7-6
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Event Actions
deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker address/victim port pair for a specified period of time.

deny-attacker-inline (inline only)—Terminates the current packet and future packets from this attacker address for a specified period of time.

The sensor maintains a list of attackers being denied by the system. To remove an entry from the denied attacker list, you can view the list of attackers and clear the entire list, or you can wait for the timer to expire. The timer is a sliding timer for each entry. Therefore, if attacker A is being denied, but issues another attack, the timer for attacker A is reset and attacker A remains in the denied attacker list until the timer expires. If the denied attacker list is at capacity and cannot add a new entry, the packet is still denied.
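The following is an added illustration of the denied attacker list behaviour described above; it is hypothetical example code written for this page, not Cisco IPS software. The class and function names, the packet dictionaries and the timeline (30-second deny period, list capacity of 2) are constructed. It shows the three tracking keys (attacker address, attacker/victim pair, attacker address/victim port pair), the sliding timer being reset by a second attack, expiry, the operator clearing the list, and the at-capacity case in which the triggering packet is still denied but no entry is added.

```python
# Added illustration of the denied-attacker list, not Cisco IPS code.
# Names are hypothetical and the sample timeline is constructed.
from dataclasses import dataclass, field


def deny_key(action, pkt):
    """Map each inline deny action to the key it tracks, as the text describes."""
    if action == "deny-attacker-inline":
        return ("attacker", pkt["src"])
    if action == "deny-attacker-victim-pair-inline":
        return ("attacker-victim", pkt["src"], pkt["dst"])
    if action == "deny-attacker-service-pair-inline":
        return ("attacker-service", pkt["src"], pkt["dport"])
    raise ValueError(f"not an inline deny action: {action}")


@dataclass
class DeniedAttackerList:
    deny_seconds: float                          # configured deny period per entry
    capacity: int                                # maximum entries the list can hold
    entries: dict = field(default_factory=dict)  # key -> expiry timestamp

    def _expire(self, now):
        # Drop entries whose sliding timer has run out.
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def on_signature_fire(self, action, pkt, now):
        """A signature carrying `action` fired on `pkt`.
        Returns (dropped, tracked). The packet is always dropped; it is tracked
        for future packets only if the list has room or the key is already
        present (in which case the sliding timer is reset)."""
        self._expire(now)
        key = deny_key(action, pkt)
        if key in self.entries or len(self.entries) < self.capacity:
            self.entries[key] = now + self.deny_seconds
            return True, True
        # At capacity: this packet is still denied, but no entry is added.
        return True, False

    def on_packet(self, pkt, now):
        """A later packet that fired no signature: dropped only if it matches an
        unexpired entry. Matching does not reset the timer; only a new attack does."""
        self._expire(now)
        keys = (("attacker", pkt["src"]),
                ("attacker-victim", pkt["src"], pkt["dst"]),
                ("attacker-service", pkt["src"], pkt["dport"]))
        return any(k in self.entries for k in keys)

    def view(self):
        # The operator can view the list ...
        return sorted(self.entries)

    def clear(self):
        # ... or clear the entire list.
        self.entries.clear()


def run_scenario():
    """Constructed timeline: deny period 30 s, list capacity 2."""
    dal = DeniedAttackerList(deny_seconds=30, capacity=2)
    a = {"src": "10.0.0.1", "dst": "192.0.2.10", "dport": 80}
    b = {"src": "10.0.0.2", "dst": "192.0.2.10", "dport": 80}
    c = {"src": "10.0.0.3", "dst": "192.0.2.10", "dport": 80}
    log = {}
    log["a_attack_t0"] = dal.on_signature_fire("deny-attacker-inline", a, now=0)     # (True, True)
    log["a_packet_t10"] = dal.on_packet(a, now=10)                                   # True, entry expires at 30
    log["a_attack_t25"] = dal.on_signature_fire("deny-attacker-inline", a, now=25)   # timer slides to 55
    log["a_packet_t40"] = dal.on_packet(a, now=40)                                   # True only because of the reset
    log["a_packet_t56"] = dal.on_packet(a, now=56)                                   # False, timer expired
    # Capacity: A and B fill the list; C's packet is denied but C is not tracked.
    dal.clear()
    dal.on_signature_fire("deny-attacker-inline", a, now=100)
    dal.on_signature_fire("deny-attacker-victim-pair-inline", b, now=100)
    log["c_attack_t105"] = dal.on_signature_fire("deny-attacker-inline", c, now=105)  # (True, False)
    log["c_packet_t106"] = dal.on_packet(c, now=106)                                  # False, never tracked
    log["tracked_after_capacity"] = dal.view()
    return log
```

The at-capacity branch is the part operators most often misread: the denied verdict for the triggering packet does not depend on the list having room, but protection against that attacker's subsequent non-triggering packets does.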
modify-packet-inline (inline only)—Modifies packet data to remove ambiguity about what the end point might do with the packet.

Note You cannot use modify-packet-inline as an action when adding event action filters or overrides.

Other Actions

request-block-connection—Sends a request to ARC to block this connection. You must have blocking devices configured to implement this action.

Note Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.

Note IPv6 does not support request-block-connection.

request-block-host—Sends a request to ARC to block this attacker host. You must have blocking devices configured to implement this action.

Note IPv6 does not support request-block-host.

request-rate-limit—Sends a rate limit request to ARC to perform rate limiting. You must have rate limiting devices configured to implement this action.

Note The request-rate-limit action applies to a select set of signatures.

Note IPv6 does not support request-rate-limit.

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow. The reset-tcp-connection action only works on TCP signatures that analyze a single connection. It does not work for sweeps or floods.
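As an added example (not Cisco code), the following checker collects the applicability rules stated in this section so that an action chosen for a signature, filter or override can be validated before it is committed: the inline-only actions, the restriction on modify-packet-inline in filters and overrides, the blocking or rate limiting device that the ARC actions require, the lack of IPv6 support for those actions, the adaptive security appliance limitation on connection blocks, and the single-connection TCP requirement of reset-tcp-connection. The `ActionContext` fields and all function names are hypothetical; the "select set of signatures" to which request-rate-limit applies is not enumerated on the page and is therefore not checked.

```python
# Added example, not Cisco IPS code: validates an event action against the
# rules stated in this section. Context fields and names are hypothetical.
from dataclasses import dataclass
from typing import Optional

INLINE_ONLY = {
    "deny-attacker-victim-pair-inline",
    "deny-attacker-service-pair-inline",
    "deny-attacker-inline",
    "modify-packet-inline",
}
# ARC actions and the kind of device each one needs configured.
ARC_ACTIONS = {
    "request-block-connection": "blocking",
    "request-block-host": "blocking",
    "request-rate-limit": "rate-limiting",
}


@dataclass
class ActionContext:
    inline: bool                    # traffic is seen on an inline interface
    ipv6: bool                      # the flow is IPv6
    signature_type: str             # "single-tcp-connection", "sweep", "flood", ...
    where: str                      # "signature", "filter" or "override"
    blocking_device: Optional[str]  # None, "router", "switch" or "asa"
    rate_limit_device: bool         # a rate limiting device is configured


def action_problems(action: str, ctx: ActionContext) -> list:
    """Return the reasons `action` is not usable in `ctx`; empty means usable."""
    problems = []
    if action in INLINE_ONLY and not ctx.inline:
        problems.append(f"{action} is inline only")
    if action == "modify-packet-inline" and ctx.where in ("filter", "override"):
        problems.append("modify-packet-inline cannot be used in event action "
                        "filters or overrides")
    if action in ARC_ACTIONS:
        if ctx.ipv6:
            problems.append(f"IPv6 does not support {action}")
        if ARC_ACTIONS[action] == "blocking" and ctx.blocking_device is None:
            problems.append(f"{action} requires a blocking device")
        if ARC_ACTIONS[action] == "rate-limiting" and not ctx.rate_limit_device:
            problems.append(f"{action} requires a rate limiting device")
        if action == "request-block-connection" and ctx.blocking_device == "asa":
            problems.append("adaptive security appliances do not support "
                            "connection blocks; they support host blocks only")
    if action == "reset-tcp-connection" and ctx.signature_type != "single-tcp-connection":
        problems.append("reset-tcp-connection only works on TCP signatures "
                        "that analyze a single connection")
    # Not checked: request-rate-limit applies only to a select set of signatures.
    return problems


def review_actions(actions, ctx: ActionContext) -> dict:
    """Check every action in a proposed override or filter; maps action -> problems."""
    return {a: action_problems(a, ctx) for a in actions}
```

Run `review_actions` over the action set of each override before enabling it; any non-empty list is an action the sensor either cannot apply in that deployment or cannot apply to that signature class, so it would silently provide no protection.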