Understanding the IPS Event Action Process
The IPS event action rules dictate the actions that the sensor performs when an event occurs. Although each signature is configured with specific actions that should be taken, the actual actions performed also depend on other factors.
Following is the general process that occurs when inspection identifies a signature event:
- A signature alert occurs with the actions specified by the signature. A risk rating for the alert is calculated.
  For a detailed explanation of how the risk rating is calculated, see Calculating the Risk Rating in Installing and Using Cisco Intrusion Prevention System Device Manager 7.0 on Cisco.com.
  You can influence risk ratings by configuring target value ratings and OS mappings; see Configuring IPS Event Action Network Information.
- The Event Action Overrides policy is processed. If the risk rating of the event matches an override rule, the actions identified in the override rule are added to the actions defined in the signature. Overrides never replace the actions specified in the signature.
  For information on configuring overrides, see Configuring Event Action Overrides.
- The Event Action Filters policy is processed. If any filter rules apply to the event, those rules subtract actions from the event. Thus, an action you added in a signature policy or an override rule might be removed by one of your filter rules.
  For information on creating filter rules, see Configuring Event Action Filters.
- Event summarization occurs, unless you turn off the summarization feature as described in Configuring Settings for Event Actions.
- The actions are performed. For an explanation of the possible actions, see Edit, Add, Replace Action Dialog Boxes.
- A list of denied attackers is maintained, and subsequent access from them is prevented, based on configurable settings. To change the default settings, see Configuring Settings for Event Actions.
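The ordering of the first three steps (signature actions, then overrides add, then filters subtract) is what determines the final action set. The following is an added example that models that ordering; it is not code from the Cisco documentation or the IPS itself. The action names follow Cisco IPS naming (produce-alert, deny-packet-inline), while the signature IDs, rating thresholds and rules are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """A signature alert: the signature's own actions plus its computed risk rating."""
    sig_id: int
    risk_rating: int
    actions: frozenset


@dataclass(frozen=True)
class OverrideRule:
    """Event Action Override: adds `action` when the risk rating is in [min_rr, max_rr]."""
    action: str
    min_rr: int
    max_rr: int


@dataclass(frozen=True)
class FilterRule:
    """Event Action Filter: subtracts `actions_to_remove` from matching alerts.
    An empty sig_ids set means the filter applies to every signature."""
    sig_ids: frozenset
    min_rr: int
    max_rr: int
    actions_to_remove: frozenset


def apply_overrides(alert, overrides):
    """Overrides add to the signature's actions; they never replace them."""
    actions = set(alert.actions)
    for rule in overrides:
        if rule.min_rr <= alert.risk_rating <= rule.max_rr:
            actions.add(rule.action)
    return frozenset(actions)


def apply_filters(alert, actions, filters):
    """Filters run after overrides, so they can strip an action an override just added."""
    actions = set(actions)
    for rule in filters:
        sig_match = not rule.sig_ids or alert.sig_id in rule.sig_ids
        if sig_match and rule.min_rr <= alert.risk_rating <= rule.max_rr:
            actions -= rule.actions_to_remove
    return frozenset(actions)


def resolve_actions(alert, overrides, filters):
    """Steps 1-3 of the process: signature actions -> overrides add -> filters subtract."""
    return apply_filters(alert, apply_overrides(alert, overrides), filters)


# Constructed sample policy: one override for high-risk events, one filter for sig 2004.
OVERRIDES = [OverrideRule("deny-packet-inline", 90, 100)]
FILTERS = [FilterRule(frozenset({2004}), 0, 100, frozenset({"deny-packet-inline"}))]
# Two constructed alerts with the same risk rating; only sig 2004 is covered by the filter.
ALERT_FILTERED = Alert(2004, 95, frozenset({"produce-alert"}))
ALERT_UNFILTERED = Alert(3050, 95, frozenset({"produce-alert"}))
```

For sig 2004 the override adds deny-packet-inline and the filter removes it again, leaving only produce-alert; for sig 3050 no filter applies, so both actions are performed.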