39-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Event Action Filters
Table 39-1 IPS Event Actions (Continued)

Menu Command: Produce Alert
Description: Writes the event to the Event Store as an alert. For Cisco IOS IPS devices, the notification is sent through syslog or SDEE.
Note: A Produce Alert event action is added for an event when global correlation has increased the risk rating of the event and has added either the Deny Packet Inline or Deny Attacker Inline event action.

Menu Command: Produce Verbose Alert
Description: Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Menu Command: Request Block Connection
Description: Sends a request to block this connection. You must have blocking devices configured to implement this action. For more information, see Configuring IPS Blocking and Rate Limiting, page 42-7.

Menu Command: Request Block Host
Description: Sends a request to block this attacker host. You must have blocking devices configured to implement this action.

Menu Command: Request Rate Limit
Description: Sends a rate limit request to perform rate limiting. You must have rate limiting devices configured to implement this action.

Menu Command: Request SNMP Trap
Description: Requests that the sensor send an SNMP trap notification to the configured trap destinations. This action causes an alert to be written even if Produce Alert is not selected. You must have SNMP configured on the sensor for traps to actually be sent. For more information, see Configuring SNMP, page 35-8.

Menu Command: Reset TCP Connection
Description: Sends TCP resets to hijack and terminate the TCP flow, sending a reset to both the source and destination addresses. Reset TCP Connection works only on TCP signatures that analyze a single connection, for example, half-open SYN attacks. It does not work for sweeps or floods.

Related Topics

Configuring Event Action Filters, page 39-4
Configuring Event Action Overrides, page 39-13
Configuring Signatures, page 38-4

Configuring Event Action Filters

You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.

Filters let the sensor perform certain actions in response to the event without requiring it to perform all actions or to remove the entire event. Filters work by removing actions from an event. A filter that removes all actions from an event effectively consumes the event. Before configuring filter rules, read Tips for Managing Event Action Filter Rules, page 39-6.

Note: When filtering sweep signatures, we recommend that you do not filter the destination addresses. If there are multiple destination addresses, only the last address is used for matching the filter.
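The following is an added, simplified model of how a filter subtracts actions from an event; it is written for this page and is not Cisco code. It assumes a filter matches on signature ID, the victim (destination) network and a risk-rating range, compares only the last destination address as the sweep note describes, and treats Produce Verbose Alert and Request SNMP Trap as actions that still write an alert without Produce Alert.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Simplified model of IPS event action filtering (added example, not Cisco's code).
# Assumed filter criteria: signature ID, victim (destination) network and a
# risk-rating range. A matching filter subtracts actions from the event.

@dataclass
class Event:
    sig_id: int
    attacker: str
    victims: List[str]       # destination addresses seen for this event
    risk_rating: int
    actions: Set[str]        # e.g. {"Produce Alert", "Request Block Host"}

@dataclass
class Filter:
    name: str
    sig_id: Optional[int] = None       # None matches any signature
    victim_net: Optional[str] = None   # None matches any destination
    rr_min: int = 0
    rr_max: int = 100
    actions_to_remove: Set[str] = field(default_factory=set)

    def matches(self, ev: Event) -> bool:
        if self.sig_id is not None and self.sig_id != ev.sig_id:
            return False
        if not (self.rr_min <= ev.risk_rating <= self.rr_max):
            return False
        if self.victim_net is not None:
            # Only the LAST destination address is compared, which is why the
            # guide advises against filtering sweep signatures on destination.
            if ip_address(ev.victims[-1]) not in ip_network(self.victim_net, strict=False):
                return False
        return True

# Actions that write an alert to the Event Store even without Produce Alert.
ALERT_WRITERS = {"Produce Alert", "Produce Verbose Alert", "Request SNMP Trap"}

def apply_filters(ev: Event, filters: List[Filter]) -> Tuple[Set[str], bool, bool]:
    """Return (remaining_actions, consumed, alert_written). A filter that strips
    every action leaves the sensor nothing to do, so the event is consumed."""
    remaining = set(ev.actions)
    for f in filters:
        if f.matches(ev):
            remaining -= f.actions_to_remove
    return remaining, not remaining, bool(remaining & ALERT_WRITERS)
```

Signature IDs and addresses in any test input are constructed values, not real signatures from the guide.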