Event Action Filters (difference between column Active & Enabled?)

cashqoo · ‎06-16-2008

I have a IPS4260, running v6.0(3).

Under "Configuration" > "Event Action Rules" > "Event Action Filter".

What is the difference between column "Active" and "Enabled"? This is confusing.

mhellman · ‎06-17-2008

I would guess that it's the same as the signatures and the basic premise is that when a filter is disabled, but still active...it gets it still consumes resources on the sensor. If you inactivate the filter, it does not.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddcb14e/0#selected_message

stleary · ‎06-17-2008

Event action filters are evaluated in a specified order. Active means that a filter participates in the order. Enabled means that it can perform a filtering action. Use Disable when you want to preserve the order, but not perform the action (e.g. if you want to turn it off for debugging, but want to keep it's place in the list later). Use Inactive when you don't want the filter in the ordering at all (e.g. if you want to keep it as a reminder, but don't plan to use it again). The filter list is displayed by CLI and IDM in logical order - first all of the Active filters in their specified order, and then all of the Inactive filters. I don't think the designers really intended to have 2 similar options; it is more a side effect of the data model used for storing the configuration.

Farrukh Haroon · ‎06-17-2008

Thank you for your answer. I wish you guys could put a more helpful description in the CLI Guide, IDM Guide and Onine Help. Currently the CLI guide does not even mention one of these options. Online/IDM guide are also very vague.

Regards

Farrukh

mhellman · ‎06-18-2008

Thanks for the clarification Sean. I like your description...any chance you can have it included in the user guide and/or context help?