6-8
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 6 Configuring Event Action Rules
Event Action Overrides
example, if you want any event with an RR of 85 or more to generate an SNMP trap, you can set the RR range for Request SNMP Trap to 85-100. If you do not want to use action overrides, you can disable the entire event action override component.
Configuring Event Action Overrides
Use the overrides [request-block-connection | request-block-host | deny-attacker-inline | deny-packet-inline | deny-connection-inline | log-attacker-packets | log-victim-packets | log-pair-packets | reset-tcp-connection | produce-alert | produce-verbose-alert | request-snmp-trap] command in service event action rules submode to configure the parameters of event action overrides.
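The RR-range behaviour described above (an override adds its action to every event whose risk rating falls inside the configured range, and a disabled override component adds nothing) can be modelled in a few lines. The following Python is an added example written for this page; it is not Cisco code and not the sensor's implementation. The class and function names (Override, OverridePolicy, example_policy) are assumptions, overrides are modelled as purely additive to the signature's own actions, and the sample policy (SNMP trap at 85-100, which is the page's own example, plus an inline deny of the attacker at 90-100) is constructed for illustration.

```python
from dataclasses import dataclass, field

# Action names exactly as they appear in the `overrides` command on this page.
OVERRIDE_ACTIONS = frozenset({
    "request-block-connection", "request-block-host",
    "deny-attacker-inline", "deny-packet-inline", "deny-connection-inline",
    "log-attacker-packets", "log-victim-packets", "log-pair-packets",
    "reset-tcp-connection", "produce-alert", "produce-verbose-alert",
    "request-snmp-trap",
})


@dataclass
class Override:
    """One override entry (hypothetical model, not a Cisco data structure):
    add `action` when the event's RR lies in [rr_min, rr_max].
    The default range is 0 to 100, as the page's note states."""
    action: str
    rr_min: int = 0
    rr_max: int = 100
    enabled: bool = True

    def __post_init__(self) -> None:
        # Reject typos in action names and impossible ranges up front.
        if self.action not in OVERRIDE_ACTIONS:
            raise ValueError(f"unknown override action: {self.action!r}")
        if not 0 <= self.rr_min <= self.rr_max <= 100:
            raise ValueError("RR range must satisfy 0 <= min <= max <= 100")

    def matches(self, rr: int) -> bool:
        # Inclusive on both ends: a range of 85-100 fires at RR 85.
        return self.enabled and self.rr_min <= rr <= self.rr_max


@dataclass
class OverridePolicy:
    """Model of the event action override component (hypothetical name).
    `component_enabled=False` models disabling the whole component."""
    overrides: list = field(default_factory=list)
    component_enabled: bool = True

    def apply(self, rr: int, signature_actions: set) -> set:
        """Return the final action set for an event with risk rating `rr`.

        Overrides are modelled as additive (an assumption of this example):
        they never remove an action the signature already requested, they
        only add their own action when the RR falls in range.
        """
        actions = set(signature_actions)
        if not self.component_enabled:
            return actions
        for ov in self.overrides:
            if ov.matches(rr):
                actions.add(ov.action)
        return actions


def example_policy() -> OverridePolicy:
    """Constructed sample policy: SNMP trap for RR 85-100 (the page's own
    example) plus an inline deny of the attacker for RR 90-100."""
    return OverridePolicy(overrides=[
        Override("request-snmp-trap", 85, 100),
        Override("deny-attacker-inline", 90, 100),
    ])


if __name__ == "__main__":
    policy = example_policy()
    # A signature that only produces an alert, seen at three risk ratings.
    for rr in (60, 85, 95):
        print(rr, sorted(policy.apply(rr, {"produce-alert"})))
    policy.component_enabled = False
    print("component disabled:", sorted(policy.apply(95, {"produce-alert"})))
```

Running it shows the three cases the text describes: at RR 60 the signature's own action is all that fires, at RR 85 the SNMP trap is added, at RR 95 the inline deny is added as well, and with the component disabled every RR yields only the signature's action. The range check in `__post_init__` is the kind of validation worth mirroring in a change-control script that pushes override settings to a sensor, since a range typed as 100-85 would silently never match.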
To add event action overrides, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode:
sensor# configure terminal
sensor(config)# service event-action-rules rules0
Step 3 To configure how packets are treated for overrides:
Note The default RR range is 0 to 100. Set it to a different value, such as 85 to 100.
a. To deny packets from the source IP address of the attacker:
sensor(config-rul)# overrides deny-attacker-inline
b. To not transmit the single packet causing the alert:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides deny-packet-inline
c. To not transmit packets on the specified TCP connection:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides deny-connection-inline
d. To send TCP RST packets to terminate the connection:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides reset-tcp-connection
Step 4 To configure overrides to request blocks:
a. To request a block of the connection:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides request-block-connection
b. To request a block of the attacker host:
sensor(config-rul-ove)# exit
sensor(config-rul)# overrides request-block-host