Cisco Support Community
New Member

Actions Occurring That Are Not Assigned

I noticed this morning that a custom signature I created triggered and an action that I didn't assign to it occurred. I set the severity to medium and the actions of the signature to alarm and deny packet inline but "denied flow" also shows as an action taken in the alert message. I have two event action overrides, but they are set to add produce alert (medium) and produce alert and deny packet inline (high). I tried rebooting the sensor and then triggered the alert and it did the same thing.

It's not a major issue, but I do find it kind of odd. Any ideas?

The IPS is an ASA-SSM-20 running 7.0(4)E4.

Accepted Solutions
Cisco Employee

Re: Actions Occurring That Are Not Assigned

Hi,

The action taken by the sensor for a TCP-based signature with 'deny packet inline' action will be "upgraded" automatically to 'deny connection inline'.  This is by design of the software.


Regards,
Chris

3 REPLIES
Cisco Employee

Re: Actions Occurring That Are Not Assigned

Hi,

That's weird. Can you paste the details of the custom signature you have created?

Regards,

Prapanch

New Member

Re: Actions Occurring That Are Not Assigned

Here you go:

signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name MS10-046
sig-string-info .pif or .lnk file extension matching
sig-comment http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
exit
engine service-http
event-action produce-alert|deny-packet-inline
regex
specify-uri-regex yes
uri-regex \.([Ll][Nn][Kk]|[Pp][Ii][Ff])
exit
exit
service-ports 80,8080
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode fire-once
exit
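
The upgrade described in the accepted solution can be checked against a sensor configuration before alerts start showing actions nobody assigned. The following is an added example, not part of the thread and not Cisco code: it scans signature definitions in the flat format posted above and reports which ones will also show a connection-level deny. The `TCP_ENGINES` set and the second sample signature (60001) are assumptions made for illustration.

```python
import re

# Assumption: engines treated as TCP-based for this check; extend as needed.
TCP_ENGINES = {"service-http", "string-tcp"}

# Signature 60000 is trimmed from the post above; 60001 is constructed.
SAMPLE_CONFIG = """\
signatures 60000 0
alert-severity medium
engine service-http
event-action produce-alert|deny-packet-inline
service-ports 80,8080
exit
signatures 60001 0
alert-severity medium
engine string-udp
event-action produce-alert|deny-packet-inline
exit
"""

def parse_signatures(text):
    """Map (sig-id, subsig-id) -> engine name and configured event actions."""
    sigs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"signatures (\d+) (\d+)", line)
        if m:
            cur = sigs.setdefault((int(m[1]), int(m[2])), {"engine": None, "actions": []})
        elif cur is not None and line.startswith("engine "):
            cur["engine"] = line.split()[1]
        elif cur is not None and line.startswith("event-action "):
            cur["actions"] = line.split(None, 1)[1].split("|")
    return sigs

def unassigned_actions(sig):
    """Actions to expect in alerts that the signature does not list itself."""
    if (sig["engine"] in TCP_ENGINES
            and "deny-packet-inline" in sig["actions"]
            and "deny-connection-inline" not in sig["actions"]):
        return ["deny-connection-inline"]
    return []

def audit(text):
    """Return {sig key: extra actions} for signatures affected by the upgrade."""
    found = {k: unassigned_actions(s) for k, s in parse_signatures(text).items()}
    return {k: v for k, v in found.items() if v}

if __name__ == "__main__":
    for (sid, sub), extra in audit(SAMPLE_CONFIG).items():
        print(f"signature {sid}/{sub}: alerts will also show {', '.join(extra)}")
```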
