Cisco Systems IPS 7.1 Home Security System User Manual
7-33
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring General Settings
Step 3 Clear the learned OS IDs for a specific IP address on all virtual sensors.
sensor# clear os-identification learned 192.0.2.0
Step 4 Verify that the OS IDs have been cleared.
sensor# show statistics os-identification
Statistics for Virtual Sensor vs0
   OS Identification
      Configured
      Imported
      Learned
Statistics for Virtual Sensor vs1
   OS Identification
      Configured
      Imported
      Learned
sensor#
Configuring General Settings
This section describes the general settings, and contains the following topics:
Understanding Event Action Summarization, page 7-33
Understanding Event Action Aggregation, page 7-33
Configuring the General Settings, page 7-34
Understanding Event Action Summarization
Summarization decreases the volume of alerts sent out from the sensor by providing basic aggregation
of events into a single alert. Each signature has summarization parameters that control how its alerts
are handled. Each signature is created with defaults that reflect its preferred normal behavior.
However, you can tune each signature to change this default behavior within the constraints for each
engine type.
The nonalert-generating actions (deny, block, TCP reset) go through the filters for each signature event
unsummarized. The alert-generating actions are not performed on each of the summarized events; instead
they are applied once to the single summary alert, which is then put through the filters.
If you select one of the other alert-generating actions and do not have it filtered out, the alert is created
even if you do not select produce-alert. To prevent alerts from being created, you must have all
alert-generating actions filtered out.
Summarization and event actions are processed after the Meta engine has processed the component
events. This lets the sensor watch for suspicious activity transpiring over a series of events.
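The following is an added example, not code from the Cisco guide and not Cisco's implementation: a simplified model of the summarization behavior described above. It assumes a summary interval (15 seconds) and a summary key (signature ID plus attacker address), and treats produce-alert and produce-verbose-alert as the alert-generating actions and deny-packet-inline, reset-tcp-connection and request-block-host as the nonalert-generating ones; those groupings and the sample events are assumptions for illustration only. It shows that nonalert actions are applied to every matching event, that alert-generating actions collapse to one alert per interval plus a summary, and that selecting any alert-generating action still produces alerts even when produce-alert is not selected.

```python
"""Simplified model of event-action summarization (illustration only; not Cisco's code).

Assumptions (not from the page): alert-generating actions are applied once per summary
window, nonalert-generating actions are applied to every event, and the summary key is
(signature, attacker address).
"""

ALERT_ACTIONS = {"produce-alert", "produce-verbose-alert"}          # assumed grouping
NON_ALERT_ACTIONS = {"deny-packet-inline", "reset-tcp-connection",  # assumed grouping
                     "request-block-host"}


class Summarizer:
    def __init__(self, actions, summary_interval=15.0, summary_key=("sig", "src")):
        self.actions = set(actions)
        self.interval = summary_interval
        self.key_fields = summary_key
        self.windows = {}       # summary key -> [window_start, hits_in_window]
        self.alerts = []        # alert-generating output: one alert per window plus a summary
        self.per_packet = []    # nonalert actions, one entry per matching event

    def process(self, event):
        # Nonalert-generating actions go through for every event, unsummarized.
        for act in sorted(self.actions & NON_ALERT_ACTIONS):
            self.per_packet.append((event["ts"], act, event["src"]))
        if not self.actions & ALERT_ACTIONS:
            return  # no alert-generating action selected: nothing to summarize
        key = tuple(event[f] for f in self.key_fields)
        win = self.windows.get(key)
        if win is None or event["ts"] - win[0] >= self.interval:
            # Interval rolled over: emit the summary for the old window, start a new one,
            # and apply the alert-generating action once for the first hit of the window.
            self._close_window(key)
            self.windows[key] = [event["ts"], 1]
            self.alerts.append({"type": "alert", "key": key, "ts": event["ts"]})
        else:
            win[1] += 1  # additional hits in the window are only counted

    def _close_window(self, key):
        win = self.windows.pop(key, None)
        if win and win[1] > 1:
            self.alerts.append({"type": "summary", "key": key, "ts": win[0], "hits": win[1]})

    def finish(self):
        """Flush all open windows; returns the list of alerts emitted so far."""
        for key in list(self.windows):
            self._close_window(key)
        return self.alerts


def run_demo():
    # Constructed sample: one attacker trips signature 2004 seven times, six of them
    # inside the first 15-second window and one after it.
    events = [{"ts": t, "sig": 2004, "src": "192.0.2.10"} for t in (0, 1, 2, 5, 8, 10, 20)]
    s = Summarizer({"produce-alert", "deny-packet-inline"}, summary_interval=15.0)
    for e in events:
        s.process(e)
    return s.finish(), s.per_packet


def alerts_without_produce_alert():
    # Selecting produce-verbose-alert but not produce-alert still creates alerts.
    s = Summarizer({"produce-verbose-alert"})
    s.process({"ts": 0, "sig": 2004, "src": "192.0.2.10"})
    return s.finish()


def alerts_with_only_nonalert_actions():
    # With every alert-generating action filtered out, no alert is created,
    # but the deny action is still applied per packet.
    s = Summarizer({"deny-packet-inline"})
    s.process({"ts": 0, "sig": 2004, "src": "192.0.2.10"})
    return s.finish(), s.per_packet


if __name__ == "__main__":
    alerts, per_packet = run_demo()
    print(f"{len(per_packet)} deny actions, {len(alerts)} alert records:")
    for a in alerts:
        print(a)
```

In the demo, seven events yield seven deny actions but only three alert records: the first alert of each window and one summary counting the six hits of the first window.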
Understanding Event Action Aggregation
Basic aggregation provides two operating modes. The simple mode involves configuring a threshold
number of hits for a signature that must be met before the alert is sent. A more advanced mode is
timed-interval counting. In this mode, the sensor tracks the number of hits per second and only sends