
what is difference between signature action and rules action

teymur azimov
Level 1

Hi. I do not understand what the difference is between the signature action and the rules action. When we create the risk rating and give it some action, and then apply this risk rating (for example high risk, medium, low) to all signatures, yes? Also, we edit some actions at each signature. So what is the difference between the signature action and the risk rating action? When is the signature action used and when is the risk rating action used? Is it the same? If it is not the same, how do they work? Please explain it to me.


Dustin Ralich
Cisco Employee

Actions (whether by individual signatures or by Event Action Overrides) do not immediately occur. The concept of an Action "queue" helps make sense of the path an Action "takes" from initial request to actual invocation. Figure 7-1 (Signature Event Through Signature Event Action Processor) of this document helps clarify.

Long story short: Actions specified by individual signatures get "queued" to take effect whenever the signature fires, EAOs (Event Action Overrides) can add their Action(s) to the queue if the Risk Rating of the signature fire is matched, and EAFs (Event Action Filters) can subtract Actions from the queue if their specifications are met. Whatever Action is left (if any Action is left) occurs.

And, yes, EAOs apply to all signatures (based solely on the calculated Risk Rating for each signature fire).

Thank you for replying to me. For example, there is one attack on my inside network and the IPS, for example signature 2950, denies the attacker.

How does the process go?

The risk rating is associated with alerts not signatures.

The risk rating is associated with alerts not signatures.

Correct (somewhat)... the Calculated Risk Rating is associated with Alerts (signature fire events). The Base Risk Rating (displayed in the Signature Policy section of IDM/IME) is associated with individual signatures.

The Calculated Risk Rating is what is used by EAOs (Event Action Overrides) and is determined by a formula, detailed by Figure 7-2 (Risk Rating Formula) of the Configuration Guide.

The Base Risk Rating is (if I recall correctly) calculated by multiplying the Signature Fidelity Rating (SFR) and the Attack Severity Rating (ASR) of a signature and dividing the total by 100 (SFR * ASR / 100).
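
The action queue described in this thread, modeled as an added example (not Cisco code and not from any poster): signature actions are queued, EAOs add actions when the Calculated Risk Rating falls in their range, and EAFs subtract actions. The class names, the filter match criteria (signature ID plus Risk Rating range) and all sample values are assumptions; the Calculated Risk Rating is passed in because its formula (Figure 7-2) is not reproduced on this page.

```python
from dataclasses import dataclass

@dataclass
class Override:            # Event Action Override (EAO): applies to all signatures
    rr_min: int
    rr_max: int
    action: str

@dataclass
class Filter:              # Event Action Filter (EAF); match criteria are assumed
    sig_id: int
    rr_min: int
    rr_max: int
    remove: frozenset

def base_risk_rating(sfr, asr):
    """Base Risk Rating as recalled in the thread: SFR * ASR / 100."""
    return sfr * asr / 100

def resolve_actions(sig_id, sig_actions, calculated_rr, overrides, filters):
    """Return the actions left in the queue after EAOs add and EAFs subtract."""
    queue = set(sig_actions)                      # 1. the signature's own actions
    for o in overrides:                           # 2. EAOs add on a Risk Rating match
        if o.rr_min <= calculated_rr <= o.rr_max:
            queue.add(o.action)
    for f in filters:                             # 3. EAFs subtract when they match
        if f.sig_id == sig_id and f.rr_min <= calculated_rr <= f.rr_max:
            queue -= f.remove
    return sorted(queue)                          # 4. whatever is left occurs

# Constructed sample policy: one high-risk override, one filter for signature 2950.
SAMPLE_OVERRIDES = [Override(90, 100, "deny-packet-inline")]
SAMPLE_FILTERS = [Filter(2950, 90, 100, frozenset({"deny-packet-inline"}))]

if __name__ == "__main__":
    print(base_risk_rating(80, 75))
    # Override adds a deny action at Risk Rating 95; no filter configured.
    print(resolve_actions(2950, ["produce-alert"], 95, SAMPLE_OVERRIDES, []))
    # Same event, but the filter for signature 2950 removes the deny action again.
    print(resolve_actions(2950, ["produce-alert"], 95, SAMPLE_OVERRIDES, SAMPLE_FILTERS))
    # Lower Risk Rating: the override never matches, only the signature action runs.
    print(resolve_actions(2950, ["produce-alert"], 50, SAMPLE_OVERRIDES, SAMPLE_FILTERS))
```
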
