27-31
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter27 Cisco IOS IPS
Edit IPS
Discard Changes
If you want to clear information that you have entered in the Event Action
Overrides window but have not sent to the router, click Discard Changes. The
Discard Changes button is disabled when there are no changes made that are
awaiting delivery to the router.
Add or Edit an Event Action Override
To add an event action override, choose the event action, enable or disable it, and
specify the RR range. If you are editing, you cannot change the event action.

Event Action

Choose one of the following event actions:
Deny Attacker InlineDoes not transmit this packet and future packets from
the attacker address for a specified period of time (inline only).
Deny Connection InlineDoes not transmit this packet and future packets on
the TCP Flow (inline only)
Deny Packet InlineDoes not transmit this packet.
Produce AlertWrites an <evIdsAlert> to the log.
Reset TCP ConnectionSends TCP resets to hijack and terminate the TCP
flow.

Enabled

Click Yes to enable the event action override, or No to disable it. You can also
enable and disable event action overrides in the Event Action Override window.

Risk Rating

Enter the lower bound of the RR range in the Min box, and the uppe r bound of the
range in the Max box. When the RR value of an event falls within the range that
you specify, Cisco IOS IPS adds the override specified by the Event Action. For
example, if Deny Connection Inline is assigned a RR range o f 90-100, and an
event with an RR of 95 occurs, Cisco IOS IPS responds by denying the connection
inline.