Cisco Systems IPS4510K9 Home Security System User Manual


 
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 8 Configuring Event Action Rules
Configuring Event Action Filters
To configure event action filters, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules1
sensor(config-eve)#
Step 3 Create the filter name. Use name1, name2, and so forth to name your event action filters. Use the begin | end | inactive | before | after keywords to specify where you want to insert the filter.
sensor(config-eve)# filters insert name1 begin
Step 4 Specify the values for this filter:
a. Specify the signature ID range. The default is 900 to 65535.
sensor(config-eve-fil)# signature-id-range 1000-1005
b. Specify the subsignature ID range. The default is 0 to 255.
sensor(config-eve-fil)# subsignature-id-range 1-5
c. Specify the attacker address range for IPv4 or IPv6.
sensor(config-eve-fil)# attacker-address-range 192.0.2.3-192.0.2.26
sensor(config-eve-fil)# ipv6-attacker-address-range 2001:0db8:3c4d:0015:0000:0000:abcd:ef12
d. Specify the victim address range for IPv4 or IPv6.
sensor(config-eve-fil)# victim-address-range 192.56.10.1-192.56.10.255
sensor(config-eve-fil)# ipv6-victim-address-range ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
e. Specify the victim port range. The default is 0 to 65535.
sensor(config-eve-fil)# victim-port-range 0-434
f. Specify the OS relevance. The default is 0 to 100.
sensor(config-eve-fil)# os-relevance relevant
g. Specify the risk rating range. The default is 0 to 100.
sensor(config-eve-fil)# risk-rating-range 85-100
h. Specify the actions to remove.
sensor(config-eve-fil)# actions-to-remove reset-tcp-connection
i. If you are filtering a deny action, set the percentage of deny actions you want. The default is 100.
sensor(config-eve-fil)# deny-attacker-percentage 90
j. Specify the status of the filter to either disabled or enabled. The default is enabled.
sensor(config-eve-fil)# filter-item-status {enabled | disabled}
k. Specify the stop on match parameter. True tells the sensor to stop processing filters if this item matches. False tells the sensor to continue processing filters even if this item matches.
sensor(config-eve-fil)# stop-on-match {true | false}
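
The following Python model is an added example, not part of the Cisco guide and not the sensor's own implementation. It shows how an ordered filter list with stop-on-match changes the actions left on an event, so a filter set can be reviewed offline before it suppresses a response. Assumptions: a filter applies only when every criterion matches, unset address ranges match any IPv4 address, and name2 and the sample event are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

def in_range(value, spec):
    """Inclusive 'low-high' check for integer fields (IDs, ports, risk rating)."""
    low, high = (int(x) for x in spec.split("-"))
    return low <= value <= high

def addr_in_range(addr, spec):
    """Inclusive 'first-last' check for IPv4 addresses."""
    first, last = (ipaddress.ip_address(x) for x in spec.split("-"))
    return first <= ipaddress.ip_address(addr) <= last

@dataclass(frozen=True)
class Filter:
    name: str
    signature_id_range: str = "900-65535"   # default stated in step 4a
    subsignature_id_range: str = "0-255"    # default stated in step 4b
    attacker_address_range: str = "0.0.0.0-255.255.255.255"  # assumed: match any
    victim_address_range: str = "0.0.0.0-255.255.255.255"    # assumed: match any
    victim_port_range: str = "0-65535"      # default stated in step 4e
    risk_rating_range: str = "0-100"        # default stated in step 4g
    actions_to_remove: frozenset = frozenset()
    enabled: bool = True                    # filter-item-status
    stop_on_match: bool = False

    def matches(self, ev):
        # Assumption: a filter applies only when every criterion matches.
        return (self.enabled
                and in_range(ev["sig_id"], self.signature_id_range)
                and in_range(ev["subsig_id"], self.subsignature_id_range)
                and addr_in_range(ev["attacker"], self.attacker_address_range)
                and addr_in_range(ev["victim"], self.victim_address_range)
                and in_range(ev["victim_port"], self.victim_port_range)
                and in_range(ev["risk_rating"], self.risk_rating_range))

def apply_filters(filters, ev):
    """Walk the ordered list; return (surviving actions, names of matching filters)."""
    actions, hits = set(ev["actions"]), []
    for f in filters:
        if f.matches(ev):
            actions -= f.actions_to_remove
            hits.append(f.name)
            if f.stop_on_match:
                break
    return actions, hits

# name1 uses the values from the steps above; name2 and EVENT are constructed samples.
NAME1 = Filter("name1", "1000-1005", "1-5", "192.0.2.3-192.0.2.26",
               "192.56.10.1-192.56.10.255", "0-434", "85-100",
               frozenset({"reset-tcp-connection"}), stop_on_match=True)
NAME1_CONTINUE = replace(NAME1, stop_on_match=False)
NAME2 = Filter("name2", actions_to_remove=frozenset({"deny-packet-inline"}))
EVENT = {"sig_id": 1002, "subsig_id": 3, "attacker": "192.0.2.10",
         "victim": "192.56.10.20", "victim_port": 80, "risk_rating": 90,
         "actions": {"produce-alert", "reset-tcp-connection", "deny-packet-inline"}}
```

Comparing `apply_filters([NAME1, NAME2], EVENT)` with `apply_filters([NAME1_CONTINUE, NAME2], EVENT)` shows that stop-on-match on an early filter decides whether later filters can strip further actions. The model leaves out os-relevance, the IPv6 ranges and deny-attacker-percentage.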