Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Event Action Filters
Note: You must preface the event variable with a dollar sign ($) to indicate that you are using a variable rather than a string. Otherwise, you receive the Bad source and destination error.
Use the filters {edit | insert | move} name1 [begin | end | inactive | before | after] command in service
event action rules submode to set up event action filters. The following options apply:
actions-to-remove—Specifies the event actions to remove for this filter item.
attacker-address-range—Specifies the range set of IPv4 attacker address(es) for this item (for
example, 192.0.2.0-192.0.2.254,192.3.2.0-192.3.2.254).
Note: The second IP address in the range must be greater than or equal to the first IP address. If
you do not specify an attacker address range, all IPv4 attacker addresses are matched.
attacker-port-range—Specifies the range set of attacker port(s) for this item (for example,
147-147,8000-10000).
default—Sets the value back to the system default setting.
deny-attacker-percentage—Specifies the percentage of packets to deny for deny attacker features.
The valid range is 0 to 100. The default is 100.
filter-item-status {enabled | disabled}—Enables or disables the use of this filter item.
ipv6-attacker-address-range—Specifies the range set of IPv6 attacker address(es) for this item
(for example, <XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>]).
Note: The second IPv6 address in the range must be greater than or equal to the first IPv6 address.
If you do not specify an IPv6 attacker address range, all IPv6 attacker addresses are matched.
ipv6-victim-address-range—Specifies the range set of victim address(es) for this item
(for example, <XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>]).
Note: The second IPv6 address in the range must be greater than or equal to the first IPv6 address.
If you do not specify an IPv6 victim address range, all IPv6 victim addresses are matched.
no—Removes an entry or selection setting.
os-relevance—Specifies the event OS relevance for this filter:
relevant—Specifies that the event is relevant to the target OS.
not-relevant—Specifies that the event is not relevant to the target OS.
unknown—It is unknown whether the event is relevant to the target OS.
risk-rating-range—Specifies the range of risk rating values for this filter item.
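
The range-set rules above can be checked before values are entered on the sensor. The following Python helper is an added example, not part of the Cisco guide or the sensor software: it parses IPv4, IPv6 and port range sets, enforces the "second value greater than or equal to the first" rule and the 0 to 100 bound on deny-attacker-percentage, and tests whether a value falls inside a filter's range set. The function names are hypothetical; the 0-65535 port bound and the application of the ordering and match-all rules to port ranges are assumptions.

```python
import ipaddress

# Hypothetical helper names; only the option names and rules come from the guide.
CONVERTERS = {
    "ipv4": ipaddress.IPv4Address,
    "ipv6": ipaddress.IPv6Address,
    "port": int,
}


def parse_range_set(text, kind):
    """Parse a range set such as 'a-b,c-d' into a list of (low, high) pairs."""
    convert = CONVERTERS[kind]
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        low_text, sep, high_text = item.partition("-")
        if not sep:
            raise ValueError(f"{item!r}: expected <first>-<second>")
        # Malformed addresses or ports raise ValueError here.
        low, high = convert(low_text.strip()), convert(high_text.strip())
        # Assumption: ports are limited to the 16-bit TCP/UDP range.
        if kind == "port" and not (0 <= low <= 65535 and 0 <= high <= 65535):
            raise ValueError(f"{item!r}: port outside 0-65535")
        # Stated in the guide for addresses; applied to ports as an assumption.
        if high < low:
            raise ValueError(f"{item!r}: second value is less than the first")
        ranges.append((low, high))
    return ranges


def in_range_set(value, text, kind):
    """True if value is inside the range set; an unset range matches everything.

    The guide states the match-all rule for address ranges; using it for
    port ranges as well is an assumption.
    """
    ranges = parse_range_set(text, kind)
    if not ranges:
        return True
    value = CONVERTERS[kind](value)
    return any(low <= value <= high for low, high in ranges)


def check_deny_percentage(value):
    """deny-attacker-percentage: valid range 0 to 100, default 100."""
    if not 0 <= value <= 100:
        raise ValueError(f"{value}: deny-attacker-percentage must be 0-100")
    return value
```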