Event Action Filters on 2851

Unanswered Question
Dec 11th, 2008

Can I configure 'event action filters' from the CLI or do I have to use SDM?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
markbowman Mon, 12/15/2008 - 06:37

I want to change the 'event action filters' where I can put in a certain ip address that should be ignored by the IPS.

Farrukh Haroon Mon, 12/15/2008 - 11:06

This is exactly what the 'event action filter' does. Whichever hosts you want to be ignored, add them using commas (as per my previous post), then subtract the action 'Produce Alert'.



markbowman Mon, 12/15/2008 - 11:15

I'm sorry, I didn't see in your last post where 'exactly' you add the ip address of the hosts from the command line. Can you show me the command to enter on the 2851 to ignore a particular host from a particular signature? Thanks.

Farrukh Haroon Mon, 12/15/2008 - 12:00

I'm sorry, I got confused with another thread I was working on. This is how you do it on an IPS sensor.

On IOS IPS, it used to be done using the following command:


The ACL at the command was used to select which IPs that particular signature is valid for. However it seems that command has been removed in 12.4(11)T and I can't find any other way to do the same in the 5.x format introduced in 12.4(11)T.




This Discussion