User Guide for Cisco Security Manager 4.4
Chapter 39 Configuring Event Action Rules
Configuring Settings for Event Actions
Use the Event Actions Settings policy to configure general settings that apply globally to event action
rules. The defaults for these options are appropriate for most situations, so change them only if you are
certain that your situation requires non-default behavior.
To configure the Event Actions Settings policy, do one of the following:
• (Device view) Select IPS > Event Actions > Settings from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Settings, then
select an existing policy or create a new one.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Event Actions > Event Action
Settings, then select an existing policy or create a new one.
The following table describes the options you can configure. Note that the options available for Cisco
IOS IPS devices are more limited than those available for IPS appliances and service modules.
Tip: Do not disable the Summarizer or Meta Event Generator except for troubleshooting purposes. If you
disable the Summarizer, every signature is set to Fire All with no summarization. If you disable the Meta
Event Generator, all Meta engine signatures are disabled.
Table 39-7 OS Map Dialog Box (Continued)
Element Description
OS Type
The operating system running on the identified hosts. Select the most
appropriate option from the list. You can select multiple options (using
Ctrl+click) to indicate that there is more than one possible OS.
Tip: Because these mappings take precedence over learned
mappings, you probably are better off not assigning General
OS, Other, or Unknown OS. The sensor might be able to learn
the actual OS through passive OS fingerprinting and provide a
better matching. For more information, see Understanding
Passive OS Fingerprinting, page 39-17.
Table 39-8 Event Actions Settings Policy
Element Description
Enable Event Action
(All device types.)
When selected, enables override rules as defined on the Event Action
Overrides page. You can add an event action override to add actions to
an event based on specific details about that event. To configure
override rules, see Configuring Event Action Overrides, page 39-13.
Enable Event Action Filters
(All device types.)
When selected, enables the filter rules as defined on the Event Action
Filters page. You can configure event action filters to remove specific
actions from an event or to discard an entire event and prevent further
processing by the sensor. To configure event action filter rules, see
Configuring Event Action Filters, page 39-4.