Event Action Override & Event Variables

adamgibs7
Level 6

Hello Dears,

What I understand by Event Action Override is that the default action set with the signature will be overridden by the configuration we do in the Event Action Override pane.

For example: if a signature is built with a medium risk rating to only produce an alert, and we want to, can we deny packet inline for the medium-risk signatures in the Event Action Override pane? Please correct me if I am wrong. It is not good to turn on deny packet inline for medium risk; I am writing this just for my understanding.

Question 2: Event Variable:

You can create event variables and then use those variables in event action filters. When you want to use the same value within multiple filters, use a variable. When you change the value of the variable, any filter that uses that variable is updated with the new value.

Where are these variables? Where can I edit them?

3 Replies

rhermes
Level 7

You can adjust a medium severity signature to drop packets. In fact several default signatures drop packets without any alert at all (packet out of order, I'm looking at you)

For using a variable, you need to look at the Event Action Filters:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1030749

- Bob

Hello Bob,

Question 1:

Thanks for answer 1. But is what I am thinking about event action override correct or wrong?

Question 2:

I have read about event variables; it says we can use them in event action filters, but in the Event Variable tab we only specify the IP address, name and type. In event action filters I don't see any drop-down button to pull in the variables we create in the Event Variable tab. Please clarify; I am very new to IPS.

Hi,

1. Yes, you are correct regarding event action filters: you can change the default actions specified in the signature.

2. When you want to use a variable, enter $ in front of the variable name. For example,

service event-action-rules rules0
  variables ALL address 0.0.0.0-255.255.255.255
  variables CWLMS address 192.168.1.10
  filters edit CiscoWorks_ICMP
    signature-id-range 2100
    subsignature-id-range 0
    attacker-address-range $CWLMS
    victim-address-range $ALL
    actions-to-remove deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline|deny-packet-inline|deny-connection-inline|reset-tcp-connection|produce-alert|produce-verbose-alert
    os-relevance relevant|not-relevant|unknown
    exit
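The thread covers two mechanisms that are easy to mix up: event action overrides add an action to every event whose risk rating falls in a range, and event action filters remove actions from events that match a filter, where address fields may be written as $VARIABLE references to the event variables table. The following is an added example, not code from the thread and not Cisco code; it is a small Python model of how a rule set composes those stages for one event, reusing the names from the reply's CLI fragment (rules0, $ALL, $CWLMS, the CiscoWorks_ICMP filter). The override band 70-100 and the sample events are constructed for illustration; on a real sensor the default override adds deny-packet-inline only for risk rating 90-100.

```python
# Added example (not from the thread, not Cisco code): a model of how a
# Cisco IPS event-action rule set composes the actions for one event.
#   1. start from the signature's own default actions,
#   2. event action overrides ADD an action when the event's risk rating
#      falls inside the override's range,
#   3. event action filters REMOVE actions from events that match the filter
#      (signature id, attacker and victim address), with $NAME references
#      resolved from the event-variables table.
# The override band and the sample events below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address


def parse_range(text):
    """'0.0.0.0-255.255.255.255' or '192.168.1.10' -> inclusive (low, high) ints."""
    lo, _, hi = text.partition("-")
    return int(ip_address(lo)), int(ip_address(hi or lo))


def resolve(value, variables):
    """Expand a '$NAME' reference via the variables table; literals pass through."""
    if value.startswith("$"):
        name = value[1:]
        if name not in variables:
            raise KeyError(f"undefined event variable: {name}")
        return variables[name]
    return value


@dataclass
class Override:
    action: str
    risk_rating_range: tuple  # inclusive (low, high), 0..100


@dataclass
class Filter:
    name: str
    signature_id: int
    attacker_address_range: str  # literal range or $VARIABLE
    victim_address_range: str
    actions_to_remove: frozenset


@dataclass
class RuleSet:
    variables: dict = field(default_factory=dict)
    overrides: list = field(default_factory=list)
    filters: list = field(default_factory=list)

    def resulting_actions(self, sig_id, default_actions, risk_rating, attacker, victim):
        """Return the set of actions the sensor would take for this event."""
        actions = set(default_actions)                      # stage 1: signature defaults
        for ov in self.overrides:                           # stage 2: overrides add
            lo, hi = ov.risk_rating_range
            if lo <= risk_rating <= hi:
                actions.add(ov.action)
        a, v = int(ip_address(attacker)), int(ip_address(victim))
        for f in self.filters:                              # stage 3: filters remove
            if f.signature_id != sig_id:
                continue
            alo, ahi = parse_range(resolve(f.attacker_address_range, self.variables))
            vlo, vhi = parse_range(resolve(f.victim_address_range, self.variables))
            if alo <= a <= ahi and vlo <= v <= vhi:
                actions -= f.actions_to_remove
        return actions


# The full actions-to-remove list from the reply's CiscoWorks_ICMP filter.
ALL_ACTIONS = frozenset(
    "deny-attacker-inline|deny-attacker-service-pair-inline|"
    "deny-attacker-victim-pair-inline|deny-packet-inline|deny-connection-inline|"
    "reset-tcp-connection|produce-alert|produce-verbose-alert".split("|")
)


def build_example_rules():
    """rules0 as in the reply, plus one constructed override for a medium band."""
    rs = RuleSet()
    rs.variables["ALL"] = "0.0.0.0-255.255.255.255"
    rs.variables["CWLMS"] = "192.168.1.10"
    # Constructed for the example: add deny-packet-inline for risk rating 70-100.
    rs.overrides.append(Override("deny-packet-inline", (70, 100)))
    rs.filters.append(Filter("CiscoWorks_ICMP", 2100, "$CWLMS", "$ALL", ALL_ACTIONS))
    return rs


if __name__ == "__main__":
    rs = build_example_rules()
    for attacker, rr in (("192.168.1.10", 50), ("10.0.0.5", 50), ("10.0.0.5", 85)):
        acts = rs.resulting_actions(2100, {"produce-alert"}, rr, attacker, "10.1.1.1")
        print(attacker, rr, sorted(acts))
```

Two things the model makes visible that the CLI fragment does not: changing `rs.variables["CWLMS"]` changes every filter that references `$CWLMS`, which is the point of variables in the original question, and filters run after overrides, so for signature 2100 from 192.168.1.10 the deny-packet-inline added by the override is stripped again along with the alert.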
