7-5
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Event Actions
The Cisco IPS supports the following event actions. Most event actions are available in every signature
engine, except where an action is not appropriate for that particular engine.
Alert and Log Actions
produce-alert—Writes the event to the Event Store as an alert.
Note The produce-alert action is not automatic when you enable alerts for a signature. To have an
alert created in the Event Store, you must select produce-alert. If you add a second action,
you must include produce-alert if you want an alert sent to the Event Store. Also, every time
you configure the event actions, a new list is created and it replaces the old list. Make sure
you include all the event actions you need for each signature.
Note There are other event actions that force a produce-alert. These actions use produce-alert as
the vehicle for performing the action. Even if produce-alert is not selected or is filtered, the
alert is still produced. The actions are the following: produce-verbose-alert,
request-snmp-trap, log-attacker-packets, log-victim-packets, and log-pair-packets.
Note A produce-alert event action is added for an event when global correlation has increased the
risk rating of an event, and has added either the deny-packet-inline or deny-attacker-inline
event action.
produce-verbose-alert—Includes an encoded dump of the offending packet in the alert. This action
causes an alert to be written to the Event Store, even if produce-alert is not selected.
log-attacker-packets—Starts IP logging on packets that contain the attacker address and sends an
alert. This action causes an alert to be written to the Event Store, even if produce-alert is not
selected.
log-victim-packets—Starts IP logging on packets that contain the victim address and sends an alert.
This action causes an alert to be written to the Event Store, even if produce-alert is not selected.
log-pair-packets—Starts IP logging on packets that contain the attacker/victim address pair. This
action causes an alert to be written to the Event Store, even if produce-alert is not selected.
request-snmp-trap—Sends a request to the Notification Application component of the sensor to
perform SNMP notification. This action causes an alert to be written to the Event Store, even if
produce-alert is not selected. You must have SNMP configured on the sensor to implement this
action.
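The rules above have two consequences that are easy to get wrong in practice: a new event-action list replaces the old one rather than adding to it, and several actions force produce-alert whether or not it was selected. The following Python model is an added example written for this page, not Cisco code and not the sensor's own implementation; the function names, the warning codes and the sample action lists are constructed here. It computes the effective action set from a configured list, applies the global-correlation rule as stated in the note, and flags the common misconfigurations this section describes (a list that will never write an alert, inline-only actions on a promiscuous sensor, request-snmp-trap without SNMP configured).

```python
"""Model of the Cisco IPS 7.1 event-action rules described in this section.

Added example (not Cisco's code). The rules encode what the manual states:
  - configuring event actions REPLACES the previous list outright;
  - produce-verbose-alert, request-snmp-trap and the log-*-packets actions
    force produce-alert even when it is not selected;
  - global correlation adds produce-alert when it has raised the risk rating
    and has added deny-packet-inline or deny-attacker-inline.
Function names and warning codes are constructed for this example.
"""
from typing import FrozenSet, Iterable, List

# Actions that use produce-alert as their vehicle (manual: the alert is
# produced even if produce-alert is not selected or is filtered).
ALERT_FORCING: FrozenSet[str] = frozenset({
    "produce-verbose-alert", "request-snmp-trap",
    "log-attacker-packets", "log-victim-packets", "log-pair-packets",
})
# Actions the manual marks "(inline only)".
INLINE_ONLY: FrozenSet[str] = frozenset({"deny-packet-inline", "deny-connection-inline"})
# Deny actions that, when added by global correlation, bring produce-alert with them.
GC_DENY: FrozenSet[str] = frozenset({"deny-packet-inline", "deny-attacker-inline"})
# Every action named on this page of the manual.
KNOWN: FrozenSet[str] = ALERT_FORCING | INLINE_ONLY | {"produce-alert", "deny-attacker-inline"}


def set_event_actions(current: Iterable[str], new: Iterable[str]) -> FrozenSet[str]:
    """Configure event actions: the new list replaces the old list entirely.

    `current` is accepted only to make the replacement semantics explicit;
    nothing from it survives.
    """
    del current  # deliberately unused: there is no merge
    return frozenset(new)


def effective_actions(configured: Iterable[str]) -> FrozenSet[str]:
    """Actions the sensor actually performs for a triggered signature."""
    eff = set(configured)
    if eff & ALERT_FORCING:
        eff.add("produce-alert")  # forced alert, even if filtered out
    return frozenset(eff)


def apply_global_correlation(configured: Iterable[str], risk_increased: bool,
                             added: Iterable[str]) -> FrozenSet[str]:
    """Apply the global-correlation note: actions it adds join the list, and
    produce-alert is added when the risk rating rose and a deny action was added."""
    added = set(added)
    eff = set(configured) | added
    if risk_increased and (added & GC_DENY):
        eff.add("produce-alert")
    return effective_actions(eff)


def lint_actions(configured: Iterable[str], inline_mode: bool,
                 snmp_configured: bool) -> List[str]:
    """Return constructed warning codes for a configured action list."""
    cfg = frozenset(configured)
    warnings: List[str] = []
    if cfg - KNOWN:
        warnings.append("UNKNOWN_ACTION")
    if "produce-alert" not in effective_actions(cfg):
        # The manual's first note: without produce-alert nothing reaches the Event Store.
        warnings.append("NO_ALERT_TO_EVENT_STORE")
    if not inline_mode and (cfg & INLINE_ONLY):
        warnings.append("INLINE_ONLY_ACTION_IN_PROMISCUOUS_MODE")
    if "request-snmp-trap" in cfg and not snmp_configured:
        warnings.append("SNMP_NOT_CONFIGURED")
    return warnings


if __name__ == "__main__":
    # Constructed scenario: an operator has produce-alert, then "adds" a deny
    # action by configuring the list again with only the new action.
    before = set_event_actions((), ["produce-alert"])
    after = set_event_actions(before, ["deny-packet-inline"])
    print("configured now:", sorted(after))
    print("warnings:", lint_actions(after, inline_mode=True, snmp_configured=False))
    # Fixed list that keeps the alert and adds packet logging.
    fixed = set_event_actions(after, ["produce-alert", "deny-packet-inline", "log-pair-packets"])
    print("effective:", sorted(effective_actions(fixed)))
```

Running the script shows the replaced list `['deny-packet-inline']` with the `NO_ALERT_TO_EVENT_STORE` warning, which is exactly the situation the first note warns about; the corrected list restores produce-alert explicitly, as the manual requires.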
Deny Actions
deny-packet-inline (inline only)—Terminates the packet.
Note You cannot delete the event action override for deny-packet-inline because it is protected. If
you do not want to use that override, set the override-item-status to disabled for that entry.
deny-connection-inline (inline only)—Terminates the current packet and future packets on this TCP
flow.