Re: Event action overides

cef2lion2 · ‎07-31-2009

Using a 4255 running 7.X code inline. I was looking at an event. The sig in question was to notify only but the action listed said the event was blocked. It appears the event action overide was doing that.

How does the event action overide work with a sig thats action isn't to block?

Is there a means to provide known excepts to enabled sigs. Coming from a different platform to the 4255 and learning the interface.

Craig

marcabal · ‎07-31-2009

There are 3 ways that an event action can be added to a signature.

1) The event action is configured on the signature itself.

Either the action is configured as a default action on the signature, or the user has added the action by tuning the signature.

2) Event Action Override is configured to add the event action.

Event Action Overrides are not signature specific. Instead they are checked against all events. If the Risk Rating of the event is within the Range for the override then the event action is added to the event. NOTE: If the event action was already added directly to the sig, then the event action won't add it again since it already is on the event. It only adds the action to events where the action was not already configured on the signature itself.

There is a default event action override for the DenyPacketInLine event action for events with a Risk Rating from 90-100.

Users can modify the default event-action-override or even disable it, and can add their own event-action-overrides.

3) An action can also be added by the Global-Correlation feature when the attacker address has a Negative Reputation. (only in version 7.0 and higher).

To remove or prevent an action for a signature you create Event action Filters.

You designate the sigId and what Event Actions you want to be removed for those events. It can remove actions no matter which method above added the action.