Filter
Top Products
39-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Event Action Filters
• Stop on Match—Whether to define this filter rule as a stop rule. This setting determines how the
remaining rules in the event action filter rules table are processed:
–
If you select this option, and an event meets the conditions of the rule, this rule is the final rule
tested for the event. The actions identified by this rule are removed from the event, and the
device moves on to perform all remaining actions assigned to the event.
–
If you do not select this option, then events that meet the conditions of this filter rule are also
compared to subsequent rules in the event actions filters table. Subsequent rules are tested until
either all rules are tested, or the event matches a stop rule.
Click OK when you are finished defining your filter rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. Ensure that stop rules are placed after other rules that
you want applied prior to the stop.
Tips for Managing Event Action Filter Rules
Following are some tips that might help you effectively manage your event action filter rules:
• Disabled rules are shown with hash marks covering the table row. To change the enabled/disabled
status of a rule, right click the rule and select Enable or Disable as appropriate. You can also change
the status when editing the rule.
Disabling a rule is useful if you want to stop using the rule, but you might want to start using it again
in the future. Disabled rules remain in the table so that you do not need to recreate them.
• For existing rules, you can edit most of the fields directly from the event actions filter rules table by
right-clicking the cell and selecting the appropriate Edit command from the top portion of the
context menu. For example, you can right click the Attacker Ports cell and select Edit Attacker
Ports.
Many of these right-click commands open a version of the Edit Filter Item dialog box that contains
only the selected property. Other commands simply change a value, or open a sub-menu from which
you can select a value to add or remove. For example, right-clicking the Action cell provides four
commands:
–
Add to Actions—Select from a list of actions to add to those already defined in the rule.
–
Delete from Actions—Select from a list of actions defined in the rule to remove from the rule.
–
Replace Actions With—Select from a list the action that you want to completely replace those
defined in the rule.
–
Edit Actions—Opens a dialog box where you can select all actions for the rule. Your selection
replaces the cell contents.
• Although filter rules are configured as an ordered list, the rules are not processed as a “first match
wins” list, even through they are processed and applied top to bottom. Instead, each rule has a Stop
property: the rule is either a stop rule or it is not a stop rule. Processing ends only if an event matches
a stop rule. If an event matches a non-stop rule, the event is compared to subsequent filter rules.
Thus, more than one filter rule can apply to an event. If you decide to create stop rules, ensure that
you place them below all other rules that you want processed for an event.
If you define no stop rules, each event is compared to all filter rules, and all matching rules are
applied to the event in top-to-bottom order.