Cisco Systems IPS 7.1 Home Security System User Manual


7-8
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Event Action Rules Configuration Sequence
Configuring reset-tcp-connection alone only resets the TCP connection; the attack packet is not denied from reaching the victim.
Configuring deny-packet-inline alone only denies the attack packet from reaching the victim. It does not trigger a TCP reset.
For More Information
For the procedure for configuring denied attackers, see Monitoring and Clearing the Denied Attackers List, page 7-37.
For the procedure for configuring the general settings, see Configuring the General Settings, page 7-34.
For the procedures for configuring blocking devices, see Chapter 14, “Configuring Attack Response Controller for Blocking and Rate Limiting.”
For the procedures for configuring SNMP, see Chapter 15, “Configuring SNMP.”
Event Action Rules Configuration Sequence
Follow these steps when configuring the event action rules component of the IPS:
1. Create any variables that you want to use in event action filters.
2. Create target value ratings. Assign target value ratings to your network assets so that you can calculate the risk rating.
3. Create overrides to add actions based on the risk rating value. Assign a risk rating to each event action type.
4. Create filters. Assign filters to subtract actions based on the ID, IP addresses, and risk rating of the signature.
5. Create OS mappings. OS mappings are used for the attack relevance rating in the calculation of the risk rating for an alert.
6. Configure the general settings. Specify whether you want to use the summarizer, the meta event generator, or configure denied attacker parameters.
Working With Event Action Rules Policies
Use the service event-action-rules name command in service event action rules submode to create an event action rules policy. The values of this event action rules policy are the same as the default event action rules policy, rules0, until you edit them. Or you can use the copy event-action-rules source_destination command in privileged EXEC mode to make a copy of an existing policy and then edit the values of the new policy as needed. Use the list event-action-rules-configurations command in privileged EXEC mode to list the event action rules policies. Use the no service event-action-rules name command in global configuration mode to delete an event action rules policy. Use the default service event-action-rules name command in global configuration mode to reset the event action rules policy to factory settings.
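The following annotated CLI session is an added example, not taken from the guide, showing the full lifecycle of a policy with the commands above and the mode each one runs in. The prompts (sensor#, sensor(config)#, sensor(config-eve)#), the policy name rules1, the list output, and the treatment of source and destination as two separate arguments to copy are assumptions; lines beginning with ! are annotations, not sensor input.

```cisco
! Added example (not from the guide). Prompts, rules1, and output are assumed.
! Privileged EXEC: list existing policies (only the default policy exists so far)
sensor# list event-action-rules-configurations
Event Action Rules
   rules0
! Privileged EXEC: clone rules0 into a new policy named rules1 (source then destination)
sensor# copy event-action-rules rules0 rules1
! Global configuration mode, then the service submode for the new policy
sensor# configure terminal
sensor(config)# service event-action-rules rules1
! ... edit variables, target value ratings, overrides, filters, OS mappings here ...
sensor(config-eve)# exit
! Global configuration mode: return rules1 to factory settings
sensor(config)# default service event-action-rules rules1
! Global configuration mode: delete rules1 entirely
sensor(config)# no service event-action-rules rules1
sensor(config)# exit
! Privileged EXEC: confirm only rules0 remains
sensor# list event-action-rules-configurations
Event Action Rules
   rules0
```

Editing the default policy rules0 directly affects every virtual sensor that uses it, so cloning it first and assigning the copy limits the blast radius of a mistaken override or filter.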