6-10
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 6 Configuring Event Action Rules
Event Action Filters
Note: When filtering sweep signatures, we recommend that you do not filter the destination addresses. If there are multiple destination addresses, only the last address is used for matching the filter.
Caution: Event action filters based on source and destination IP addresses do not function for the Sweep engine, because they do not filter as regular signatures. To filter source and destination IP addresses in sweep alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.
Configuring Event Action Filters
You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters. For the procedure for configuring event action variables, see Configuring Event Action Variables, page 6-5.
Note: You must preface the variable with a dollar sign ($) to indicate that you are using a variable rather than a string. Otherwise, you receive the "Bad source and destination" error.
Use the filters [edit | insert | move] name1 [begin | end | inactive | before | after] command in service event action rules submode to set up event action filters.
To configure event action filters, follow these steps:

Step 1   Log in to the CLI using an account with administrator privileges.

Step 2   Enter event action rules submode:

         sensor# configure terminal
         sensor(config)# service event-action-rules rules0

Step 3   Create the filter name:

         sensor(config-rul)# filters insert name1 begin

         Use name1, name2, and so forth to name your event action filters. Use the begin | end | inactive | before | after keywords to specify where you want to insert the filter.

Step 4   Configure the values for this filter:

         a. Set the signature ID range:

            sensor(config-rul-fil)# signature-id-range 1000-1005

            The default is 900 to 65535.

         b. Set the subsignature ID range:

            sensor(config-rul-fil)# subsignature-id-range 1-5

            The default is 0 to 255.

         c. Set the attacker address range:

            sensor(config-rul-fil)# attacker-address-range 10.89.10.10-10.89.10.23

            The default is 0.0.0.0 to 255.255.255.255.
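As an added example that is not part of the Cisco guide, the following Python model takes the three Step 4 fields and the dollar-sign rule from the Note above, applies the documented defaults for unset fields, and reports whether a constructed alert would fall inside the filter. The variable named LAB_HOSTS, its contents, and the matching semantics (every range must contain the alert's value) are assumptions made for this illustration, not sensor behaviour taken from the page.

```python
import ipaddress

# Event action variables group addresses for reuse in filters (see page 6-5 of the guide).
# This variable and its contents are constructed for the example.
VARIABLES = {"LAB_HOSTS": "10.89.10.10-10.89.10.23"}

# Documented defaults for the three ranges set in Step 4.
DEFAULT_SIG = (900, 65535)
DEFAULT_SUBSIG = (0, 255)
DEFAULT_ATTACKER = "0.0.0.0-255.255.255.255"


def parse_num_range(text, default):
    """'1000-1005' -> (1000, 1005); an unset field keeps the documented default."""
    if text is None:
        return default
    lo, hi = (int(part) for part in text.split("-"))
    return (lo, hi)


def parse_addr_range(text):
    """Resolve '$NAME' through VARIABLES, then parse 'a.b.c.d-e.f.g.h'.
    A bare variable name (no $) is not an address, so it is rejected the
    way the sensor rejects it: with the 'Bad source and destination' error."""
    if text is None:
        text = DEFAULT_ATTACKER
    if text.startswith("$"):
        text = VARIABLES[text[1:]]
    try:
        lo, hi = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    except ValueError:
        raise ValueError("Bad source and destination") from None
    return (lo, hi)


class EventActionFilter:
    """One filter entry carrying the three Step 4 fields."""

    def __init__(self, sig=None, subsig=None, attacker=None):
        self.signature_id_range = parse_num_range(sig, DEFAULT_SIG)
        self.subsignature_id_range = parse_num_range(subsig, DEFAULT_SUBSIG)
        self.attacker_address_range = parse_addr_range(attacker)

    def matches(self, sig_id, subsig_id, attacker_ip):
        """Assumed semantics: the alert must fall inside every configured range."""
        sig_lo, sig_hi = self.signature_id_range
        sub_lo, sub_hi = self.subsignature_id_range
        ip_lo, ip_hi = self.attacker_address_range
        ip = ipaddress.IPv4Address(attacker_ip)
        return sig_lo <= sig_id <= sig_hi and sub_lo <= subsig_id <= sub_hi and ip_lo <= ip <= ip_hi
```

Checking a planned filter this way before entering it on the sensor shows which alerts it would suppress, including any that the default 900 to 65535 signature range would sweep in unintentionally.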