Cisco Network-Based Intrusion Detection System Troubleshooting Guide

Tune the IPS for False Positive Prevention Using
Event Action Filter
Document ID: 113575
Contributed by Aastha Chaudhary, Cisco TAC Engineer.
Jul 06, 2012
Contents
Introduction
Before You Begin
    Requirements
    Components Used
    Conventions
Understanding EAFs
Configuration
Related Information
Introduction
This document provides the steps required in order to tune the Intrusion Prevention System (IPS) for False
Positive Prevention using IPS Device Manager (IDM) or IPS Manager Express (IME). False positive tuning
on IPS is achieved by a feature called Event Action Filter (EAF).
Before You Begin
Requirements
Readers of this document should have knowledge of the Cisco IPS.
Components Used
The information in this document is not based on specific hardware and software versions.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Understanding EAFs
EAFs are configured primarily for false positive tuning. An EAF makes it possible for a particular
signature to skip specified actions for a subset of traffic while still taking them for all other traffic.
EAFs are useful in situations where it is required to satisfy multiple conditions, such as:
• Signature x does not take actions y for a desired subnet of traffic.
• Signature x takes actions y for all other traffic.
EAFs are useful in dealing with the benign triggering of a signature.
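As an added illustration (not Cisco's code, and not how IDM/IME implement the feature internally), the following Python model shows the EAF semantics described above: a filter matches on signature ID and optional attacker/victim address ranges, subtracts the actions it lists, and leaves every other event with the signature's full action set. The signature ID, subnets and action names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Event:
    """An alert as the sensor sees it before event action rules are applied."""
    sig_id: int
    attacker: str
    victim: str
    actions: FrozenSet[str]  # actions the signature is configured to take


@dataclass
class EventActionFilter:
    """One EAF entry: which events it matches and which actions it subtracts."""
    name: str
    sig_ids: Set[int]
    actions_to_remove: Set[str]
    attacker_nets: List[str] = field(default_factory=list)  # empty = any attacker
    victim_nets: List[str] = field(default_factory=list)    # empty = any victim
    enabled: bool = True

    def matches(self, ev: Event) -> bool:
        if not self.enabled or ev.sig_id not in self.sig_ids:
            return False
        return _in_nets(ev.attacker, self.attacker_nets) and _in_nets(ev.victim, self.victim_nets)


def _in_nets(addr: str, nets: List[str]) -> bool:
    """True when addr falls inside any listed network (or no networks are listed)."""
    if not nets:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def remaining_actions(ev: Event, filters: List[EventActionFilter]) -> FrozenSet[str]:
    """Subtract the actions of every matching enabled filter; what is left is executed."""
    removed: Set[str] = set()
    for f in filters:
        if f.matches(ev):
            removed |= f.actions_to_remove
    return ev.actions - removed


# Constructed sample: signature 12345 fires on a known-benign scanner subnet, so the
# alert is suppressed for that subnet only; a disabled filter must have no effect.
FILTERS = [
    EventActionFilter("benign-scanner", {12345}, {"produce-alert"}, attacker_nets=["10.1.1.0/24"]),
    EventActionFilter("disabled-test", {12345}, {"deny-packet-inline"}, enabled=False),
]
SIG_ACTIONS = frozenset({"produce-alert", "deny-packet-inline"})
BENIGN = Event(12345, "10.1.1.5", "192.0.2.10", SIG_ACTIONS)
OTHER = Event(12345, "198.51.100.7", "192.0.2.10", SIG_ACTIONS)

if __name__ == "__main__":
    print(sorted(remaining_actions(BENIGN, FILTERS)))  # ['deny-packet-inline']
    print(sorted(remaining_actions(OTHER, FILTERS)))   # ['deny-packet-inline', 'produce-alert']
```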