Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
You must preface the event variable with a dollar ($) sign to indicate that you are using a variable rather than a string.

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.

You cannot delete the event action override for deny-packet-inline because it is protected. If you do not want to use that override, set the override-item-status to disabled for that entry.

Passive OS fingerprinting is enabled by default and the IPS contains a default vulnerable OS list for each signature.
Understanding Security Policies
You can create multiple security policies and apply them to individual virtual sensors. A security policy is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you can create new policies. The use of multiple security policies lets you create security policies based on different requirements and then apply these customized policies per VLAN or physical interface.
Understanding Event Action Rules
Event action rules are a group of settings you configure for the event action processing component of the sensor. These rules dictate the actions the sensor performs when an event occurs. The event action processing component is responsible for the following functions:
Calculating the risk rating
Adding event action overrides
Filtering event actions
Executing the resulting event action
Summarizing and aggregating events
Maintaining a list of denied attackers
Note Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.
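As an added illustration (not code from the Cisco guide), the following Python model shows the order in which the event action processing component described above handles one event: overrides add actions by risk rating, filters remove actions, the protected deny-packet-inline override can only be disabled, and the IPv6 limitation from the note is applied before execution. The action names other than deny-packet-inline (request-block-host, request-block-connection, request-rate-limit, produce-alert) and the risk-rating-range shape are assumptions based on Cisco IPS terminology.

```python
# Added illustration, not code from the Cisco guide: a small model of the
# event action processing order described above. Action names other than
# deny-packet-inline, and the risk-rating-range shape, are assumptions.
from dataclasses import dataclass

# Per the guide's note, blocking and rate limiting are not carried out
# for IPv6 traffic; the alert itself is still generated.
IPV6_UNSUPPORTED = {"request-block-host", "request-block-connection",
                    "request-rate-limit"}

@dataclass
class Override:          # adds an action when the risk rating is in range
    action: str
    min_rr: int
    max_rr: int
    enabled: bool = True  # models override-item-status enabled/disabled

@dataclass
class Filter:            # removes actions for a matching signature/risk range
    sig_ids: frozenset    # empty set matches any signature
    min_rr: int
    max_rr: int
    actions_to_remove: frozenset

@dataclass
class Event:
    sig_id: int
    risk_rating: int     # already calculated by the sensor (function 1)
    ipv6: bool
    actions: frozenset   # actions configured on the signature itself

def remove_override(overrides: list, action: str) -> list:
    """Model the protected entry: the deny-packet-inline override cannot
    be deleted; the guide says to set it to disabled instead."""
    if action == "deny-packet-inline":
        raise ValueError("deny-packet-inline override is protected; "
                         "set override-item-status to disabled instead")
    return [o for o in overrides if o.action != action]

def process(event: Event, overrides: list, filters: list):
    """Return (actions to execute, actions skipped) for one event."""
    actions = set(event.actions)
    for o in overrides:                           # function 2: overrides add
        if o.enabled and o.min_rr <= event.risk_rating <= o.max_rr:
            actions.add(o.action)
    for f in filters:                             # function 3: filters remove
        sig_match = not f.sig_ids or event.sig_id in f.sig_ids
        if sig_match and f.min_rr <= event.risk_rating <= f.max_rr:
            actions -= f.actions_to_remove
    skipped = actions & IPV6_UNSUPPORTED if event.ipv6 else set()
    return actions - skipped, skipped             # function 4: execute the rest
```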