Cisco Systems IPS 7.1 Home Security System User Manual
7-18
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Event Action Overrides
action is added to the event. For example, if you want any event with a risk rating of 85 or more to generate an SNMP trap, you can set the risk rating range for request-snmp-trap to 85-100. If you do not want to use action overrides, you can disable the entire event action override component.
Note: Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.
Adding, Editing, Enabling, and Disabling Event Action Overrides
Use the overrides {request-block-connection | request-block-host | deny-attacker-inline | deny-packet-inline | deny-attacker-service-pair-inline | deny-attacker-victim-pair-inline | deny-connection-inline | log-attacker-packets | log-victim-packets | log-pair-packets | reset-tcp-connection | produce-alert | produce-verbose-alert | request-rate-limit | request-snmp-trap} command in service event action rules submode to configure the parameters of event action overrides. Use the no overrides command in service event action rules submode to delete the parameters of event action overrides.
Note: You cannot delete the event action override for deny-packet-inline because it is protected. If you do not want to use that override, set the override-item-status to disabled for that entry.
Configure the override event actions, then the risk rating range, then enable or disable the override. The following options apply:
no overrides—Removes an entry or selection setting.
override-item-status {enabled | disabled}—Enables or disables the use of this override item. The default is enabled.
risk-rating-range—Specifies the range of risk rating values for this override item. The default is 0 to 100.
show—Displays system settings and/or history information.
Configuring Event Action Overrides
To add event action overrides, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)#
Step 3 Assign the action for the override:
Deny packets from the source IP address of the attacker.
sensor(config-eve)# overrides deny-attacker-inline
sensor(config-eve-ove)#
Do not transmit the single packet causing the alert.
sensor(config-eve)# overrides deny-packet-inline
sensor(config-eve-ove)#
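The following sensor CLI session is an added example, not a transcript from the guide. It carries the procedure above through the two cases the text describes: the request-snmp-trap override for risk ratings of 85 or more, and the protected deny-packet-inline override, which is disabled rather than deleted. It assumes the risk-rating-range and override-item-status commands take the values exactly as listed in the options above (the 85-100 range form comes from the text); the exit sequence and the "Apply Changes" prompt are assumed from the usual behaviour of this submode, and any command output is omitted rather than invented.

```text
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)#

! Case 1 (from the text): send an SNMP trap for any event with risk rating 85 or higher.
! The override only ADDS request-snmp-trap to whatever actions the signature already has.
sensor(config-eve)# overrides request-snmp-trap
sensor(config-eve-ove)# risk-rating-range 85-100
sensor(config-eve-ove)# override-item-status enabled
sensor(config-eve-ove)# exit
sensor(config-eve)#

! Case 2 (from the note): deny-packet-inline is protected, so "no overrides deny-packet-inline"
! is not available. Disable the item instead of trying to delete it.
sensor(config-eve)# overrides deny-packet-inline
sensor(config-eve-ove)# override-item-status disabled
sensor(config-eve-ove)# exit
sensor(config-eve)#

! Verify the override entries before leaving the submode (output not shown here).
sensor(config-eve)# show settings

! Leaving service submode prompts to apply the changes (assumed prompt wording).
sensor(config-eve)# exit
Apply Changes:?[yes]: yes
sensor(config)#
```

Two points worth checking on a real sensor after this: confirm with show settings that the request-snmp-trap entry shows the 85-100 range and enabled status, and that the deny-packet-inline entry is still present but disabled, since a disabled override never fires regardless of its risk rating range.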