Hello,

From your descripition, I assume that the signature causing the deny-attacker action event is not actually creating an alert. You have a few different tools that can help you identify what signature is executing the deny-attacker action.

- Signature configuration view filtering (Configuration -> Policies -> Signature Definitions -> sig0 -> All Signatures)

- Virtual Sensor statistics (Configuration -> Sensor Monitoring -> Support Information -> Statistics -> scroll down to section "Virtual Sensor Statistics" and look for the signature firing counts

- Event Action Overrides (** use this with caution **)

Signature configuration view filtering

Unless your signatures are significantly tuned, you will only have a few configured with the deny-X action. Go into the signature configuration area of IME and filter on Action -> Deny X (where X is any of the Deny Actions). This will help you identify what signatures are potentially executing the deny-attacker action.

Virtual Sensor statistics

Looking at the signature event count will show you what signatures are eventing, but may not be alerting (no Produce-Alert action set). This will lead you to what signatures are potentially executing the deny-attacker action.

Event Action Overrides

Caution, Caution, Caution: If your sensor is reasonably busy, this will cause many alerts to be generated. Use only for troubleshooting and only if you do not normally see a high event rate.

You can configure an Event Action Override of Product Alert *only* for the signatures you see firing in the Virtual Sensor statistics in the time that the deny-attacker action has been executed. This will cause the deny-attacker signature to alert and you can see the deny-attacker action in the event data.

Please let me know if I understand your issue correctly and if the above information helps.

Thank you,
Blayne Dreier
Cisco TAC IDS Team

**Please check out our Podcast**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast