Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How to change default action "alarm" for all signatures ?

My question belongs to a Cisco 1712 (128 MB, IOS 12.3T, SDM 2.5 installed):

I'm trying to change the default action "alarm" to "alarm,reset,drop" for all signatures of my custom set.

However doing so via SDM fails. First, it appears as being done correctly, but after compiling the signatures again, the default values are back there (in the same sense, I was unable to delete signatures, works just using the CLI).

I followed the instructions at cisco.com:

router(config)#ip ips signature-definition

router(config-sigdef)#signature 6130 10

router(config-sigdef-sig)#engine

router(config-sigdef-sig-engine)#event-action produce-alert

router(config-sigdef-sig-engine)#event-action deny-packet-inline

router(config-sigdef-sig-engine)#event-action reset-tcp-connection

router(config-sigdef-sig-engine)#exit

However ip ips signature-definition is not understood by the router, so the procedure fails.

Can you please assist me ?

2 REPLIES
Bronze

Re: How to change default action "alarm" for all signatures ?

You can use IOS command-line interface (CLI) to change signature actions for one signature or a group of signatures based on signature categories. The following example shows how to change signature action to alert, drop and reset for signature 6130 with subsig ID of 10.

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#ip ips signature-definition

router(config-sigdef)#signature 6130 10

router(config-sigdef-sig)#engine

router(config-sigdef-sig-engine)#event-action produce-alert

router(config-sigdef-sig-engine)#event-action deny-packet-inline

router(config-sigdef-sig-engine)#event-action reset-tcp-connection

router(config-sigdef-sig-engine)#exit

router(config-sigdef-sig)#exit

router(config-sigdef)#exit

Do you want to accept these changes? [confirm]y

router(config)#

New Member

Re: How to change default action "alarm" for all signatures ?

Hi vmoopeung, I really appreciate your help.

But what you describe is exactly the problem I'm facing with. The procedure doesn't work on IOS 12.3T, it requires (if I correctly remember) 12.4. at least.

149
Views
0
Helpful
2
Replies