Solved: Re: Modify action from "ZERO" to "Shunhost"

meether · ‎09-30-2003

Hello,

I can't modify action for some alarms from "ZERO" to "Shunhost" ex: alarm 3216 (www directory traversal ../..).

I try with alarm 3215 (iis dot dot execute bug) and it's ok.

I don't understand why.

Could someone help me please ?

Regards

Eric

marcabal · ‎12-01-2003

Place a "|" between the 2 actions.

For example:

EventAction reset|shunhost

NOTE: No spaces between the actions and the "|".

View solution in original post

jlively · ‎09-30-2003

What method are you using to try to modify the actions? (IDM, cli, MC ) What version are you running on the sensor (3.1(4) 4.0, 4.1)?

meether · ‎09-30-2003

Sorry, I forgot some informations.

I use "IDS Device Manager, Version 4.1(1)S50".

I don't know how to do with cli.

jlively · ‎10-01-2003

I tried this on my sensor using IDM and it worked fine. Try it with the cli:

1. Log in as cisco

2. conf t

3. service virtual-sensor-configuration virtualSensor

4. tune

5. service.http

6. sig sig 3216 sub 0

7. eventaction (whatever you want shunhost for example)

8. exit back out until you get to the "save changes" prompt. Enter yes.

9. Wait until you get the prompt back

you should be back at the "config" prompt. You will still need to wait for sensorapp to finish starting. You can keep trying "int group 0" command until it stops reporting an error. Then you know it is up. Then just exit back out.

Check it again with idm. See if it shows the proper action for sig 3216.

meether · ‎10-02-2003

thanks

it works...

regards

meether · ‎11-27-2003

Hi,

I would like to change event action from anything to reset AND shunhost with CLI.

How can I do this ?