Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1 (OL-19892-01), page 7-7
Chapter 7 Configuring Event Action Rules, Event Actions
Understanding deny-packet-inline
For signatures that have deny-packet-inline configured as an action or for an event action override that
adds deny-packet-inline as an action, the following actions may be taken:
- dropped-packet
- denied-flow
- tcp-one-way-reset-sent
The deny-packet-inline action is represented as a dropped packet action in the alert. When a
deny-packet-inline occurs for a TCP connection, it is automatically upgraded to a
deny-connection-inline action and seen as a denied flow in the alert. If the IPS denied just one packet,
TCP would simply retransmit that same packet again and again, so the IPS denies the entire connection
to ensure the retransmissions never succeed.
When a deny-connection-inline occurs, the IPS also automatically sends a TCP one-way reset, which
shows up as a TCP one-way reset sent in the alert. When the IPS denies the connection, it leaves an open
connection on both the client (generally the attacker) and the server (generally the victim). Too many
open connections can result in resource problems on the victim. So the IPS sends a TCP reset to the
victim to close the connection on the victim side (usually the server), which conserves the resources of
the victim. It also prevents a failover that would otherwise allow the connection to fail over to a different
network path and reach the victim. The IPS leaves the attacker side open and denies all traffic from it.
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is
selected. The IPS appliance sends a TCP reset packet only to the victim under the following
circumstances:
- When a deny-packet-inline or deny-connection-inline is selected
- When TCP-based signatures and reset-tcp-connection have NOT been selected
In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends
the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the
reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the
ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the
signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the
ASA to send the TCP reset packet to the attacker.
TCP Normalizer Signature Warning
You receive the following warning if you disable a default-enabled TCP Normalizer signature or remove
a default-enabled modify-packet-inline, deny-packet-inline, or deny-connection-inline action:
    Use caution when disabling, retiring, or changing the event action settings of a <Sig ID>
    TCP Normalizer signature for a sensor operating in IPS mode. The TCP Normalizer signature
    default values are essential for proper operation of the sensor.
    If the sensor is seeing duplicate packets, consider assigning the traffic to multiple
    virtual sensors. If you are having problems with asymmetric or out-of-order TCP packets,
    consider changing the normalizer mode from strict evasion protection to asymmetric mode
    protection. Contact Cisco TAC if you require further assistance.
Understanding deny-packet-inline and reset-tcp-connection
Pay attention to the following when configuring deny-packet-inline and reset-tcp-connection:
- If you want to deny attack packets from reaching the victim and also reset the TCP connection for
  that flow, then you must configure BOTH deny-packet-inline AND reset-tcp-connection.
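The rules above (the TCP upgrade of deny-packet-inline to deny-connection-inline with its one-way reset, the appliance versus ASA module reset targets, and the need to configure both deny-packet-inline and reset-tcp-connection to get drop plus full reset) are easy to misread when triaging alerts. The following Python model is an added illustration, not Cisco code from this guide: the Alert record, the function names and the sample events are constructed for the example; only the decision rules they encode come from the text above.

```python
"""Model of how a Cisco IPS sensor reports the deny-packet-inline action and where it
sends TCP resets, following the rules stated in the event action rules chapter.

Added illustration, not Cisco code: the Alert record, the function names and the
sample events are constructed for this example; only the rules they encode come
from the guide.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    """Constructed alert record: what was configured for the triggering signature."""
    protocol: str                       # "tcp" or "udp"
    actions: set                        # event actions configured (after overrides)
    platform: str = "appliance"         # "appliance" or "asa-module"
    swap_attacker_victim: bool = False  # signature reports attacker/victim swapped


def effective_actions(alert):
    """Return the action names an analyst sees in the alert for deny-* actions.

    Modelling choice (assumption): on TCP the upgraded deny-connection-inline
    replaces the dropped-packet entry rather than appearing beside it.
    """
    seen = set()
    configured = set(alert.actions)
    if "deny-packet-inline" in configured:
        if alert.protocol == "tcp":
            # A single dropped segment would simply be retransmitted, so the
            # sensor denies the whole flow instead.
            configured.discard("deny-packet-inline")
            configured.add("deny-connection-inline")
        else:
            seen.add("dropped-packet")
    if "deny-connection-inline" in configured and alert.protocol == "tcp":
        # Denying the flow also triggers a one-way reset toward the victim.
        seen.update({"denied-flow", "tcp-one-way-reset-sent"})
    return seen


def packet_denied(alert):
    """True when the attack traffic is actually dropped (a deny-* action is configured)."""
    return bool(alert.actions & {"deny-packet-inline", "deny-connection-inline"})


def reset_targets(alert):
    """Return which side(s) receive a TCP reset: a subset of {"attacker", "victim"}."""
    if alert.protocol != "tcp":
        return set()
    if "reset-tcp-connection" in alert.actions:
        # Appliance and ASA module both reset both ends for reset-tcp-connection.
        return {"attacker", "victim"}
    if packet_denied(alert):
        if alert.platform == "asa-module" and alert.swap_attacker_victim:
            # The ASA sends the one-way reset to whichever side the signature
            # reports as the victim; swapped signatures point that at the attacker.
            return {"attacker"}
        return {"victim"}
    return set()


def describe(alert):
    """One-line summary combining the three views, for quick review."""
    return (f"{sorted(alert.actions)} on {alert.protocol}/{alert.platform}: "
            f"seen={sorted(effective_actions(alert))}, "
            f"denied={packet_denied(alert)}, resets={sorted(reset_targets(alert))}")


if __name__ == "__main__":
    # Constructed sample events illustrating the cases the guide discusses.
    samples = [
        Alert("tcp", {"deny-packet-inline"}),
        Alert("udp", {"deny-packet-inline"}),
        Alert("tcp", {"reset-tcp-connection"}),
        Alert("tcp", {"deny-packet-inline", "reset-tcp-connection"}),
        Alert("tcp", {"deny-packet-inline"}, platform="asa-module",
              swap_attacker_victim=True),
    ]
    for a in samples:
        print(describe(a))
```

Running the samples shows the practical consequence of the last bullet: deny-packet-inline alone on a TCP flow yields a denied flow and a one-way reset to the victim only, reset-tcp-connection alone resets both ends but drops nothing, and only the combination both denies the packets and resets both sides.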