Cisco Systems IPS 7.1 Home Security System User Manual
7-34
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring General Settings
alerts when that threshold is met. In this example, a hit is a term used to describe an event, which is
basically an alert, but it is not sent out of the sensor as an alert until the threshold number of hits has
been exceeded.
You can choose from the following summarization options:
• fire-all—Fires an alert each time the signature is triggered. If the threshold is set for summarization, alerts are fired for each execution until summarization occurs. After summarization starts, only one alert every summary interval fires for each address set. Alerts for other address sets are either all seen or separately summarized. The signature reverts to fire-all mode after a period of no alerts for that signature.
• summary—Fires an alert the first time a signature is triggered, and then additional alerts for that signature are summarized for the duration of the summary interval. Only one alert every summary interval should fire for each address set. If the global summary threshold is reached, the signature goes into global summarization mode.
• global-summarization—Fires an alert for every summary interval. Signatures can be preconfigured for global summarization.
• fire-once—Fires an alert for each address set. You can upgrade this mode to global summarization mode.
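As an added illustration that is not part of the Cisco guide, the following simplified Python model shows how the four summarization modes above throttle alerts per address set, including the escalation from fire-all to summary and from summary to global summarization. The interval window, the counting of hits across address sets and the "no hits for one interval" revert rule are assumptions of this model, not Cisco's actual summarizer.

```python
# Constructed model of IPS summarization modes; window and revert rules are assumptions.

class Summarizer:
    """Decide, hit by hit, whether the sensor would send an alert out."""

    def __init__(self, mode, interval, threshold=None, global_threshold=None):
        self.mode, self.interval = mode, interval
        self.threshold, self.global_threshold = threshold, global_threshold
        self.summarizing = mode == "summary"          # per-address-set summarization
        self.global_mode = mode == "global-summarization"
        self.last_sent = {}                           # address set -> time of last alert
        self.last_global = None                       # time of last global alert
        self.fired_once = set()                       # address sets already alerted (fire-once)
        self.window_start, self.hits_in_window, self.last_hit = None, 0, None

    def hit(self, t, addr_set):
        # Assumption: a full interval with no hits reverts fire-all to its normal mode.
        if self.mode == "fire-all" and self.last_hit is not None and t - self.last_hit >= self.interval:
            self.summarizing = False
        self.last_hit = t
        # Start or roll over the summary interval window (hits counted across all address sets).
        if self.window_start is None or t - self.window_start >= self.interval:
            self.window_start, self.hits_in_window = t, 0
        self.hits_in_window += 1
        if self.mode == "fire-once":                  # one alert per address set, ever
            if addr_set in self.fired_once:
                return False
            self.fired_once.add(addr_set)
            return True
        # Escalation: fire-all -> summary at the threshold, summary -> global at the global threshold.
        if self.mode == "fire-all" and self.threshold and self.hits_in_window > self.threshold:
            self.summarizing = True
        if self.summarizing and self.global_threshold and self.hits_in_window > self.global_threshold:
            self.global_mode = True
        if self.global_mode:                          # one alert per interval, all address sets
            if self.last_global is None or t - self.last_global >= self.interval:
                self.last_global = t
                return True
            return False
        if self.summarizing:                          # one alert per interval per address set
            last = self.last_sent.get(addr_set)
            if last is None or t - last >= self.interval:
                self.last_sent[addr_set] = t
                return True
            return False
        return True                                   # fire-all below threshold: every hit alerts


def alert_count(mode, hits, interval=30, threshold=None, global_threshold=None):
    """hits: list of (time, address_set) tuples. Returns how many alerts leave the sensor."""
    s = Summarizer(mode, interval, threshold, global_threshold)
    return sum(s.hit(t, a) for t, a in hits)
```

Feed it a burst of hits from one address set and then a second set to see how each mode collapses the same traffic into a different number of alerts.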
Configuring the General Settings
Use the following commands in service event action rules submode to configure general event action rules settings:
• global-block-timeout—Specifies the number of minutes to block a host or connection. The valid range is 0 to 10000000. The default is 30 minutes.
• global-deny-timeout—Specifies the number of seconds to deny attackers inline. The valid range is 0 to 518400. The default is 3600.
• global-filters-status {enabled | disabled}—Enables or disables the use of the filters. The default is enabled.
• global-metaevent-status {enabled | disabled}—Enables or disables the use of the Meta Event Generator. The default is enabled.
• global-overrides-status {enabled | disabled}—Enables or disables the use of the overrides. The default is enabled.
• global-summarization-status {enabled | disabled}—Enables or disables the use of the summarizer. The default is enabled.
• max-denied-attackers—Limits the number of denied attackers possible in the system at any one time. The valid range is 0 to 100000000. The default is 10000.
Configuring Event Action General Settings
To configure event action general settings, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules0