https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457001#M66710 <P>I noticed this morning that a custom signature I created triggered and an action that I didn't assign to it occured.&nbsp; I set the severity to medium and the actions of the signature to alarm and deny packet inline but "denied flow" also shows as an action taken in the alert message.&nbsp; I have two event action overrides, but they are set to add produce alert (medium) and produce alert and deny packet inline (high). I tried rebooting the sensor and then triggered the alert and it did the same thing.</P><P></P><P>It's not a major issue, but I do find it kind of odd.&nbsp; Any ideas?</P><P></P><P>The IPS is an ASA-SSM-20 running 7.0(4)E4.</P> Sun, 10 Mar 2019 12:06:08 GMT terrygwazdosky 2019-03-10T12:06:08Z https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457001#M66710 <P>I noticed this morning that a custom signature I created triggered and an action that I didn't assign to it occured.&nbsp; I set the severity to medium and the actions of the signature to alarm and deny packet inline but "denied flow" also shows as an action taken in the alert message.&nbsp; I have two event action overrides, but they are set to add produce alert (medium) and produce alert and deny packet inline (high). I tried rebooting the sensor and then triggered the alert and it did the same thing.</P><P></P><P>It's not a major issue, but I do find it kind of odd.&nbsp; Any ideas?</P><P></P><P>The IPS is an ASA-SSM-20 running 7.0(4)E4.</P> Sun, 10 Mar 2019 12:06:08 GMT https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457001#M66710 terrygwazdosky 2019-03-10T12:06:08Z https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457002#M66711 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>That's weird. Can you paste the details of the custom signature you have created?</P><P></P><P>Regards,</P><P>Prapanch</P></BODY></HTML> Mon, 23 Aug 2010 15:30:18 GMT https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457002#M66711 praprama 2010-08-23T15:30:18Z https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457003#M66713 <HTML><HEAD></HEAD><BODY><P>Here you go:</P><P></P><P>signatures 60000 0 <BR />alert-severity medium<BR />sig-fidelity-rating 75<BR />sig-description<BR />sig-name MS10-046<BR />sig-string-info .pif or .lnk file extension matching<BR /><SPAN>sig-comment </SPAN><A class="jive-link-external-small" href="http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx">http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx</A><BR />exit<BR />engine service-http<BR />event-action produce-alert|deny-packet-inline<BR />regex<BR />specify-uri-regex yes<BR />uri-regex \.([Ll][Nn][Kk]|[Pp][Ii][Ff])<BR />exit<BR />exit<BR />service-ports 80,8080<BR />exit<BR />event-counter<BR />event-count 1<BR />event-count-key Axxx<BR />specify-alert-interval no<BR />exit<BR />alert-frequency<BR />summary-mode fire-once<BR />exit</P></BODY></HTML> Mon, 23 Aug 2010 15:37:09 GMT https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457003#M66713 terrygwazdosky 2010-08-23T15:37:09Z https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457004#M66715 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The action taken by the sensor for a TCP-based signature with 'deny packet inline' action will be "upgraded" automatically to 'deny connection inline'.&nbsp; This is by design of the software.</P><P><BR />Regards,<BR />Chris</P></BODY></HTML> Mon, 23 Aug 2010 15:43:49 GMT https://community.cisco.com/t5/network-security/actions-occuring-that-are-not-assigned/m-p/1457004#M66715 cvilleme 2010-08-23T15:43:49Z