Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Event Action Filters
Understanding Event Action Filters
Note: Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.
For global correlation inspection, the sensor does not receive or process reputation data for IPv6
addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,
network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6
addresses do not appear in the deny list.
Note: Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or
rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried
out.
Event action filters are processed as an ordered list and you can move filters up or down in the list. Filters
let the sensor perform certain actions in response to the event without requiring the sensor to perform all
actions or remove the entire event. Filters work by removing actions from an event. A filter that removes
all actions from an event effectively consumes the event.
Note: When filtering sweep signatures, we recommend that you do not filter the destination addresses. If there
are multiple destination addresses, only the last address is used for matching the filter.
Caution: Event action filters based on source and destination IP addresses do not function for the Sweep engine,
because they do not filter as regular signatures. To filter source and destination IP addresses in sweep
alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.
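The following Python sketch is an added illustration, not Cisco code or sensor configuration. It models the ordered, action-removing behaviour described above and the note that only the last destination address of a sweep alert is compared against a filter. The field names, the filter names, the CIDR matching and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Filter:
    name: str
    sig_ids: range                 # signature IDs the filter applies to
    attacker_net: str              # source range (CIDR, assumed notation)
    victim_net: str                # destination range (CIDR, assumed notation)
    actions_to_remove: frozenset

    def matches(self, event):
        # Per the sweep note: when an alert carries several destination
        # addresses, only the last one is compared against the filter.
        victim = event["victims"][-1]
        return (event["sig_id"] in self.sig_ids
                and ip_address(event["attacker"]) in ip_network(self.attacker_net)
                and ip_address(victim) in ip_network(self.victim_net))

def apply_filters(event, filters):
    """Walk the filters in list order, subtracting actions from the event.
    Returns (remaining_actions, names_of_filters_that_matched)."""
    remaining, hits = set(event["actions"]), []
    for f in filters:
        if not remaining:          # every action removed: the event is consumed
            break
        if f.matches(event):
            remaining -= f.actions_to_remove
            hits.append(f.name)
    return remaining, hits

# Constructed sample data (documentation address ranges, hypothetical filters).
ALL = frozenset({"produce-alert", "deny-packet-inline"})
FILTERS = [
    Filter("trusted-scanner", range(3000, 3100), "10.1.1.0/24", "0.0.0.0/0", ALL),
    Filter("lab-no-deny", range(1000, 6000), "0.0.0.0/0", "192.0.2.0/24",
           frozenset({"deny-packet-inline"})),
]
EVENTS = {
    "scanner": {"sig_id": 3030, "attacker": "10.1.1.5",
                "victims": ["198.51.100.7"], "actions": ALL},
    "lab": {"sig_id": 2004, "attacker": "203.0.113.9",
            "victims": ["192.0.2.10"], "actions": ALL},
    "sweep": {"sig_id": 3030, "attacker": "203.0.113.9", "actions": ALL,
              "victims": ["192.0.2.10", "192.0.2.11", "198.51.100.7"]},
}

if __name__ == "__main__":
    for label, ev in EVENTS.items():
        print(label, apply_filters(ev, FILTERS))
```

In the "sweep" event two of the three destinations fall inside the range that "lab-no-deny" covers, yet the filter does not match because only the last address is checked, which is why destination filtering is not recommended for sweep signatures.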
Configuring Event Action Filters
Note: Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.
For global correlation inspection, the sensor does not receive or process reputation data for IPv6
addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,
network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6
addresses do not appear in the deny list.
Note: Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or
rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried
out.
You can configure event action filters to remove specific actions from an event or to discard an entire
event and prevent further processing by the sensor. You can use event action variables that you defined
to group addresses for your filters.