Cisco Systems CL-28826-01 Security Camera User Manual


  Open as PDF
of 2616
 
CHAPTER
39-1
User Guide for Cisco Security Manager 4.4
OL-28826-01
39
Configuring Event Action Rules
An IPS event is an IPS message that contains an alert, a block request, a status message, or an error
message. An event action is the sensor’s response to an event. An event action happens only if the event
is not filtered. Possible event actions are TCP reset, block host, block connection, IP logging, and
capturing the alert trigger packet. Event actions were known as alarms in Cisco IPS versions earlier than
5.x.
The IPS Event Actions folder is where you configure settings for the event action processing component
of the sensor. These settings define the actions for the sensor to take when an event is detected.
Note You cannot use IPv6 addresses in Event Action policies in Security Manager. For more information on
IPv6 support in Security Manager, see IPv6 Support in Security Manager, page 1-7.
This chapter contains the following topics:
Understanding the IPS Event Action Process, page 39-1
Understanding IPS Event Actions, page 39-2
Configuring Event Action Filters, page 39-4
Configuring Event Action Overrides, page 39-13
Configuring IPS Event Action Network Information, page 39-14
Configuring Settings for Event Actions, page 39-21
Understanding the IPS Event Action Process
The IPS event action rules dictate the actions that the sensor performs when an event occurs. Although
each signature is configured with specific actions that should be taken, the actual actions performed also
depend on other factors.
Following is the general process that occurs when inspection identifies a signature event:
1. A signature alert occurs with actions specified by the signature. A risk rating for the alert is
calculated.
For a detailed explanation of how risk rating is calculated, see Calculating the Risk Rating in
Installing and Using Cisco Intrusion Prevention System Device Manager 7.0 on Cisco.com.
You can influence risk ratings by configuring target value ratings and OS mappings; see Configuring
IPS Event Action Network Information, page 39-14.