Active / Enabled
  (Active does not apply to Cisco IOS IPS devices.)
  Whether the filter rule is active and enabled. Active means that the filter has been put into the filter list and
  will take effect on filtering events. The default is that the rule is both active and enabled, which means that the
  rule is used when events are processed.
  Tips:
  - If a filter is active but not enabled, it is still included in the ordering list; it is processed, but it is not
    used.
  - If a filter is not active, it is not included in the ordering of the filters at all, so it is never processed.
  - Disabled rules are shown in the event action filters table with cross-hatching.

Name
  The name of the filter rule. The following characters are allowed in filter names:
  a-z, A-Z, 0-9, - (hyphen), . (dot or period), : (colon), and _ (underscore).

Signature IDs
  The numerical signature IDs to which the filter rule applies. You can enter a single signature ID, a comma-separated
  list, or a range of IDs. The default is to apply the rule to signatures in the range 900-65535.

SubSignature ID
  The subsignature ID for the specified signature to which the filter rule applies. The subsignature ID identifies a
  more granular version of a broad signature, but it is not used for all signatures.
  Enter a subsignature ID appropriate for the signature ID you specified, or enter a range of subsignature IDs. The
  default value is the range 0-255.

Attacker IPv4 Address
  The IP address of the host that sent the offending packet. You can specify a single host IP address, a range of
  addresses, or the name of a network/host policy object that identifies the address or address range. Click Select to
  select a network/host object from a list or to create a new object.
  Note: Do not create an IPv4 object and an IPv6 object with the same name; doing so leads to deployment failure.
  The default value is a range of all IPv4 addresses (0.0.0.0-255.255.255.255).

Attacker IPv6 Address
  The IP address of the host that sent the offending packet. You can specify a single host IP address, a range of
  addresses, or the name of a network/host policy object that identifies the address or address range. Click Select to
  select a network/host object from a list or to create a new object.
  Note: Do not create an IPv4 object and an IPv6 object with the same name; doing so leads to deployment failure.
  The default value is a range of all IPv6 addresses (::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF).

Attacker Port
  The port used by the attacker host. This is the port from which the offending packet originated. You can also enter a
  range of ports.
  The default value is a range of all ports (0-65535).

Victim IPv4 Address
  The IP address of the host being attacked (the recipient of the offending packet). You can specify a single host IP
  address, a range of addresses, or the name of a network/host policy object that identifies the address or address
  range. Click Select to select a network/host object from a list or to create a new object.
  Note: Do not create an IPv4 object and an IPv6 object with the same name; doing so leads to deployment failure.
  The default value is a range of all IPv4 addresses (0.0.0.0-255.255.255.255).

Victim IPv6 Address
  The IP address of the host being attacked (the recipient of the offending packet). You can specify a single host IP
  address, a range of addresses, or the name of a network/host policy object that identifies the address or address
  range. Click Select to select a network/host object from a list or to create a new object.
  Note: Do not create an IPv4 object and an IPv6 object with the same name; doing so leads to deployment failure.
  The default value is a range of all IPv6 addresses (::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF).

Victim Port
  The port of the host being attacked (the recipient of the offending packet). This is the port to which the offending
  packet was sent. You can also enter a range of ports.
  The default value is a range of all ports (0-65535).

Risk Rating Min. and Max.
  The risk rating range, between 0 and 100, that should be used to trigger this event action filter. The default value
  is the complete range (0-100).
  If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event is
  processed against the rules of this event filter.

OS Relevance
  Indicates whether the alert is relevant to the OS that has been identified for the victim. Possible values include
  one or more of the following: Not Relevant, Relevant, Unknown. Use Ctrl+click to select multiple values. The default
  is all values selected.
  Note: OS Relevance is applicable only to appliances and service modules running IPS 6.x+ software. For Cisco IOS IPS
  devices, this field is read-only and cannot be edited, and for IPS 5.x devices, this field is blank.

Comments
  The user comments associated with this filter, such as an explanation of the purpose of the rule.

Actions to Subtract
  The actions to remove from the event when the event meets the criteria of this event action filter. You can select
  one or more actions in this list box; all selected actions are removed from the event. Use Ctrl+click to select
  multiple values. For more information about the possible actions, see Edit, Add, Replace Action Dialog Boxes.
  For IOS IPS devices, the possible values are restricted to the following:
  - Deny Attacker Inline blocks the attacker’s source IP address completely. No connection can be established from the
    attacker to the router until the shun time expires. You can configure this time in the Event Actions Settings
    policy as described in Configuring Settings for Event Actions.
  - Deny Connection Inline blocks the appropriate TCP flow from the attacker. Other connections from the attacker can
    be established to the router.
  - Deny Packet Inline discards the packet without sending a reset. Cisco recommends using “drop and reset” in
    conjunction with alarm.
  - Produce Alert sends a notification about the attack through syslog or SDEE.
  - Reset TCP Connection is effective for TCP-based connections and sends a reset to both the source and destination
    addresses. For example, in the case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections.

% to Deny
  The percentage of packets to deny for deny attacker features. The range is 0 to 100. The default is 100 percent.
  Note: For IOS IPS devices, this field is read-only and cannot be edited.

Stop on Match
  Whether to define this filter rule as a stop rule. This setting determines how the remaining rules in the event
  action filter rules table are processed:
  - If you select this option, and an event meets the conditions of the rule, this rule is the final rule tested for
    the event. The actions identified by this rule are removed from the event, and the device moves on to perform all
    remaining actions assigned to the event.
  - If you do not select this option, then events that meet the conditions of this filter rule are also compared to
    subsequent rules in the event actions filters table. Subsequent rules are tested until either all rules are tested,
    or the event matches a stop rule.
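The following Python model, added here as an illustration and not Cisco's code or the device's actual implementation, walks an ordered event action filter table against an alert the way the fields above describe: every match field defaults to the full range shown in the dialog, an inactive rule is not in the ordering at all, an active-but-disabled rule is processed but its subtraction is not used, and a Stop on Match rule ends evaluation. The rule table, the two alerts, and all field and function names are constructed for the example.

```python
from ipaddress import ip_address
# Dialog defaults for every match field: the full range, so an untouched field matches any event.
DEFAULTS = dict(sig_id=(900, 65535), subsig_id=(0, 255), attacker_port=(0, 65535), victim_port=(0, 65535),
                risk_rating=(0, 100), attacker_ip=("0.0.0.0", "255.255.255.255"),
                victim_ip=("0.0.0.0", "255.255.255.255"),
                os_relevance=frozenset({"Not Relevant", "Relevant", "Unknown"}))

def make_filter(name, subtract, active=True, enabled=True, stop_on_match=False, **criteria):
    """One filter row; any match field not passed in criteria keeps its default full range."""
    return dict(DEFAULTS, name=name, subtract=frozenset(subtract), active=active,
                enabled=enabled, stop_on_match=stop_on_match, **criteria)

def in_range(value, bounds):
    """Inclusive range test for ints and for IP address strings (the IP version must match the range)."""
    if isinstance(value, str):
        value, bounds = ip_address(value), tuple(map(ip_address, bounds))
        if value.version != bounds[0].version:
            return False
    return bounds[0] <= value <= bounds[1]

def matches(f, ev):
    return ev["os_relevance"] in f["os_relevance"] and all(
        in_range(ev[k], f[k]) for k in DEFAULTS if k != "os_relevance")

def apply_filters(filters, ev):
    """Walk the ordered rule table; return (actions left on the event, names of rules that took effect)."""
    actions, used = set(ev["actions"]), []
    for f in filters:
        if not f["active"]:
            continue                # inactive: not in the ordering list at all
        if not matches(f, ev):
            continue
        if not f["enabled"]:
            continue                # active but disabled: processed, but its subtraction is not used
        actions -= f["subtract"]
        used.append(f["name"])
        if f["stop_on_match"]:
            break                   # stop rule: no later rule is tested for this event
    return actions, used

# Constructed rule table (order matters) and two constructed alerts.
FILTERS = [
    make_filter("low-risk-no-deny", {"Deny Packet Inline"}, risk_rating=(0, 59)),
    make_filter("lab-scanner", {"Produce Alert"}, attacker_ip=("10.1.2.0", "10.1.2.255"), stop_on_match=True),
    make_filter("disabled-rule", {"Reset TCP Connection"}, enabled=False),
    make_filter("no-reset", {"Reset TCP Connection"}),
]
LAB_SCAN = dict(sig_id=3002, subsig_id=0, attacker_ip="10.1.2.7", victim_ip="192.0.2.10", attacker_port=40000,
                victim_port=22, risk_rating=40, os_relevance="Unknown",
                actions={"Produce Alert", "Deny Packet Inline", "Reset TCP Connection"})
EXTERNAL = dict(LAB_SCAN, attacker_ip="198.51.100.9", risk_rating=85, os_relevance="Relevant")
```

For LAB_SCAN the first two rules take effect and the stop rule prevents "no-reset" from being tested; for EXTERNAL only "no-reset" takes effect, because "disabled-rule" matches but is not used.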