Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix C Troubleshooting
Troubleshooting the 4200 Series Appliance
Blocking Not Occurring for a Signature
If blocking is not occurring for a specific signature, check that the event action is set to block the host.
To make sure blocking is occurring for a specific signature, follow these steps:
Step 1 Log in to the CLI.
Step 2 Enter signature definition submode:
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)#
Step 3 Make sure the event action is set to block the host:
Note If you want to receive alerts, you must always add produce-alert any time you configure the event actions.
sensor(config-sig)# signatures 1300 0
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# event-action produce-alert|request-block-host
sensor(config-sig-sig-nor)# show settings
   normalizer
   -----------------------------------------------
      event-action: produce-alert|request-block-host default: produce-alert|deny-connection-inline
      edit-default-sigs-only
      -----------------------------------------------
         default-signatures-only
         -----------------------------------------------
            specify-service-ports
            -----------------------------------------------
               no
               -----------------------------------------------
               -----------------------------------------------
            -----------------------------------------------
            specify-tcp-max-mss
            -----------------------------------------------
               no
               -----------------------------------------------
               -----------------------------------------------
            -----------------------------------------------
            specify-tcp-min-mss
            -----------------------------------------------
               no
               -----------------------------------------------
               -----------------------------------------------
--MORE--
Step 4 Exit signature definition submode:
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 5 Press Enter to apply the changes or type no to discard them.
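The check in Step 3 can also be run offline against a saved CLI session. The following is an added example, not part of the Cisco guide: it parses a captured transcript and reports whether request-block-host and produce-alert are present in the configured event action. The function name audit_session and the sample transcript are assumptions made for illustration.

```python
import re

BLOCK_ACTION = "request-block-host"   # action this procedure verifies
ALERT_ACTION = "produce-alert"        # required if alerts are wanted (see the Note)

SIG_RE = re.compile(r"#\s*signatures\s+(\d+)\s+(\d+)\s*$", re.M)
ENGINE_RE = re.compile(r"#\s*engine\s+(\S+)\s*$", re.M)
ACTION_RE = re.compile(
    r"^[ \t]*event-action:[ \t]*(?P<current>\S*)[ \t]+default:[ \t]*(?P<default>\S*)[ \t]*$",
    re.M,
)

# Constructed transcript, modelled on the session shown on this page.
SAMPLE_SESSION = """\
sensor(config-sig)# signatures 1300 0
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# event-action produce-alert|request-block-host
sensor(config-sig-sig-nor)# show settings
   normalizer
   -----------------------------------------------
      event-action: produce-alert|request-block-host default: produce-alert|deny-connection-inline
      edit-default-sigs-only
"""

def _actions(field):
    """Split a pipe-separated event-action value into a set of action names."""
    return {a for a in field.split("|") if a}

def audit_session(transcript):
    """Return signature, engine, parsed actions and findings for one saved session."""
    action = ACTION_RE.search(transcript)
    if action is None:
        raise ValueError("no 'event-action:' line in the captured show settings output")
    sig = SIG_RE.search(transcript)
    engine = ENGINE_RE.search(transcript)
    current = _actions(action.group("current"))
    findings = []
    if BLOCK_ACTION not in current:
        findings.append(f"{BLOCK_ACTION} is not in event-action; no host block is requested")
    if ALERT_ACTION not in current:
        findings.append(f"{ALERT_ACTION} is not in event-action; no alert is produced")
    return {
        "signature": f"{sig.group(1)}/{sig.group(2)}" if sig else None,
        "engine": engine.group(1) if engine else None,
        "current": current,
        "default": _actions(action.group("default")),
        "findings": findings,
    }

if __name__ == "__main__":
    print(audit_session(SAMPLE_SESSION))
```

An empty findings list means the signature is configured as Step 3 requires; the parser reads only the `event-action:` line of the `show settings` output, not the command that was typed.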