User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
2. The Event Action Overrides policy is processed. If the risk rating of the event matches an override
rule, the actions identified in the override rule are added to the actions defined in the signature. The
overrides do not replace the actions specified in the signature.
For information on configuring overrides, see Configuring Event Action Overrides, page 39-13.
3. The Event Action Filters policy is processed. If rules apply to the event, the rules subtract actions
from the event. Thus, an action you added in a signature policy or override rule might be removed
by one of your filter rules.
For information on creating filter rules, see Configuring Event Action Filters, page 39-4.
4. Event summarization occurs, unless you turn off the summarization feature as described in
Configuring Settings for Event Actions, page 39-21.
5. The actions are performed. For an explanation of possible actions, see Edit, Add, Replace Action
Dialog Boxes, page 38-8.
6. A list of denied attackers is maintained, and subsequent access prevented, based on configurable
settings. To change the default settings, see Configuring Settings for Event Actions, page 39-21.
Understanding IPS Event Actions
When you configure an event action filter or override, or a signature, you specify an action for events
that meet the rule. For signatures and overrides, you are specifying an action to add to the event; for
filters, you are specifying an action to remove from the event.
The most common action is Produce Alert, which generates an alert that you can view in your network
management system, such as the Security Manager Event Viewer or CS MARS. However, there are a
wide variety of actions that you can assign to an event. When looking over the possible actions, keep the
following in mind:
• Many actions produce alerts in addition to the other action performed. The description for each
action explains whether an alert is also produced.
• Cisco IOS IPS supports fewer actions in event action override or filter rules. The actions supported
are Deny Attacker Inline, Deny Connection Inline, Deny Packet Inline, Produce Alert, and Reset
TCP Connection.
• Not all actions are necessarily available on all combinations of IPS software version and device type.
Whenever you need to select an action, only those actions that are valid are available for selection.
• For deny and block actions, use the event actions settings policy to set the period of time for which
addresses or packets are denied. For more information, see Configuring Settings for Event Actions,
page 39-21.
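As an added illustration (this is not Security Manager or sensor code), the following Python model runs the processing order described above on a constructed event: the signature's own actions, plus the actions of any override rule whose risk rating range matches, minus the actions of any matching filter rule, followed by the denied-attackers list from step 6. It also enforces the Cisco IOS IPS caveat above by rejecting override or filter actions outside the listed subset. The rule fields (risk rating range, signature IDs, attacker addresses), the 0-100 risk rating range, the deny period in seconds, signature ID 1000 and the IP addresses are assumptions or constructed sample data, not values from the guide.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Actions the guide lists as valid in Cisco IOS IPS override/filter rules.
IOS_IPS_RULE_ACTIONS = frozenset({
    "Deny Attacker Inline", "Deny Connection Inline", "Deny Packet Inline",
    "Produce Alert", "Reset TCP Connection",
})


@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    risk_rating: int                 # 0-100 range is assumed here
    sig_actions: FrozenSet[str]      # actions configured on the signature


@dataclass(frozen=True)
class OverrideRule:
    """Matches on risk rating and ADDS actions (simplified, assumed fields)."""
    min_rr: int
    max_rr: int
    actions: FrozenSet[str]


@dataclass(frozen=True)
class FilterRule:
    """Matches on risk rating plus optional signature/attacker and SUBTRACTS actions."""
    min_rr: int
    max_rr: int
    actions_to_subtract: FrozenSet[str]
    sig_ids: Optional[FrozenSet[int]] = None      # None means any signature
    attackers: Optional[FrozenSet[str]] = None    # None means any attacker


def validate_rule_actions(actions: Iterable[str], ios_ips: bool) -> None:
    """Reject actions that a Cisco IOS IPS override/filter rule cannot use."""
    bad = set(actions) - IOS_IPS_RULE_ACTIONS if ios_ips else set()
    if bad:
        raise ValueError(f"unsupported on Cisco IOS IPS: {sorted(bad)}")


def apply_overrides(event: Event, overrides: Iterable[OverrideRule]) -> Set[str]:
    actions = set(event.sig_actions)
    for rule in overrides:
        if rule.min_rr <= event.risk_rating <= rule.max_rr:
            actions |= rule.actions          # overrides add; they never replace
    return actions


def apply_filters(event: Event, actions: Set[str], filters: Iterable[FilterRule]) -> Set[str]:
    remaining = set(actions)
    for rule in filters:
        if not (rule.min_rr <= event.risk_rating <= rule.max_rr):
            continue
        if rule.sig_ids is not None and event.sig_id not in rule.sig_ids:
            continue
        if rule.attackers is not None and event.attacker not in rule.attackers:
            continue
        remaining -= rule.actions_to_subtract   # filters subtract, even override-added actions
    return remaining


def final_actions(event, overrides, filters, ios_ips=False) -> Set[str]:
    for rule in overrides:
        validate_rule_actions(rule.actions, ios_ips)
    for rule in filters:
        validate_rule_actions(rule.actions_to_subtract, ios_ips)
    return apply_filters(event, apply_overrides(event, overrides), filters)


class DeniedAttackers:
    """Step 6: remember denied attackers for a configurable period (seconds, assumed)."""
    def __init__(self, deny_period: int):
        self.deny_period = deny_period
        self._expires: Dict[str, int] = {}

    def record(self, event: Event, actions: Set[str], now: int) -> None:
        if "Deny Attacker Inline" in actions:
            self._expires[event.attacker] = now + self.deny_period

    def is_denied(self, attacker: str, now: int) -> bool:
        return self._expires.get(attacker, -1) > now


# Constructed sample policy: alert-only signature, high-risk override, one filter
# that exempts a known internal scanner from the attacker-level deny.
SIG_ACTIONS = frozenset({"Produce Alert"})
OVERRIDES = [OverrideRule(90, 100, frozenset({"Deny Attacker Inline", "Deny Packet Inline"}))]
FILTERS = [FilterRule(0, 100, frozenset({"Deny Attacker Inline"}),
                      sig_ids=frozenset({1000}), attackers=frozenset({"10.0.0.5"}))]


def demo() -> Dict[str, object]:
    events = {"scanner": Event(1000, "10.0.0.5", 95, SIG_ACTIONS),
              "outsider": Event(1000, "192.0.2.7", 95, SIG_ACTIONS),
              "low": Event(1000, "192.0.2.7", 40, SIG_ACTIONS)}
    denied = DeniedAttackers(deny_period=3600)
    results: Dict[str, object] = {}
    for name, ev in events.items():
        acts = final_actions(ev, OVERRIDES, FILTERS)
        denied.record(ev, acts, now=0)
        results[name] = acts
    results["outsider_denied_at_60s"] = denied.is_denied("192.0.2.7", 60)
    results["outsider_denied_at_3601s"] = denied.is_denied("192.0.2.7", 3601)
    results["scanner_denied"] = denied.is_denied("10.0.0.5", 60)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the run is the one the guide makes: the override adds Deny Attacker Inline to every risk-95 event, but the filter strips it again only for the exempted scanner, so the scanner is never placed on the denied-attackers list while the outside host stays denied until the deny period lapses.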
The following table explains the possible actions.