Cisco IPS 4255 Sensor White Paper
Technical Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 17 of 18
IPS Event Action Override
As explained in the previous sections of this document, Cisco IPS implements Watch Lists
primarily to highlight the activity of suspicious systems. Cisco Security Agent isolates the hosts on
the list, but the IPS does not enforce quarantine automatically. It is possible, however, to
combine the Watch List with one or more event action overrides so that hosts on the list are
blocked dynamically.
An event action override is a general rule that assigns response actions to events whose risk rating
falls within a specified range, and it supersedes the actions defined at the signature level. Because a
Watch List raises the risk rating of the events triggered by the systems on the list, an event action
override can be configured to block an offending host as soon as it triggers an event whose risk
rating exceeds a predefined threshold.
The event action override should be configured to deny the attacker inline when the sensor is
configured in inline protection mode (IPS), and to block the host with a shun (a blocking request sent
to a managed device) when the sensor is in promiscuous mode (IDS), where it sees only a copy of the
traffic and cannot drop packets itself.
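The following Python model illustrates how a Watch List, risk-rating bands and the sensor mode fit together. It is an added example, not code or configuration from this Cisco document: the risk-rating arithmetic is a simplified stand-in (severity times fidelity times target value, divided by 10000, plus a Watch List bonus, capped at 100), the override bands, the Watch List bonus of 30 and the custom signature are constructed for illustration, and the model adds override actions on top of the signature's own actions.

```python
"""Model of an event action override driven by a Watch List.

Added example, not from the Cisco white paper. Risk-rating arithmetic is a
simplified stand-in; override bands, bonus values and the signature are
constructed for illustration.
"""
from dataclasses import dataclass

INLINE = "inline"            # inline protection mode (IPS)
PROMISCUOUS = "promiscuous"  # promiscuous monitoring mode (IDS)


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: int      # attack severity rating, 0-100
    fidelity: int      # signature fidelity rating, 0-100
    actions: frozenset = frozenset({"produce-alert"})  # signature-level actions


@dataclass(frozen=True)
class Override:
    min_rr: int   # inclusive lower bound of the risk-rating band
    max_rr: int   # inclusive upper bound
    action: str   # action added to events that fall into the band


def risk_rating(sig, target_value=100, watch_list_bonus=0):
    """Simplified risk rating: base score from signature and target value,
    raised by the Watch List bonus, capped at 100 (assumed formula)."""
    base = (sig.severity * sig.fidelity * target_value) // 10000
    return min(100, base + watch_list_bonus)


def overrides_for(mode):
    """Override table per sensor mode (constructed bands).

    An inline deny is only possible when the sensor sits in the traffic path;
    in promiscuous mode the top band requests a shun from a managed device.
    """
    block_action = "deny-attacker-inline" if mode == INLINE else "request-block-host"
    return (
        Override(95, 100, block_action),
        Override(85, 94, "log-attacker-packets"),
    )


def response_actions(sig, rr, overrides):
    """Signature actions plus the action of every override band containing rr."""
    actions = set(sig.actions)
    for ov in overrides:
        if ov.min_rr <= rr <= ov.max_rr:
            actions.add(ov.action)
    return frozenset(actions)


def evaluate(sig, mode, watch_listed, bonus=30):
    """Return (risk rating, actions) for one event from a host that is or is
    not on the Watch List; `bonus` is the constructed Watch List increment."""
    rr = risk_rating(sig, watch_list_bonus=bonus if watch_listed else 0)
    return rr, response_actions(sig, rr, overrides_for(mode))


# Constructed custom signature (ID in the custom range, not a real Cisco signature).
SIG = Signature(60000, "constructed port sweep signature", severity=75, fidelity=90)

if __name__ == "__main__":
    for mode in (INLINE, PROMISCUOUS):
        for listed in (False, True):
            rr, acts = evaluate(SIG, mode, listed)
            print(f"{mode:11} watch-listed={listed!s:5} RR={rr:3} actions={sorted(acts)}")
```

The same event from a host that is not on the Watch List only produces an alert; once the host is on the list the raised risk rating crosses the top band, and the override adds an inline deny in IPS mode or a shun request in IDS mode.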
These concepts are illustrated in Figure 12.
Figure 12. Event Action Override Example
In Figure 12 three event action overrides are defined for an IPS configured in inline protection
mode. Network events triggering alarms with a Risk Rating of 95 or higher cause the
source host to be blocked inline by the IPS. Packets generating alarms with Risk Rating between