Cisco Support Community


Filtering Summary Events?

Does anyone know if it is possible to create an event action filter (IPS v5.1.5) that will also suppress summary events? I have a few signatures that I'm filtering, but still regularly see a ridiculously high number of summary events being reported.

If it helps, these tend to be for lower severity traffic that we expect to see to/from certain hosts on our network, but we want to alert on if the traffic starts appearing to/from unexpected hosts.




Re: Filtering Summary Events?

Complete these steps in order to add, edit, delete, enable, disable, and move event action filters:

Log in to IDM with an account that has administrator or operator privileges.

Choose Configuration > Policies > Event Action Rules > rules0 > Event Action Filters if the software version is 6.x. For the software version 5.x, choose Configuration > Event Action Rules > Event Action Filters.


Re: Filtering Summary Events?

Look closely at the summary alarms, in particular the source and destination IP addresses... they are often different than the original alarms that you built the filter on. In particular, the victim address is often You'll need to modify the filter (or create a new one) to deal with the specifics of the actual summary alarms.

I'm on V6, but I recall the same behavior in V5.


Re: Filtering Summary Events?

This is info that I have been given in the past, via this forum. It outlines a particular methodology for tuning a given signature. as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial alert with full source & target info, and then a follow-on summary event (usually for a 30 second window by default) with a count of how often the source address triggered an event. Since the target could be different in the summary, it display it

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent as a target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary

However, in practice, we see summary alerts firing, in accompaniment to initial alerts, where the attacker (source) is the same. Typically, these can be closed, but if they fire in large numbers or in isolation, then you need to do some tweaking?
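The mismatch the replies describe, shown as an added illustration that is neither from this thread nor Cisco IPS code: a filter keyed on attacker and victim address ranges strips the original alerts but not the summary alert whose victim address differs, while a filter that matches any victim for that attacker still lets an unexpected attacker alert. Signature ID 2004, the addresses, and the victim value in the summary alert are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Alert:
    sig_id: int
    attacker: str
    victim: str
    summary: bool = False  # True for a regular/global summary alert
    actions: set = field(default_factory=lambda: {"produce-alert"})


@dataclass
class EventActionFilter:
    """Minimal model of an event action filter: when every criterion
    matches, the listed actions are subtracted from the alert."""
    sig_id: int
    attacker_net: str
    victim_net: str
    subtract: frozenset = frozenset({"produce-alert"})

    def matches(self, a: Alert) -> bool:
        return (a.sig_id == self.sig_id
                and ip_address(a.attacker) in ip_network(self.attacker_net)
                and ip_address(a.victim) in ip_network(self.victim_net))


def apply_filters(alerts, filters):
    """Return the alerts that still carry produce-alert after filtering."""
    survivors = []
    for a in alerts:
        remaining = set(a.actions)
        for f in filters:
            if f.matches(a):
                remaining -= f.subtract
        if "produce-alert" in remaining:
            survivors.append(a)
    return survivors


# Constructed sample: expected host 10.1.1.5 talking to the 10.2.2.0/24 servers.
ALERTS = [
    Alert(2004, "10.1.1.5", "10.2.2.10"),
    Alert(2004, "10.1.1.5", "10.2.2.11"),
    # Summary alert for the same attacker; its victim field is a constructed
    # value that is not one of the servers, so a victim-specific filter misses it.
    Alert(2004, "10.1.1.5", "192.0.2.1", summary=True),
    # An unexpected attacker: this one must keep alerting.
    Alert(2004, "10.9.9.9", "10.2.2.10"),
]
NARROW = EventActionFilter(2004, "10.1.1.5/32", "10.2.2.0/24")  # misses the summary
BROAD = EventActionFilter(2004, "10.1.1.5/32", "0.0.0.0/0")     # any victim, same attacker
```

Run `apply_filters(ALERTS, [NARROW])` and `apply_filters(ALERTS, [BROAD])` to compare which alerts survive each filter.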