12-11-2008 12:39 PM - edited 03-10-2019 04:25 AM
Can I configure 'event action filters' from the CLI or do I have to use SDM?
12-13-2008 06:09 AM
You can change actions from the CLI on a signature/category basis, not so sure about removing actions:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1053954
Regards
Farrukh
12-15-2008 06:37 AM
I want to change the 'event action filters' where I can put in a certain IP address that should be ignored by the IPS.
12-15-2008 11:06 AM
This is exactly what the 'event action filter' does. Whichever hosts you want to be ignored, add them using commas (as per my previous post), then subtract the action 'Produce Alert'.
Regards
Farrukh
12-15-2008 11:15 AM
I'm sorry, I didn't see in your last post where 'exactly' you add the IP address of the hosts from the command line. Can you show me the command to enter on the 2851 to ignore a particular host from a particular signature? Thanks.
12-15-2008 12:00 PM
I'm sorry, I got confused with another thread I was working on. This is how you do it on an IPS sensor.
On IOS IPS, it used to be done using the following command:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1030715
The ACL at the command was used to select which IPs that particular signature is valid for. However, it seems that command has been removed in 12.4(11)T and I can't find any other way to do the same in the 5.x format introduced in 12.4(11)T.
Regards
Farrukh