8-15
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Configuring Signatures
alert-traits: 0 <defaulted>
release: custom <defaulted>
-----------------------------------------------
vulnerable-os: aix|linux default: general-os
*---> engine
-----------------------------------------------
-----------------------------------------------
event-counter
-----------------------------------------------
event-count: 1 <defaulted>
event-count-key: Axxx <defaulted>
specify-alert-interval
-----------------------------------------------
--MORE--
Step 6 Exit signatures submode.
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or enter no to discard them.
Assigning Actions to Signatures
Use the event-action command in signature definition submode to configure the actions the sensor takes
when the signature fires. The following options apply:
• event-action—Specifies the type of event action the sensor should perform:
– deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the attacker address for a specified period of time.
– deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker address/victim port pair for a specified period of time.
– deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.
– deny-connection-inline (inline only)—Does not transmit this packet and future packets on the TCP flow.
– deny-packet-inline (inline only)—Does not transmit this packet.
– log-attacker-packets—Starts IP logging of packets containing the attacker address.
– log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.
– log-victim-packets—Starts IP logging of packets containing the victim address.
– produce-alert—Writes the event to the Event Store as an alert.
– produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending packet in the alert.
– request-block-connection—Sends a request to the ARC to block this connection.
– request-block-host—Sends a request to the ARC to block this attacker host.
– request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.
– request-snmp-trap—Sends a request to the Notification Application component of the sensor to perform SNMP notification.
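The five deny-*-inline actions above differ only in how widely the drop is scoped. The Python below is an added illustration, not code from the Cisco guide: it models that scope for one constructed trigger packet and a set of later packets, so the reach of each action can be compared before choosing it for a signature. The Packet fields, the flow identifier and the 3600-second window standing in for the "specified period of time" are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str    # attacker address (source of the packet that fired)
    dst_ip: str    # victim address
    dst_port: int  # victim port
    flow_id: str   # stand-in for the TCP flow the packet belongs to (constructed)
    ts: float      # seconds since an arbitrary epoch (constructed)

def denied(action: str, trig: Packet, pkt: Packet, window: float = 3600.0) -> bool:
    """True if `pkt` is dropped because `trig` fired a signature with `action`.
    `window` models the 'specified period of time'; 3600 s is an assumed value."""
    if pkt.ts < trig.ts:
        return False                        # nothing before the trigger is touched
    if action == "deny-packet-inline":
        return pkt is trig                  # only the offending packet itself
    if action == "deny-connection-inline":
        return pkt.flow_id == trig.flow_id  # the rest of that TCP flow
    within = pkt.ts - trig.ts <= window
    if action == "deny-attacker-inline":
        return within and pkt.src_ip == trig.src_ip
    if action == "deny-attacker-victim-pair-inline":
        return within and (pkt.src_ip, pkt.dst_ip) == (trig.src_ip, trig.dst_ip)
    if action == "deny-attacker-service-pair-inline":
        return within and (pkt.src_ip, pkt.dst_port) == (trig.src_ip, trig.dst_port)
    raise ValueError(f"not an inline deny action: {action}")

# Constructed traffic: the packet that fired, then later packets that differ
# from it in exactly the dimension each deny action keys on.
TRIGGER = Packet("198.51.100.7", "192.0.2.10", 80, "flowA", 0.0)
LATER = {
    "same-flow":               Packet("198.51.100.7", "192.0.2.10", 80, "flowA", 1.0),
    "same-pair-new-flow":      Packet("198.51.100.7", "192.0.2.10", 443, "flowB", 2.0),
    "same-port-other-victim":  Packet("198.51.100.7", "192.0.2.20", 80, "flowC", 3.0),
    "other-victim-other-port": Packet("198.51.100.7", "192.0.2.30", 22, "flowD", 4.0),
    "other-attacker":          Packet("203.0.113.5", "192.0.2.10", 80, "flowE", 5.0),
    "after-window":            Packet("198.51.100.7", "192.0.2.10", 80, "flowF", 7200.0),
}

def affected(action: str, window: float = 3600.0) -> list:
    """Names of the LATER packets that `action` would drop after TRIGGER fired."""
    return sorted(n for n, p in LATER.items() if denied(action, TRIGGER, p, window))

if __name__ == "__main__":
    for act in ("deny-packet-inline", "deny-connection-inline",
                "deny-attacker-service-pair-inline",
                "deny-attacker-victim-pair-inline", "deny-attacker-inline"):
        print(f"{act:36} -> {affected(act)}")
```

Widening the action (packet, then connection, then the two pairs, then attacker) drops more of the later traffic; the after-window packet shows why the deny period matters when an address is shared or spoofed.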