39-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Understanding IPS Event Actions
Table 39-1 IPS Event Actions

Menu Command: Deny Attacker Inline
Description: Terminates the current packet and future packets from this attacker address for a specified period of time.
  The IPS must be operating in inline mode.
  For Cisco IOS IPS devices, no connection can be established from the attacker to the router until the shun time expires.
  Tip: This is the most severe of the deny actions. It denies current and future packets from a single attacker address. For IPS appliances and service modules, you can use the IPS Device Manager to see a list of denied attackers and clear the list if necessary.

Menu Command: Deny Attacker/Service Pair Inline
Description: Does not transmit this packet and future packets on the attacker address/victim port pair for a specified period of time.
  The IPS must be operating in inline mode.

Menu Command: Deny Attacker/Victim Pair Inline
Description: Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.
  The IPS must be operating in inline mode.

Menu Command: Deny Connection Inline
Description: Terminates the current packet and future packets on this TCP flow. Other connections from the attacker can be established.
  The IPS must be operating in inline mode.

Menu Command: Deny Packet Inline
Description: Terminates the packet.
  The IPS must be operating in inline mode.
  For Cisco IOS IPS devices, this action discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with alarm.
  Tip: For IPS appliances and service modules, there is an event action override that adds this action to high risk events. You cannot delete the override. If you do not want to use it, disable the override. For more information, see Configuring Event Action Overrides, page 39-13.

Menu Command: Log Attacker Packets
Description: Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Menu Command: Log Pair Packets
Description: Starts IP logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Menu Command: Log Victim Packets
Description: Starts IP logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Menu Command: Modify Packet Inline
Description: Modifies packet data to remove ambiguity about what the endpoint might do with the packet.
  Tip: This option is not available for event action override or filter rules. It is available in signatures.
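The deny actions in Table 39-1 differ only in the scope of what an inline sensor stops forwarding and for how long. The following Python model, added here as an illustration and not code from Cisco Security Manager or any Cisco sensor, applies each deny action to the same constructed trigger packet and then checks which later packets would still be forwarded. The packet fields, the single shun time, and the use of a flow identifier in place of the TCP 4-tuple are assumptions made for the example.

```python
"""Toy model of the scope of the inline deny actions listed in Table 39-1."""
from dataclasses import dataclass


# Constructed: a minimal packet; flow_id stands in for the TCP 4-tuple.
@dataclass(frozen=True)
class Packet:
    src: str       # attacker address
    dst: str       # victim address
    dport: int     # victim port (the "service")
    flow_id: str   # identifies the TCP connection this packet belongs to


DENY_ATTACKER = "deny-attacker-inline"
DENY_ATTACKER_VICTIM = "deny-attacker-victim-pair-inline"
DENY_ATTACKER_SERVICE = "deny-attacker-service-pair-inline"
DENY_CONNECTION = "deny-connection-inline"
DENY_PACKET = "deny-packet-inline"
ALL_DENY_ACTIONS = (DENY_ATTACKER, DENY_ATTACKER_VICTIM,
                    DENY_ATTACKER_SERVICE, DENY_CONNECTION, DENY_PACKET)


class InlineDenyState:
    """Tracks what an inline sensor has been told to deny, and until when."""

    def __init__(self, shun_seconds: float = 3600.0):
        # Assumption: one shun time for every timed deny; real sensors configure it.
        self.shun_seconds = shun_seconds
        self._attackers = {}         # src -> expiry time
        self._attacker_victim = {}   # (src, dst) -> expiry time
        self._attacker_service = {}  # (src, dport) -> expiry time
        self._flows = set()          # flow_ids whose remaining packets are dropped

    def apply(self, action: str, pkt: Packet, now: float) -> bool:
        """Record the state `action` creates when triggered by `pkt`.

        Returns True because every deny action drops the triggering packet itself.
        """
        expiry = now + self.shun_seconds
        if action == DENY_ATTACKER:
            self._attackers[pkt.src] = expiry
        elif action == DENY_ATTACKER_VICTIM:
            self._attacker_victim[(pkt.src, pkt.dst)] = expiry
        elif action == DENY_ATTACKER_SERVICE:
            self._attacker_service[(pkt.src, pkt.dport)] = expiry
        elif action == DENY_CONNECTION:
            self._flows.add(pkt.flow_id)  # a flow ends on its own; no timer modelled
        elif action == DENY_PACKET:
            pass  # only the current packet is affected; nothing to remember
        else:
            raise ValueError(f"unknown action {action!r}")
        return True

    def forwards(self, pkt: Packet, now: float) -> bool:
        """Decide whether a later packet passes, honouring shun-time expiry."""
        def live(table, key):
            exp = table.get(key)
            if exp is None:
                return False
            if now >= exp:          # shun time elapsed: clear the entry
                del table[key]
                return False
            return True
        if live(self._attackers, pkt.src):
            return False
        if live(self._attacker_victim, (pkt.src, pkt.dst)):
            return False
        if live(self._attacker_service, (pkt.src, pkt.dport)):
            return False
        return pkt.flow_id not in self._flows

    def denied_attackers(self, now: float):
        """The list an operator would review before deciding to clear it."""
        return sorted(s for s, exp in self._attackers.items() if exp > now)

    def clear_denied_attackers(self) -> None:
        self._attackers.clear()


def compare_actions(now: float = 0.0):
    """Apply each deny action to one trigger packet; return the later packets
    (by label) that each action still lets through one second later."""
    trigger = Packet("10.0.0.5", "192.0.2.10", 80, "flowA")  # constructed
    later = {  # constructed follow-up traffic
        "same_flow": Packet("10.0.0.5", "192.0.2.10", 80, "flowA"),
        "new_flow_same_victim_port": Packet("10.0.0.5", "192.0.2.10", 80, "flowB"),
        "same_victim_other_port": Packet("10.0.0.5", "192.0.2.10", 443, "flowC"),
        "other_victim_same_port": Packet("10.0.0.5", "192.0.2.20", 80, "flowD"),
        "other_attacker": Packet("10.0.0.6", "192.0.2.10", 80, "flowE"),
    }
    result = {}
    for action in ALL_DENY_ACTIONS:
        state = InlineDenyState(shun_seconds=60)
        state.apply(action, trigger, now)
        result[action] = {n for n, p in later.items() if state.forwards(p, now + 1)}
    return result


if __name__ == "__main__":
    for action, passed in compare_actions().items():
        print(f"{action:36s} still forwards: {sorted(passed)}")
```

Reading the output top to bottom reproduces the table's ordering of severity: Deny Attacker Inline leaves only traffic from a different attacker address, the two pair actions leave traffic to a different victim or a different service, Deny Connection Inline leaves every other flow from the same attacker, and Deny Packet Inline leaves everything but the triggering packet. The `denied_attackers` and `clear_denied_attackers` methods stand in for the list-and-clear operation the Tip attributes to the IPS Device Manager.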