04-22-2011 02:19 PM - edited 03-10-2019 05:20 AM
Hello Dears,
What I understand by Event Action Override is that the default action set with the signature will be overridden by the configuration we do in the Event Action Override pane.
For example: if a signature is built with a medium risk rating to only produce an alert, and if we want to, can we use the Event Action Override pane to deny packet inline for the medium risk signatures? Please correct me if I'm wrong. It is not good to turn on deny packet inline for medium risk; I am writing this just for my understanding.
Question-2: Event Variable:
You can create event variables and then use those variables in event action filters. When you want to use the same value within multiple filters, use a variable. When you change the value of the variable, any filter that uses that variable is updated with the new value.
Where are these variables? Where can I edit them?
04-25-2011 02:05 PM
You can adjust a medium severity signature to drop packets. In fact, several default signatures drop packets without any alert at all (packet out of order, I'm looking at you).
To use a variable, you need to look at the Event Action Filters:
- Bob
04-28-2011 02:33 PM
Hello Bob,
Question 1:
Thanks for answer 1. But is what I am thinking about event action override correct or wrong?
Question :2
I have read about event variables; it says we can use them in event action filters, but in the Event Variable tab we only specify the IP address, name and type. In Event Action Filters I don't see any drop-down button to pull in the variables we create in the Event Variable tab. Please clarify; I am very new to IPS.
04-30-2011 12:15 PM
Hi,
1. Yes, you are correct regarding event action filters: you can change the default actions specified in the signature.
2. When you want to use a variable, enter $ in front of the variable name. For example:
service event-action-rules rules0
   variables ALL address 0.0.0.0-255.255.255.255
   variables CWLMS address 192.168.1.10
   filters edit CiscoWorks_ICMP
      signature-id-range 2100
      subsignature-id-range 0
      attacker-address-range $CWLMS
      victim-address-range $ALL
      actions-to-remove deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline|deny-packet-inline|deny-connection-inline|reset-tcp-connection|produce-alert|produce-verbose-alert
      os-relevance relevant|not-relevant|unknown
   exit
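As an added illustration (not part of the original thread and not Cisco's code), the Python below models how a sensor would apply an event action filter like the one above: it parses the event-action-rules fragment, resolves the $CWLMS and $ALL references against the variables block, and subtracts actions-to-remove from a signature's default actions for a given event. It also lints for a $NAME that is referenced in a filter but never defined, which is the failure mode a new IPS admin is most likely to hit. The model is deliberately simplified: only signature-id, subsignature-id, attacker and victim matching and actions-to-remove are honoured (risk-rating-range, stop-on-match, comma-separated lists and os-relevance are ignored), the "match anything" defaults for unspecified fields are an assumption, and the second config with $NOSUCH is constructed to show the error.

```python
import ipaddress

# Constructed sample: the event-action-rules fragment from the post above.
SAMPLE_RULES = """\
service event-action-rules rules0
variables ALL address 0.0.0.0-255.255.255.255
variables CWLMS address 192.168.1.10
filters edit CiscoWorks_ICMP
signature-id-range 2100
subsignature-id-range 0
attacker-address-range $CWLMS
victim-address-range $ALL
actions-to-remove deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline|deny-packet-inline|deny-connection-inline|reset-tcp-connection|produce-alert|produce-verbose-alert
os-relevance relevant|not-relevant|unknown
exit
"""

# Constructed sample with a filter that references a variable nobody defined.
BROKEN_RULES = """\
service event-action-rules rules0
variables ALL address 0.0.0.0-255.255.255.255
filters edit Bad_Filter
signature-id-range 2100
attacker-address-range $NOSUCH
victim-address-range $ALL
actions-to-remove produce-alert
exit
"""

ANY_ADDR = "0.0.0.0-255.255.255.255"  # assumed default when a range is not given


class UndefinedVariable(KeyError):
    """A $NAME reference in a filter has no matching 'variables NAME address ...' line."""


def parse_rules(text):
    """Return (variables, filters) from an event-action-rules fragment (simplified model)."""
    variables = {}
    filters = []
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "variables" and len(tokens) == 4 and tokens[2] == "address":
            variables[tokens[1]] = tokens[3]
        elif tokens[:2] == ["filters", "edit"]:
            current = {
                "name": tokens[2],
                "signature-id-range": "0-65535",
                "subsignature-id-range": "0-255",
                "attacker-address-range": ANY_ADDR,
                "victim-address-range": ANY_ADDR,
                "actions-to-remove": set(),
            }
            filters.append(current)
        elif tokens[0] == "exit":
            current = None
        elif current is not None and len(tokens) == 2:
            key, value = tokens
            if key == "actions-to-remove":
                current[key] = set(value.split("|"))  # pipe-separated list, as in the post
            elif key in current:
                current[key] = value
            # other keys (os-relevance, risk-rating-range, ...) are ignored in this model
    return variables, filters


def resolve_address_range(value, variables):
    """Expand '$NAME' to the address range defined for NAME; literal ranges pass through."""
    if value.startswith("$"):
        name = value[1:]
        if name not in variables:
            raise UndefinedVariable(name)
        return variables[name]
    return value


def undefined_variables(variables, filters):
    """Lint: (filter name, variable name) pairs referenced with $ but never defined."""
    missing = []
    for f in filters:
        for key in ("attacker-address-range", "victim-address-range"):
            value = f[key]
            if value.startswith("$") and value[1:] not in variables:
                missing.append((f["name"], value[1:]))
    return missing


def _int_in_range(n, range_str):
    lo, _, hi = range_str.partition("-")
    return int(lo) <= n <= (int(hi) if hi else int(lo))


def _ip_in_range(ip, range_str):
    """range_str is 'a.b.c.d' or 'a.b.c.d-w.x.y.z', the forms used in the post."""
    addr = int(ipaddress.IPv4Address(ip))
    lo, _, hi = range_str.partition("-")
    lo_i = int(ipaddress.IPv4Address(lo))
    hi_i = int(ipaddress.IPv4Address(hi)) if hi else lo_i
    return lo_i <= addr <= hi_i


def remaining_actions(event, default_actions, variables, filters):
    """Subtract actions-to-remove of every matching filter from the signature's default actions.

    event: {"sig": int, "subsig": int, "attacker": str, "victim": str}
    """
    actions = set(default_actions)
    for f in filters:
        attacker_range = resolve_address_range(f["attacker-address-range"], variables)
        victim_range = resolve_address_range(f["victim-address-range"], variables)
        if (_int_in_range(event["sig"], f["signature-id-range"])
                and _int_in_range(event["subsig"], f["subsignature-id-range"])
                and _ip_in_range(event["attacker"], attacker_range)
                and _ip_in_range(event["victim"], victim_range)):
            actions -= f["actions-to-remove"]
    return actions


if __name__ == "__main__":
    variables, filters = parse_rules(SAMPLE_RULES)
    icmp_from_cwlms = {"sig": 2100, "subsig": 0, "attacker": "192.168.1.10", "victim": "10.1.2.3"}
    print(remaining_actions(icmp_from_cwlms, {"produce-alert", "deny-packet-inline"}, variables, filters))
    print(undefined_variables(*parse_rules(BROKEN_RULES)))
```

Running it shows the filter stripping every action from signature 2100 only when the attacker is the CWLMS host, leaving other sources untouched, and the lint reporting Bad_Filter's reference to NOSUCH before the filter is ever evaluated.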