User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring Event Action Filters
Table 39-3 Filter Item Dialog Box (Continued)

| Element | Description |
|---|---|
| Attacker Port | The port used by the attacker host. This is the port from which the offending packet originated. You can also enter a range of ports. The default value is a range of all ports (0-65535). |
| Victim IPv4 Address | The IP address of the host being attacked (the recipient of the offending packet). You can specify a single host IP address, a range of addresses, or the name of a network/host policy object that identifies the address or address range. Click Select to select a network/host object from a list or to create a new object. Note: Do not create an IPv4 object and an IPv6 object with the same name; doing so leads to deployment failure. The default value is a range of all IPv4 addresses (0.0.0.0-255.255.255.255). |
| Victim IPv6 Address | The IP address of the host being attacked (the recipient of the offending packet). You can specify a single host IP address, a range of addresses, or the name of a network/host policy object that identifies the address or address range. Click Select to select a network/host object from a list or to create a new object. Note: Do not create an IPv4 object and an IPv6 object with the same name; doing so leads to deployment failure. The default value is a range of all IPv6 addresses (::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF). |
| Victim Port | The port of the host being attacked (the recipient of the offending packet). This is the port to which the offending packet was sent. You can also enter a range of ports. The default value is a range of all ports (0-65535). |
| Risk Rating Min. and Max. | The risk rating range, between 0 and 100, that should be used to trigger this event action filter. The default value is the complete range (0-100). If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event is processed against the rules of this event filter. |
| OS Relevance | Indicates whether the alert is relevant to the OS that has been identified for the victim. Possible values include one or more of the following: Not Relevant, Relevant, Unknown. Use Ctrl+click to select multiple values. The default is all values selected. Note: OS Relevance is applicable only to appliances and service modules running IPS 6.x+ software. For Cisco IOS IPS devices, this field is read-only and cannot be edited, and for IPS 5.x devices, this field is blank. |
| Comments | The user comments associated with this filter, such as an explanation of the purpose of the rule. |
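
The matching behaviour these fields describe, as an added Python example (not Cisco's code and not part of the guide). It models only the fields in this part of Table 39-3, assumes an event must satisfy every field for the filter to apply, and does not resolve network/host policy object names; `FilterItem`, the event dictionaries and their keys are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

def in_range(value, spec, convert):
    """True if value lies in spec, written 'low-high' or as a single value."""
    low, _, high = spec.partition("-")
    lo = convert(low.strip())
    hi = convert(high.strip()) if high else lo
    if lo > hi:
        raise ValueError(f"reversed range: {spec!r}")
    return lo <= convert(value) <= hi

@dataclass(frozen=True)
class FilterItem:
    # Hypothetical model; the defaults are the ones Table 39-3 lists.
    attacker_port: str = "0-65535"
    victim_ipv4: str = "0.0.0.0-255.255.255.255"
    victim_ipv6: str = "::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"
    victim_port: str = "0-65535"
    risk_min: int = 0
    risk_max: int = 100
    os_relevance: frozenset = frozenset({"Not Relevant", "Relevant", "Unknown"})

    def matches(self, event):
        """Assumption: an event must satisfy every field to match."""
        victim = ipaddress.ip_address(event["victim"])
        spec = self.victim_ipv4 if victim.version == 4 else self.victim_ipv6
        return (in_range(event["attacker_port"], self.attacker_port, int)
                and in_range(event["victim"], spec, ipaddress.ip_address)
                and in_range(event["victim_port"], self.victim_port, int)
                and self.risk_min <= event["risk_rating"] <= self.risk_max
                and event["os_relevance"] in self.os_relevance)

    def is_catch_all(self):
        return self == FilterItem()  # every field still at its default

# Constructed sample events (documentation address ranges).
EVENTS = [
    {"attacker_port": 51514, "victim": "192.0.2.10", "victim_port": 443,
     "risk_rating": 85, "os_relevance": "Relevant"},
    {"attacker_port": 40000, "victim": "2001:db8::5", "victim_port": 22,
     "risk_rating": 40, "os_relevance": "Unknown"},
]
WEB = FilterItem(victim_ipv4="192.0.2.0-192.0.2.255", victim_port="443",
                 risk_min=70, os_relevance=frozenset({"Relevant"}))

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["victim"], WEB.matches(ev), FilterItem().matches(ev))
```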