New Member

Modify action from "ZERO" to "Shunhost"

Hello,

I can't modify the action for some alarms from "ZERO" to "Shunhost", e.g. alarm 3216 (www directory traversal ../..).

I tried with alarm 3215 (iis dot dot execute bug) and it's OK.

I don't understand why.

Could someone help me please?

Regards

Eric

Cisco Employee

Re: Modify action from "ZERO" to "Shunhost"

What method are you using to try to modify the actions (IDM, CLI, MC)? What version are you running on the sensor (3.1(4), 4.0, 4.1)?

New Member

Re: Modify action from "ZERO" to "Shunhost"

Sorry, I forgot some information.

I use "IDS Device Manager, Version 4.1(1)S50".

I don't know how to do it with the CLI.

Cisco Employee

Re: Modify action from "ZERO" to "Shunhost"

I tried this on my sensor using IDM and it worked fine. Try it with the cli:

1. Log in as cisco

2. conf t

3. service virtual-sensor-configuration virtualSensor

4. tune

5. service.http

6. sig sig 3216 sub 0

7. eventaction (whatever you want shunhost for example)

8. exit back out until you get to the "save changes" prompt. Enter yes.

9. Wait until you get the prompt back

You should be back at the "config" prompt. You will still need to wait for sensorapp to finish starting. You can keep trying the "int group 0" command until it stops reporting an error. Then you know it is up. Then just exit back out.

Check it again with IDM. See if it shows the proper action for sig 3216.

New Member

Re: Modify action from "ZERO" to "Shunhost"

thanks

it works...

regards

New Member

Re: Modify action from "ZERO" to "Shunhost"

Hi,

I would like to change the event action from anything to reset AND shunhost with the CLI.

How can I do this?

Regards

Eric

Cisco Employee

Re: Modify action from "ZERO" to "Shunhost"

Place a "|" between the 2 actions.

For example:

EventAction reset|shunhost

NOTE: No spaces between the actions and the "|".
