
Signature IPS: Action based on detected signature

msngod
Level 1

Hi,

I am configuring an IPS sensor (NME-IPS-K9 module on a Cisco 2900 series router).

In Cisco IPS Device Manager, under Configurations --> Policies --> IPS Policies, you can assign IPS policies (LowRis, MediumRisk and HIGHRisk) to the virtual sensor under the column Event Action Override Policies.

I am wondering: when the IPS detects a potential threat, does the sensor take actions according to the policies defined under the Event Action Override policy, or according to the Event Action defined under the signatures? (Configuration > Policies > Signature Definitions > Sig0 > *)

Thanks in advance for your reply!

1 Reply

Dustin Ralich
Cisco Employee
I am wondering: when the IPS detects a potential threat, does the sensor take actions according to the policies defined under the Event Action Override policy, or according to the Event Action defined under the signatures? (Configuration > Policies > Signature Definitions > Sig0 > *)

The Action(s) configured for the Signature that fired/triggered is "queued" to take effect. If an EAO (Event Action Override) matches, then the Action(s) configured for it is added to the queue. Then, if an EAF (Event Action Filter) matches, the Action(s) configured for it is subtracted from the queue. Whatever Action(s) remains (if any) then occurs.

References:

-SEAP (Signature Event Action Processor)
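
The add/subtract order described in the reply above, modeled as an added Python example (not part of the original thread and not Cisco's code). The match criteria used here (a risk-rating range for overrides; signature ID and attacker network for filters) and every ID, address and policy entry are assumptions constructed for illustration.

```python
# Simplified model: signature actions + matching EAOs - matching EAFs.
# Signature ID, addresses, risk ratings and policy entries are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Event:
    sig_id: int
    attacker: str
    risk_rating: int          # 0-100
    sig_actions: frozenset    # actions configured on the signature itself

@dataclass
class Override:               # EAO: adds one action when the risk rating is in range
    action: str
    rr_min: int
    rr_max: int = 100
    def matches(self, ev):
        return self.rr_min <= ev.risk_rating <= self.rr_max

@dataclass
class Filter:                 # EAF: subtracts actions when the event matches
    sig_ids: frozenset
    attacker_net: str
    remove: frozenset
    def matches(self, ev):
        return (ev.sig_id in self.sig_ids
                and ip_address(ev.attacker) in ip_network(self.attacker_net))

def resolve_actions(ev, overrides, filters):
    queue = set(ev.sig_actions)                              # signature actions queued
    queue |= {o.action for o in overrides if o.matches(ev)}  # matching EAOs add
    for f in filters:
        if f.matches(ev):
            queue -= f.remove                                # matching EAFs subtract
    return sorted(queue)                                     # whatever remains occurs

ALERT, DENY = "produce-alert", "deny-packet-inline"
OVERRIDES = [Override(DENY, rr_min=90)]
# Constructed filter: exempt an internal scanner subnet from every action.
FILTERS = [Filter(frozenset({60001}), "10.0.5.0/24", frozenset({ALERT, DENY}))]

def demo():
    events = {
        "external, RR 95": Event(60001, "198.51.100.7", 95, frozenset({ALERT})),
        "external, RR 40": Event(60001, "198.51.100.7", 40, frozenset({ALERT})),
        "scanner, RR 95": Event(60001, "10.0.5.20", 95, frozenset({ALERT})),
    }
    return {name: resolve_actions(ev, OVERRIDES, FILTERS) for name, ev in events.items()}

if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name}: {actions or 'no action'}")
```

The third case ends with an empty queue: a filter that subtracts the signature's own alert action leaves the event with no action at all, which is worth checking for when auditing filters.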
