Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
671
Views
0
Helpful
2
Replies

How to change default action "alarm" for all signatures ?

tobiaseichner
Level 1
Level 1

‎07-30-2009 01:18 PM - edited ‎03-10-2019 04:43 AM

My question belongs to a Cisco 1712 (128 MB, IOS 12.3T, SDM 2.5 installed):

I'm trying to change the default action "alarm" to "alarm,reset,drop" for all signatures of my custom set.

However doing so via SDM fails. First, it appears as being done correctly, but after compiling the signatures again, the default values are back there (in the same sense, I was unable to delete signatures, works just using the CLI).

I followed the instructions at cisco.com:

router(config)#ip ips signature-definition

router(config-sigdef)#signature 6130 10

router(config-sigdef-sig)#engine

router(config-sigdef-sig-engine)#event-action produce-alert

router(config-sigdef-sig-engine)#event-action deny-packet-inline

router(config-sigdef-sig-engine)#event-action reset-tcp-connection

router(config-sigdef-sig-engine)#exit

However ip ips signature-definition is not understood by the router, so the procedure fails.

Can you please assist me ?

Labels:
0 Helpful
2 Replies 2

vmoopeung
Level 5
Level 5

‎08-05-2009 08:42 AM

You can use IOS command-line interface (CLI) to change signature actions for one signature or a group of signatures based on signature categories. The following example shows how to change signature action to alert, drop and reset for signature 6130 with subsig ID of 10.

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#ip ips signature-definition

router(config-sigdef)#signature 6130 10

router(config-sigdef-sig)#engine

router(config-sigdef-sig-engine)#event-action produce-alert

router(config-sigdef-sig-engine)#event-action deny-packet-inline

router(config-sigdef-sig-engine)#event-action reset-tcp-connection

router(config-sigdef-sig-engine)#exit

router(config-sigdef-sig)#exit

router(config-sigdef)#exit

Do you want to accept these changes? [confirm]y

router(config)#

0 Helpful

tobiaseichner
Level 1
Level 1
In response to vmoopeung

‎08-06-2009 12:22 AM

Hi vmoopeung, I really appreciate your help.

But what you describe is exactly the problem I'm facing with. The procedure doesn't work on IOS 12.3T, it requires (if I correctly remember) 12.4. at least.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card