cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
687
Views
0
Helpful
3
Replies

How many event actions filters a cisco ips can support

exploit_haxor
Level 1
Level 1

we are running cisco ips 7.0(2) E4, and we are planning to tune some of the traffic everyday.......any idea how many event action filters can be applied to a sensor or is there is any maximum limit on the number of filters?

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

There is no limit to how many event action filters you can configure. I assume that you also know that event action filters is ordered list:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2033432

Also, found this bug FYI: bugID: CSCtf78755:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf78755

(When over 495 event action filters are configured via CLI, it's corrupting "rules0.xml" file)

Hope that answers your question.

Thanks a lot that was really helpful, just had another question if 495 event action filters is corrupting rules0.xml then i assume that the IPS will not function properly, In that case what is the work around? and if more filters need to be added, how can this be done?

As of today, the only workaround is to optimize the event filters so you don't hit the 495 filters. The bug is currently under progress to be fixed, so monitor the bug for the version that will have the permanent fix.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: