How many event actions filters a cisco ips can support

Unanswered Question
Apr 26th, 2010

we are running cisco ips 7.0(2) E4, and we are planning to tune some of the traffic everyday.......any idea how many event action filters can be applied to a sensor or is there is any maximum limit on the number of filters?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Mon, 04/26/2010 - 05:02

There is no limit to how many event action filters you can configure. I assume that you also know that event action filters is ordered list:

Also, found this bug FYI: bugID: CSCtf78755:

(When over 495 event action filters are configured via CLI, it's corrupting "rules0.xml" file)

Hope that answers your question.

exploit_haxor Mon, 04/26/2010 - 11:53

Thanks a lot that was really helpful, just had another question if 495 event action filters is corrupting rules0.xml then i assume that the IPS will not function properly, In that case what is the work around? and if more filters need to be added, how can this be done?

Jennifer Halim Mon, 04/26/2010 - 20:21

As of today, the only workaround is to optimize the event filters so you don't hit the 495 filters. The bug is currently under progress to be fixed, so monitor the bug for the version that will have the permanent fix.


This Discussion