Event Action Filters on 2851

markbowman · ‎12-11-2008

Can I configure 'event action filters' from the CLI or do I have to use SDM?

Farrukh Haroon · ‎12-13-2008

You can change actions from the CLI on a signature/category basis, not so sure about removing actions:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1053954

Regards

Farrukh

markbowman · ‎12-15-2008

I want to change the 'event action filters' where I can put in a certain ip address that should be ignored by the IPS.

Farrukh Haroon · ‎12-15-2008

This is exactly what the 'event action filter' does. Whichever hosts you want to be ignored, add them using commas (as per my previous post), then subtract the action 'Produce Alert'.

Regards

Farrukh

markbowman · ‎12-15-2008

I'm sorry, I didn't see in your last post where 'exactly' you add the ip address of the hosts from the command line. Can you show me the command to enter on the 2851 to ignore a particular host from a particular signature? Thanks.

Farrukh Haroon · ‎12-15-2008

I'm sorry, I got confused with another thread I was working on. This is how you do it on an IPS sensor.

On IOS IPS, it used to be done using the following command:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1030715

The ACL at the command was used to select which IPs that particular signature is valid for. However it seems that command has been removed in 12.4(11)T and I can't find any other way to do the same in the 5.x format introduced in 12.4(11)T.

Regards

Farrukh