How to change default action "alarm" for all signatures?

Jul 30th, 2009

My question belongs to a Cisco 1712 (128 MB, IOS 12.3T, SDM 2.5 installed):

I'm trying to change the default action "alarm" to "alarm,reset,drop" for all signatures of my custom set.

However, doing so via SDM fails. At first it appears to have been done correctly, but after compiling the signatures again, the default values are back (in the same way, I was unable to delete signatures; that works only using the CLI).

I followed the instructions at cisco.com:

router(config)#ip ips signature-definition
router(config-sigdef)#signature 6130 10
router(config-sigdef-sig)#engine
router(config-sigdef-sig-engine)#event-action produce-alert
router(config-sigdef-sig-engine)#event-action deny-packet-inline
router(config-sigdef-sig-engine)#event-action reset-tcp-connection
router(config-sigdef-sig-engine)#exit

However, ip ips signature-definition is not understood by the router, so the procedure fails.

Can you please assist me?

vmoopeung Wed, 08/05/2009 - 08:42

You can use the IOS command-line interface (CLI) to change signature actions for one signature or a group of signatures based on signature categories. The following example shows how to change the signature action to alert, drop and reset for signature 6130 with a subsig ID of 10.

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip ips signature-definition
router(config-sigdef)#signature 6130 10
router(config-sigdef-sig)#engine
router(config-sigdef-sig-engine)#event-action produce-alert
router(config-sigdef-sig-engine)#event-action deny-packet-inline
router(config-sigdef-sig-engine)#event-action reset-tcp-connection
router(config-sigdef-sig-engine)#exit
router(config-sigdef-sig)#exit
router(config-sigdef)#exit
Do you want to accept these changes? [confirm]y
router(config)#

tobiaseichner Thu, 08/06/2009 - 00:22

Hi vmoopeung, I really appreciate your help.

But what you describe is exactly the problem I'm facing. The procedure doesn't work on IOS 12.3T; it requires (if I remember correctly) 12.4 at least.
