Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01

Chapter 7: Configuring Event Action Rules
This chapter explains how to add event action rules policies and how to configure event action rules. It contains the following sections:
Event Action Rules Notes and Caveats
Understanding Security Policies
Understanding Event Action Rules
Signature Event Action Processor
Event Actions
Event Action Rules Configuration Sequence
Working With Event Action Rules Policies
Event Action Variables
Configuring Target Value Ratings
Configuring Event Action Overrides
Configuring Event Action Filters
Configuring OS Identifications
Configuring General Settings
Configuring the Denied Attackers List
Monitoring Events

Event Action Rules Notes and Caveats
The following notes and caveats apply to configuring event action rules:

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.

Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly, network participation does not include event data for attacks from IPv6 addresses. Finally, IPv6 addresses do not appear in the deny list.