
8-21
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 8 Configuring Event Action Rules
Caution
Event action filters based on source and destination IP addresses do not function for the Sweep engine,
because they do not filter as regular signatures. To filter source and destination IP addresses in sweep
alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.
Configuring Event Action Filters
Note
Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.
For global correlation inspection, the sensor does not receive or process reputation data for IPv6
addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,
network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6
addresses do not appear in the deny list.
Note
Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or
rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried
out.
You can configure event action filters to remove specific actions from an event or to discard an entire
event and prevent further processing by the sensor. You can use event action variables that you defined
to group addresses for your filters.
Note
You must preface the event variable with a dollar sign ($) to indicate that you are using a variable rather
than a string. Otherwise, you receive the "Bad source and destination" error.
Use the filters {edit | insert | move} name1 [begin | end | inactive | before | after] command in service
event action rules submode to set up event action filters.
The following options apply:
actions-to-remove—Specifies the event actions to remove for this filter item.
attacker-address-range—Specifies the range set of IPv4 attacker address(es) for this item (for
example, 192.0.2.0-192.0.2.254,192.3.2.0-192.3.2.254).
Note
The second IP address in the range must be greater than or equal to the first IP address. If
you do not specify an attacker address range, all IPv4 attacker addresses are matched.
attacker-port-range—Specifies the range set of attacker port(s) for this item (for example,
147-147,8000-10000).
default—Sets the value back to the system default setting.
deny-attacker-percentage—Specifies the percentage of packets to deny for deny attacker features.
The valid range is 0 to 100. The default is 100.
filter-item-status {enabled | disabled}—Enables or disables the use of this filter item.
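As an added illustration (not Cisco's code), the following Python checks filter item values against the rules described above before they are entered in the filters submode: the comma-separated range sets of attacker-address-range and attacker-port-range, the requirement that the second value of a range be greater than or equal to the first, IPv4-only attacker addresses, and the $ prefix required on event variables. The names parse_range_set, ipv4, port, CHECKS and filter_item_errors are the example's own.

```python
import ipaddress
import re

def parse_range_set(text, parse, what):
    """Split a "lo-hi,lo-hi" range set (or return a $variable untouched) and
    check that the second value of every range is >= the first."""
    if text.startswith("$"):
        return [text]  # event action variable, expanded by the sensor
    if re.fullmatch(r"[A-Za-z_]\w*", text):  # a variable name missing its $
        raise ValueError("preface the event variable with $, or the sensor "
                         "reports 'Bad source and destination'")
    ranges = []
    for item in text.split(","):
        lo, sep, hi = item.partition("-")
        lo_v, hi_v = parse(lo), parse(hi if sep else lo)  # bare value = lo-lo (assumption)
        if hi_v < lo_v:
            raise ValueError(f"{what} range {item!r}: second value below the first")
        ranges.append((lo_v, hi_v))
    return ranges

def ipv4(s):
    ip = ipaddress.ip_address(s.strip())
    if ip.version != 4:  # attacker address ranges take IPv4 addresses only
        raise ValueError(f"{s}: IPv4 addresses only")
    return ip

def port(s):
    p = int(s)
    if not 0 <= p <= 65535:
        raise ValueError(f"{s}: not a valid port")
    return p

# Option name from the filters submode -> check applied to its value.
CHECKS = {
    "attacker-address-range": lambda t: parse_range_set(t, ipv4, "address"),
    "attacker-port-range": lambda t: parse_range_set(t, port, "port"),
}

def filter_item_errors(item):
    """Return the problems found in a filter item given as a dict keyed by option name."""
    errors = []
    for name, check in CHECKS.items():
        if name in item:
            try:
                check(item[name])
            except ValueError as exc:
                errors.append(f"{name}: {exc}")
    return errors
```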