Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
SensorApp
– Victim port
– Risk rating threshold range
– Actions to subtract
– Sequence identifier (optional)
– Stop-or-continue bit
– Enable action filter line bit
– Victim OS relevance or OS relevance
• Signature Event Action Handler—Performs the requested actions. The output from the Signature
Event Action Handler is the actions being performed and possibly an evIdsAlert written to the Event
Store.
Figure A-5 illustrates the logical flow of the signature event through the Signature Event Action
Processor and the operations performed on the action for this event. It starts with the signature event with
configured action received in the Alarm Channel and flows top to bottom as the signature event passes
through the functional components of the Signature Event Action Processor.
Figure A-5 Signature Event Through Signature Event Action Processor
[Figure: flow, top to bottom: Signature event with configured action → Event count → Signature event action override (Add action based on RR) → Signature event action filter (Subtract action based on signature, address, port, RR, etc.) → Signature event summary filter (Subtract action based on current summary mode) → Signature event action handler (Perform action) → Consumed signature event]
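The override and filter stages of this flow, as an added example: a simplified Python model, not Cisco's code or CLI syntax. The class and function names, the signature ID 60001, and the sample rules are assumptions; event counting and the summary filter are left out.

```python
from dataclasses import dataclass

@dataclass
class Event:
    sig_id: int          # constructed sample value, not a real signature
    victim_port: int
    risk_rating: int     # RR, 0-100
    actions: set         # actions configured on the signature

@dataclass
class Override:          # hypothetical: add an action when RR is in range
    action: str
    rr_lo: int
    rr_hi: int

@dataclass
class ActionFilter:      # hypothetical: a subset of the filter fields listed above
    sig_id: int
    victim_ports: range
    rr_lo: int
    rr_hi: int
    subtract: set        # actions to subtract
    stop: bool = False   # stop-or-continue bit
    enabled: bool = True # enable action filter line bit

def process(ev, overrides, filters):
    """Return the actions left for the handler to perform."""
    actions = set(ev.actions)
    for o in overrides:                       # override stage: add by RR
        if o.rr_lo <= ev.risk_rating <= o.rr_hi:
            actions.add(o.action)
    for f in filters:                         # filter stage: subtract, in order
        if not f.enabled:
            continue
        if (f.sig_id == ev.sig_id and ev.victim_port in f.victim_ports
                and f.rr_lo <= ev.risk_rating <= f.rr_hi):
            actions -= f.subtract
            if f.stop:                        # no later filter sees this event
                break
    return sorted(actions)

OVERRIDES = [Override("deny-packet-inline", 90, 100)]
FILTERS = [
    ActionFilter(60001, range(80, 81), 90, 100, {"deny-packet-inline"}, stop=True),
    ActionFilter(60001, range(0, 65536), 0, 100, {"produce-alert"}),
]

if __name__ == "__main__":
    for port, rr in [(80, 95), (443, 95), (80, 50)]:
        ev = Event(60001, port, rr, {"produce-alert"})
        print(port, rr, process(ev, OVERRIDES, FILTERS))
```

In this model, filter order together with the stop bit decides which subtractions reach an event, so a broad filter placed ahead of a narrow one can silently remove a deny or alert action.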