Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Event Action Filters
f. Specify the OS relevance. The default is 0 to 100.
sensor(config-eve-fil)# os-relevance relevant
g. Specify the risk rating range. The default is 0 to 100.
sensor(config-eve-fil)# risk-rating-range 85-100
h. Specify the actions to remove.
sensor(config-eve-fil)# actions-to-remove reset-tcp-connection
i. If you are filtering a deny action, set the percentage of deny actions you want. The default is 100.
sensor(config-eve-fil)# deny-attacker-percentage 90
j. Specify the status of the filter to either disabled or enabled. The default is enabled.
sensor(config-eve-fil)# filter-item-status {enabled | disabled}
k. Specify the stop on match parameter. True tells the sensor to stop processing filters if this item
matches. False tells the sensor to continue processing filters even if this item matches.
sensor(config-eve-fil)# stop-on-match {true | false}
l. Add any comments you want to use to explain this filter.
sensor(config-eve-fil)# user-comment NEW FILTER
Step 5 Verify the settings for the filter.
sensor(config-eve-fil)# show settings
NAME: name1
-----------------------------------------------
signature-id-range: 1000-10005 default: 900-65535
subsignature-id-range: 1-5 default: 0-255
attacker-address-range: 192.0.2.3-192.0.2.26 default: 0.0.0.0-255.255.255.255
victim-address-range: 192.56.10.1-192.56.10.255 default: 0.0.0.0-255.255.255.255
ipv6-attacker-address-range: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 default: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
ipv6-victim-address-range: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF default: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
attacker-port-range: 0-65535 <defaulted>
victim-port-range: 1-343 default: 0-65535
risk-rating-range: 85-100 default: 0-100
actions-to-remove: reset-tcp-connection default:
deny-attacker-percentage: 90 default: 100
filter-item-status: Enabled default: Enabled
stop-on-match: True default: False
user-comment: NEW FILTER default:
os-relevance: relevant default: relevant|not-relevant|unknown
------------------------------------------------
sensor(config-eve-fil)#
Step 6 Edit an existing filter.
sensor(config-eve)# filters edit name1
Step 7 Edit the parameters (see Steps 4a through 4l).
Step 8 Move a filter up or down in the filter list.
sensor(config-eve-fil)# exit
sensor(config-eve)# filters move name5 before name1
Step 9 Verify that you have moved the filters.
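The stop-on-match setting (Step 4k) and the filter's position in the list (Step 8) together decide which actions survive for an event. The Python sketch below is an added example, not part of the Cisco guide or the sensor's code: it is a simplified model that matches only on signature ID, attacker address, and risk rating, and the second filter (name5, removing produce-alert) and the sample event are constructed for illustration.

```python
# Simplified model (an assumption for illustration, not Cisco's implementation)
# of ordered event action filter processing with stop-on-match.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Filter:
    name: str
    sig_ids: tuple            # inclusive signature-id-range
    attackers: tuple          # inclusive attacker-address-range
    risk: tuple               # inclusive risk-rating-range
    remove: frozenset         # actions-to-remove
    stop_on_match: bool = False
    enabled: bool = True      # filter-item-status

    def matches(self, ev):
        lo, hi = (ip_address(a) for a in self.attackers)
        return (self.enabled
                and self.sig_ids[0] <= ev["sig_id"] <= self.sig_ids[1]
                and lo <= ip_address(ev["attacker"]) <= hi
                and self.risk[0] <= ev["risk_rating"] <= self.risk[1])


def apply_filters(filters, ev):
    """Walk the list top to bottom; return (remaining actions, filters hit)."""
    actions, hit = set(ev["actions"]), []
    for f in filters:
        if f.matches(ev):
            actions -= f.remove
            hit.append(f.name)
            if f.stop_on_match:   # later filters are never consulted
                break
    return actions, hit


# Constructed sample data: name1 mirrors the values shown in Step 5,
# name5 is a hypothetical broader filter covering the same signature range.
ANY = ("0.0.0.0", "255.255.255.255")
name1 = Filter("name1", (1000, 10005), ("192.0.2.3", "192.0.2.26"), (85, 100),
               frozenset({"reset-tcp-connection"}), stop_on_match=True)
name5 = Filter("name5", (1000, 10005), ANY, (0, 100),
               frozenset({"produce-alert"}))
EVENT = {"sig_id": 1200, "attacker": "192.0.2.10", "risk_rating": 90,
         "actions": {"produce-alert", "reset-tcp-connection"}}

if __name__ == "__main__":
    for order in ([name1, name5], [name5, name1]):   # before / after the move
        print([f.name for f in order], apply_filters(order, EVENT))
```

In this model, moving name5 before name1 changes the outcome for the same event from an alert with no TCP reset to no actions at all, which is why the order should be reviewed after every move.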