Cisco Systems CL-28826-01 Security Camera User Manual


39-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Event Action Filters
Table 39-3 Filter Item Dialog Box (Continued)

Element: Actions to Subtract
Description: The actions that should be removed from the event, should the conditions of the event meet the criteria of the event action filter. You can select one or more actions in this list box. All selected actions are removed from the event. Use Ctrl+click to select multiple values. For more information about the possible actions, see Edit, Add, Replace Action Dialog Boxes, page 38-8.

For IOS IPS devices, the possible values are restricted to the following:

- Deny Attacker Inline blocks the attacker’s source IP address completely. No connection can be established from the attacker to the router until the shun time expires. You can configure this time in the Event Actions Settings policy as described in Configuring Settings for Event Actions, page 39-21.
- Deny Connection Inline blocks the appropriate TCP flow from the attacker. Other connections from the attacker can be established to the router.
- Deny Packet Inline discards the packet without sending a reset. Cisco recommends using “drop and reset” in conjunction with alarm.
- Produce Alert sends a notification about the attack through syslog or SDEE.
- Reset TCP Connection is effective for TCP-based connections and sends a reset to both the source and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections.

Element: % to Deny
Description: The percentage of packets to deny for deny attacker features. The range is 0 to 100. The default is 100 percent.

Note: For IOS IPS devices, this field is read only and cannot be edited.

Element: Stop on Match
Description: Whether to define this filter rule as a stop rule. This setting determines how the remaining rules in the event action filter rules table are processed:

- If you select this option, and an event meets the conditions of the rule, this rule is the final rule tested for the event. The actions identified by this rule are removed from the event, and the device moves on to perform all remaining actions assigned to the event.
- If you do not select this option, then events that meet the conditions of this filter rule are also compared to subsequent rules in the event actions filters table. Subsequent rules are tested until either all rules are tested, or the event matches a stop rule.
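The Stop on Match processing described in the table, as an added Python sketch that is not taken from the Cisco guide or from product code. The match conditions (signature ID and attacker network), the rule names, and all sample values are constructed for illustration; only the action names and the stop semantics come from the table.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FilterRule:
    name: str                  # hypothetical rule name
    signature_id: int          # assumed match condition (not defined on this page)
    attacker_net: str          # assumed match condition: attacker network in CIDR form
    actions_to_subtract: set   # "Actions to Subtract" for this rule
    stop_on_match: bool = False

    def matches(self, event):
        return (event["signature_id"] == self.signature_id and
                ipaddress.ip_address(event["attacker"])
                in ipaddress.ip_network(self.attacker_net))

def apply_filters(event, rules):
    """Return (actions still performed, names of the rules that matched)."""
    remaining = set(event["actions"])
    matched = []
    for rule in rules:                        # rules are tested in table order
        if not rule.matches(event):
            continue
        remaining -= rule.actions_to_subtract  # all selected actions are removed
        matched.append(rule.name)
        if rule.stop_on_match:                 # final rule tested for this event
            break
    return remaining, matched

# Constructed filter table: signature ID 60001 and the addresses are sample values.
RULES = [
    FilterRule("scanner", 60001, "192.0.2.10/32", {"Deny Attacker Inline"}),
    FilterRule("lab-stop", 60001, "192.0.2.0/24", {"Deny Connection Inline"},
               stop_on_match=True),
    FilterRule("catch-all", 60001, "0.0.0.0/0", {"Produce Alert"}),
]

def sample_event(attacker):
    # Constructed event carrying three of the actions listed in the table.
    return {"signature_id": 60001, "attacker": attacker,
            "actions": {"Deny Attacker Inline", "Deny Connection Inline",
                        "Produce Alert"}}

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.55", "198.51.100.7"):
        left, hit = apply_filters(sample_event(addr), RULES)
        print(addr, "matched", hit, "still performs", sorted(left))
```

In this sample table the stop rule keeps lab traffic from reaching the broad catch-all rule, so Produce Alert survives for lab sources while the outside source loses it; reordering the rules or clearing the stop flag changes which alerts are still generated.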