config-eve-ove)#
• Request a block of the connection.
sensor(config-eve)# overrides request-block-connection
sensor(config-eve-ove)#
• Request a block of the attacker host.
sensor(config-eve)# overrides request-block-host
sensor(config-eve-ove)#
• Log the packets from the attacker IP address.
sensor(config-eve)# overrides log-attacker-packets
sensor(config-eve-ove)#
• Log the packets from the victim IP address.
sensor(config-eve)# overrides log-victim-packets
sensor(config-eve-ove)#
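An added example, not part of the Cisco guide: a Python audit that lists enabled deny, reset and block overrides left on a broad risk-rating-range, treating a missing option as the default stated in the options list above. The config line layout in SAMPLE, the function names and the min_low threshold of 90 are assumptions made for illustration.

```python
import re

# Actions on this page that drop, reset or block traffic when the override fires.
ENFORCING = {"deny-attacker-inline", "deny-packet-inline", "deny-connection-inline",
             "reset-tcp-connection", "request-block-connection", "request-block-host"}
DEFAULTS = {"enabled": True, "range": (0, 100)}  # defaults as stated on this page

def parse_overrides(config_text):
    """Return {action: {"enabled": bool, "range": (low, high)}} from config text."""
    overrides, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"overrides\s+(\S+)", line):
            current = overrides.setdefault(m.group(1), dict(DEFAULTS))
        elif current is None:
            continue  # line is outside any override stanza
        elif line == "exit":
            current = None
        elif m := re.fullmatch(r"override-item-status\s+(enabled|disabled)", line, re.I):
            current["enabled"] = m.group(1).lower() == "enabled"
        elif m := re.fullmatch(r"risk-rating-range\s+(\d+)-(\d+)", line):
            current["range"] = (int(m.group(1)), int(m.group(2)))
    return overrides

def broad_enforcing_overrides(config_text, min_low=90):
    """Enabled enforcing overrides whose range starts below min_low (assumed site policy)."""
    return sorted((action, o["range"])
                  for action, o in parse_overrides(config_text).items()
                  if action in ENFORCING and o["enabled"] and o["range"][0] < min_low)

# Constructed sample; the line layout is an assumption, not output captured from a sensor.
SAMPLE = """\
service event-action-rules rules0
overrides deny-attacker-inline
exit
overrides deny-packet-inline
risk-rating-range 90-100
exit
overrides request-block-host
override-item-status disabled
risk-rating-range 50-100
exit
overrides log-attacker-packets
exit
exit
"""
if __name__ == "__main__":
    for action, (low, high) in broad_enforcing_overrides(SAMPLE):
        print(f"{action}: enabled for risk ratings {low}-{high}")
```

In the sample, only deny-attacker-inline is reported: it has no explicit range, so the 0 to 100 default applies and the override would act on every alert regardless of risk rating.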