Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Event Action Filters
signature-id-range—Specifies the range set of signature ID(s) for this item (for example, 1000-2000,3000-3000).
stop-on-match {true | false}—Specifies whether to continue evaluating filters or stop when this filter item is matched.
subsignature-id-range—Specifies the range set of subsignature ID(s) for this item (for example, 0-2,5-5).
user-comment—Lets you add your comments about this filter item.
victim-address-range—Specifies the range set of victim address(es) for this item (for example, 10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255).
Note: The second IP address in the range must be greater than or equal to the first IP address. If you do not specify a victim address range, all IPv4 attacker addresses are matched.
victim-port-range—Specifies the range set of victim port(s) for this item (for example, 147-147,8000-10000).
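The range-set syntax in the option list above (comma-separated low-high pairs, where the second value must be greater than or equal to the first) can be checked before the values are typed into the sensor. The following Python is an added example, not part of the Cisco guide or the sensor software; the function names are hypothetical, only IPv4 address ranges are handled, and treating the defaults quoted in the configuration steps as hard bounds is an assumption.

```python
import ipaddress

# Bounds are the defaults quoted in the steps on this page; treating them as
# hard limits is an assumption of this example.
LIMITS = {"signature-id-range": (900, 65535),
          "subsignature-id-range": (0, 255), "victim-port-range": (0, 65535)}
ADDRESS_OPTIONS = {"attacker-address-range", "victim-address-range"}  # IPv4 only
# Constructed input: values from the option list, with one range reversed.
SAMPLE = {"signature-id-range": "1000-2000,3000-3000",
          "victim-address-range": "10.20.1.0-10.20.1.255,10.20.5.255-10.20.5.0"}


def parse_range_set(option, value):
    """Parse 'low-high,low-high' into [(low, high), ...]; ValueError if invalid."""
    ranges = []
    for item in value.split(","):
        low_s, sep, high_s = item.strip().partition("-")
        if not sep:
            raise ValueError(f"'{item}' is not in low-high form")
        if option in ADDRESS_OPTIONS:
            low = int(ipaddress.IPv4Address(low_s))
            high = int(ipaddress.IPv4Address(high_s))
        else:
            low, high = int(low_s), int(high_s)
            floor, ceiling = LIMITS[option]
            if low < floor or high > ceiling:
                raise ValueError(f"'{item}' is outside {floor}-{ceiling}")
        if high < low:
            raise ValueError(f"'{item}' ends below its start")
        ranges.append((low, high))
    return ranges


def lint_filter(values):
    """Return one error string per option whose range set fails to parse."""
    errors = []
    for option, value in values.items():
        try:
            parse_range_set(option, value)
        except ValueError as exc:
            errors.append(f"{option}: {exc}")
    return errors


def in_range_set(option, value, candidate):
    """True if candidate (int, or dotted IPv4 string) falls inside the set."""
    if option in ADDRESS_OPTIONS:
        candidate = int(ipaddress.IPv4Address(candidate))
    return any(lo <= candidate <= hi for lo, hi in parse_range_set(option, value))
```

Running `lint_filter(SAMPLE)` reports the reversed victim address range, and `in_range_set` shows whether a given address, port or signature ID would fall inside a filter before it is deployed.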
Configuring Event Action Filters
To configure event action filters, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules1
sensor(config-eve)#
Step 3 Create the filter name. Use name1, name2, and so forth to name your event action filters. Use the begin | end | inactive | before | after keywords to specify where you want to insert the filter.
sensor(config-eve)# filters insert name1 begin
Step 4 Specify the values for this filter:
a. Specify the signature ID range. The default is 900 to 65535.
sensor(config-eve-fil)# signature-id-range 1000-1005
b. Specify the subsignature ID range. The default is 0 to 255.
sensor(config-eve-fil)# subsignature-id-range 1-5
c. Specify the attacker address range for IPv4 or IPv6.
sensor(config-eve-fil)# attacker-address-range 192.0.2.3-192.0.2.26
sensor(config-eve-fil)# ipv6-attacker-address-range 2001:0db8:3c4d:0015:0000:0000:abcd:ef12
d. Specify the victim address range for IPv4 or IPv6.
sensor(config-eve-fil)# victim-address-range 192.56.10.1-192.56.10.255
sensor(config-eve-fil)# ipv6-victim-address-range ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
e. Specify the victim port range. The default is 0 to 65535.
sensor(config-eve-fil)# victim-port-range 0-434