https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418495#M68100 <HTML><HEAD></HEAD><BODY><P>Hello</P><P><BR />I also miss syslog in Cisco IPS. But your problem is solvable. You can use Event Action Overrides for set added action (SNMP trap) to all alarm which reach specific risk (maybe high risk, or medium risk, or low risk, or user defined risk as you need). Value "Informational" is not risk value, it is severity (only one part of risk value).</P><P>Deny packet inline is usable only in inline mode. This action drop packet which is triggered by specific signature. You can use only TCP reset action to stop some kind of attack in promiscious mode.</P></BODY></HTML> Mon, 25 Jan 2010 07:32:35 GMT jan.odzgan 2010-01-25T07:32:35Z https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418494#M68099 <P>Hi,</P><P></P><P>My question concerns the way to send SNMP traps as an alert format.</P><P></P><P>I am totally aware that the AIP-SSM/IPS 4200 does not support syslog as an alert format.</P><P></P><P>The default method is through SDEE but I really don't want to use MARS to get my security events (I have more than 10 devices so don't think about IME <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/wink.gif"></SPAN>)</P><P></P><P>I'e read that I have to configure individual signatures in order to generate a SNMP trap as an action to take when they are triggered.</P><P></P><P>So is this correct?:</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/0/3/8/2830-snmp-1.png" alt="snmp-1.png" class="jive-image" /></P><P></P><P>Is it possible to enable it "globally"? For example for all signatures with a level higher than informational? Is it done with this option? :</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/1/3/8/2831-snmp-2.png" alt="snmp-2.png" class="jive-image-thumbnail jive-image" height="553" onclick="" width="518" /></P><P></P><P>what is the first action "deny packet inline"? Is it really done because I am using the AIP-SSM in promiscuous mode...</P><P></P><P>Thanks a lot!</P> Sun, 10 Mar 2019 11:52:18 GMT https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418494#M68099 jacques_henry696 2019-03-10T11:52:18Z https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418495#M68100 <HTML><HEAD></HEAD><BODY><P>Hello</P><P><BR />I also miss syslog in Cisco IPS. But your problem is solvable. You can use Event Action Overrides for set added action (SNMP trap) to all alarm which reach specific risk (maybe high risk, or medium risk, or low risk, or user defined risk as you need). Value "Informational" is not risk value, it is severity (only one part of risk value).</P><P>Deny packet inline is usable only in inline mode. This action drop packet which is triggered by specific signature. You can use only TCP reset action to stop some kind of attack in promiscious mode.</P></BODY></HTML> Mon, 25 Jan 2010 07:32:35 GMT https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418495#M68100 jan.odzgan 2010-01-25T07:32:35Z https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418496#M68101 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">You can use Event Action Overrides for set added action (SNMP trap) to all alarm which reach specific risk (maybe high risk, or medium risk, or low risk, or user defined risk as you need).</PRE><P></P><P>When you're talking about the "Event Action Overrides", are you referring to the second screenshot I've posted? In this configuration, all enabled signatures should trigger a SNMP trap, right? (even if I didn't set the "request SNMP trap" option in all signatures?)</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>Deny packet inline is usable only in inline mode. This action drop packet which is triggered by specific signature. You can use only TCP reset action to stop some kind of attack in promiscious mode.</P></PRE><P></P><P>Yes that's what I thought. But this action (Deny packet inline) is not removable from the HIGHRISK. So it is not taken into account when using the IPS in promicuous mode?</P><P></P><P>Thanks,</P><P></P><P>Regards.</P></BODY></HTML> Wed, 27 Jan 2010 11:49:42 GMT https://community.cisco.com/t5/network-security/ips-snmp-alarms/m-p/1418496#M68101 jacques_henry696 2010-01-27T11:49:42Z