Cisco Systems IPS4510K9 manual Event Action Rules Configuration Sequence

Chapter 8 Configuring Event Action Rules

Event Action Rules Configuration Sequence

When a deny-connection-inline occurs, the IPS also automatically sends a TCP one-way reset, which shows up as a TCP one-way reset sent in the alert. When the IPS denies the connection, it leaves an open connection on both the client (generally the attacker) and the server (generally the victim). Too many open connections can result in resource problems on the victim. So the IPS sends a TCP reset to the victim to close the connection on the victim side (usually the server), which conserves the resources of the victim. It also prevents a failover that would otherwise allow the connection to fail over to a different network path and reach the victim. The IPS leaves the attacker side open and denies all traffic from it.

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is selected. The IPS appliance sends a TCP reset packet only to the victim under the following circumstances:

•When a deny-packet-inline or deny-connection-inline is selected

•When TCP-based signatures and reset-tcp-connection have NOT been selected

In the case of the ASA IPS modules, the TCP reset request is sent to the ASA, and then the ASA sends the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the ASA to send the TCP reset packet to the attacker.

TCP Normalizer Signature Warning

You receive the following warning if you disable a default-enabled TCP Normalizer signature or remove a default-enabled modify packet inline, deny packet inline, or deny connection inline action:

Use caution when disabling, retiring, or changing the event action settings of a <Sig ID> TCP Normalizer signature for a sensor operating in IPS mode. The TCP Normalizer signature default values are essential for proper operation of the sensor.

If the sensor is seeing duplicate packets, consider assigning the traffic to multiple virtual sensors. If you are having problems with asymmetric or out-of-order TCP packets, consider changing the normalizer mode from strict evasion protection to asymmetric mode protection. Contact Cisco TAC if you require further assistance.

For More Information

•For procedure for configuring denied attackers, see Monitoring and Clearing the Denied Attackers List, page 8-36.

•For the procedure for configuring the general settings, see Configuring the General Settings, page 8-34.

•For the procedures for configuring blocking devices, see Chapter 14, “Configuring Attack Response Controller for Blocking and Rate Limiting.”

•For the procedures for configuring SNMP, see Chapter 15, “Configuring SNMP.”

Event Action Rules Configuration Sequence

Follow these steps when configuring the event action rules component of the IPS:

1.Create any variables that you want to use in event action filters.

2.Create target value ratings. Assign target value ratings to your network assets so that you can calculate the risk rating.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2