Cisco IPS 4255 Sensor Release Notes
Release Notes for Cisco Intrusion Prevention System 7.0(2)E3
OL-20115-01
Global Correlation and the Produce Alert Event Action
A Produce Alert event action is added for an event under the following conditions:
• Global correlation has increased the risk rating of an event.
• Global correlation has added either the Deny Packet Inline or Deny Attacker Inline event action.
Adding the Produce Alert event action ensures that all events being denied by global correlation result
in alerts that you can view through your monitoring tool. This prevents global correlation from denying
events that you do not know about.
Note
This feature only applies to global correlation inspection where the traffic is allowed if no specific
signature is matched. It does not apply to reputation filtering where the packet is denied before signature
analysis, and no alerts are generated when packets are denied by reputation filtering.
For More Information
• For more information on global correlation, for the CLI, refer to ,
for the IDM refer to , and for the IME refer to
• For more information on event actions, refer to
Component Signatures With Risk Rating Set to 0
Component signatures are not independent signatures; they are pieces of a Meta signature. The Signature
Type option is marked as Component. Since these signatures are not independent signatures, the risk
rating when triggered is automatically set to 0. The risk rating is applicable to the Meta signature rather
than the component signatures. This prevents the component signatures from causing denial of packets
by either event action overrides or global correlation. Event action overrides and global correlation are
applied against the Meta signature rather than the component signature.
Note
Some component signatures in the Meta signatures are valuable as both independent signatures and
component signatures. These signatures are not marked as Signature Type Component and instead are
marked with the Signature Type set to either Vulnerability, Exploit, Anomaly, or Other. The risk rating
for these signatures is calculated and is not set to 0.
For More Information
• For more information on the Meta signature engine, refer to
• For more information on configuring Meta signatures, refer to
• For more information on risk rating, refer to .
Configuring Appliances for UDLD Support
UniDirectional Link Detection (UDLD) is a protocol that Cisco switches use to prevent spanning-tree
forwarding loops and to prevent single direction links in switched networks. IPS appliances configured
in inline VLAN pair mode are now able to respond to UDLD packets received from the switch. You can