Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Event action overides

Using a 4255 running 7.X code inline. I was looking at an event. The sig in question was to notify only but the action listed said the event was blocked. It appears the event action overide was doing that.

How does the event action overide work with a sig thats action isn't to block?

Is there a means to provide known excepts to enabled sigs. Coming from a different platform to the 4255 and learning the interface.

Craig

Craig

  • Intrusion Prevention Systems/IDS
1 REPLY
Cisco Employee

Re: Event action overides

There are 3 ways that an event action can be added to a signature.

1) The event action is configured on the signature itself.

Either the action is configured as a default action on the signature, or the user has added the action by tuning the signature.

2) Event Action Override is configured to add the event action.

Event Action Overrides are not signature specific. Instead they are checked against all events. If the Risk Rating of the event is within the Range for the override then the event action is added to the event. NOTE: If the event action was already added directly to the sig, then the event action won't add it again since it already is on the event. It only adds the action to events where the action was not already configured on the signature itself.

There is a default event action override for the DenyPacketInLine event action for events with a Risk Rating from 90-100.

Users can modify the default event-action-override or even disable it, and can add their own event-action-overrides.

3) An action can also be added by the Global-Correlation feature when the attacker address has a Negative Reputation. (only in version 7.0 and higher).

To remove or prevent an action for a signature you create Event action Filters.

You designate the sigId and what Event Actions you want to be removed for those events. It can remove actions no matter which method above added the action.

123
Views
0
Helpful
1
Replies