Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Event Action Filters
Related Topics
Understanding the IPS Event Action Process, page 39-1
Step 1 Do one of the following to open the Event Action Filters policy:
• (Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Event Action Filters, then select an existing policy or create a new one.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Event Actions > Event Action Filters, then select an existing policy or create a new one.

The table shows the existing filter rules organized into sections. The Local section is for rules defined specifically for a selected device (in Device view). For shared or inherited policies, there are also sections for mandatory and default rules. For more information about the contents of this policy, see Event Action Filters Page, page 39-7.

Step 2 Select the row after which you want to create the filter rule and click the Add Row button or right-click and select Add Row. This opens the Add Filter Item dialog box. For detailed information about the options in this dialog box, see Filter Item Dialog Box, page 39-9.

Tips
• If you do not select a row, the new rule is added at the end of the local scope.
• You can also select an existing row and edit either the entire row (by clicking the Edit Row button) or specific cells. To edit a specific cell, right-click the cell and select the Edit command related to the cell from the top of the context menu.
• You can delete a rule by selecting it and clicking the Delete Row button.
• You can export the entire list of filter rules to a comma-separated values (CSV) file. Click Export to File, navigate to an appropriate folder on the Security Manager server, change the file name if you do not like the default name, and click Save.

Step 3 Configure the filter rule. Following are the highlights of what you typically need to configure. For specific information on configuring the fields, and for information on fields not mentioned here, see Filter Item Dialog Box, page 39-9.
• Name—You must enter a name for the rule. Use a name that is meaningful to you.
• Signature, Subsignature ID—If the filter should apply to all signatures, use the default values. If you are targeting a specific signature, enter its signature and subsignature identifiers. You can obtain these values by finding the signature in the Signatures policy (see Signatures Page, page 38-4).
• Attacker and Victim Addresses and Ports—If the filter should apply no matter who is attacking, or who is the victim, use the default values. If you are creating a filter specific to an attacker or victim, update these fields to match the appropriate address and port.
• Risk Rating—You are most likely to want to change this value. The filter is applied to events that are within the minimum-maximum range you configure here. The default value, 0-100, will apply the filter rule to all events. If you configure a specific signature ID, the rating applies only to events for that signature (in which case the default risk rating might be acceptable).
  For example, you might want to target only high-risk events, such as 90-100.
• Actions to Subtract—Select the actions that you want to subtract from the event. Use Ctrl+click to select more than one action. If you select an action that is not actually assigned to an event, the filter rule essentially has no effect on the event. For more information about the actions, see Edit, Add, Replace Action Dialog Boxes, page 38-8.
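
The following is an added example, not part of the Cisco guide and not Cisco code: a simplified Python model of how the fields in Step 3 combine, useful for reasoning about which events a rule touches before you deploy it. The class and field names, the subnet-style address matching, the sample rule, and the sample events are assumptions made for illustration; port matching is omitted.

```python
# Added example: simplified model of one event action filter rule (not Cisco code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Event:
    sig_id: int
    subsig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: frozenset

@dataclass(frozen=True)
class FilterRule:
    name: str
    actions_to_subtract: frozenset
    sig_id: Optional[int] = None      # None models the default: all signatures
    subsig_id: Optional[int] = None
    attacker_net: str = "0.0.0.0/0"   # default: any attacker
    victim_net: str = "0.0.0.0/0"     # default: any victim
    rr_min: int = 0                   # default range 0-100 covers all events
    rr_max: int = 100

    def matches(self, ev: Event) -> bool:
        return ((self.sig_id is None or self.sig_id == ev.sig_id)
                and (self.subsig_id is None or self.subsig_id == ev.subsig_id)
                and ip_address(ev.attacker) in ip_network(self.attacker_net)
                and ip_address(ev.victim) in ip_network(self.victim_net)
                and self.rr_min <= ev.risk_rating <= self.rr_max)

    def apply(self, ev: Event) -> frozenset:
        """Return the actions that remain on the event after this rule."""
        if not self.matches(ev):
            return ev.actions
        # Subtracting an action the event never had leaves it unchanged.
        return ev.actions - self.actions_to_subtract

# Constructed rule: stop inline drops for high-risk events from one subnet.
RULE = FilterRule("scanner-no-inline-deny", frozenset({"Deny Packet Inline"}),
                  attacker_net="10.20.30.0/24", rr_min=90, rr_max=100)

def remaining(attacker: str, rr: int, *actions: str) -> set:
    # Constructed sample event; signature 1000/0 and the victim are placeholders.
    ev = Event(1000, 0, attacker, "192.0.2.10", rr, frozenset(actions))
    return set(RULE.apply(ev))
```

Calling remaining("10.20.30.5", 95, "Produce Alert", "Deny Packet Inline") leaves only "Produce Alert", while the same event with a risk rating of 60, or from an attacker outside the subnet, keeps both actions.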