About Event Action Variables; Configuring Event Action Variables - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Chapter 6
Configuring Event Action Rules

About Event Action Variables

You can create event action variables and then use those variables in event action filters. When you want
to use the same value within multiple filters, use a variable. When you change the value of the variable,
any filter that uses that variable is updated with the new value.
Note
You must preface the variable with a dollar ($) sign to indicate that you are using a variable rather than
a string.
Some variables cannot be deleted because they are necessary to the signature system. If a variable is
protected, you cannot edit it. You receive an error message if you try to delete protected variables. You
can edit only one variable at a time.
When configuring IP addresses, specify the full IP address or ranges or set of ranges. For example:
    10.90.1.1
    10.89.10.10-10.89.10.23
    10.1.1.1-10.2.255.255, 10.89.10.10-10.89.10.23
Timesaver
For example, if you have an IP address space that applies to your engineering group and there are no
Windows systems in that group, and you are not worried about any Windows-based attacks to that group,
you could set up a variable to be the engineering group's IP address space. You could then use this
variable to configure a filter that would ignore all Windows-based attacks for this group.

Configuring Event Action Variables

Use the variables variable_name address ip_address command in service event action rules submode
to set up event action variables. The IP address can be one address, a range, or ranges separated by a
comma.
To configure event action variables, follow these steps:
Step 1
Log in to the CLI using an account with administrator privileges.
Step 2
Enter event action rules submode:
sensor# configure terminal
sensor(config)# service event-action-rules rules0
Step 3
Create a variable:
sensor(config-rul)# variables variable1 address 10.89.130.108
The valid values for address are A.B.C.D-A.B.C.D [,A.B.C.D-A.B.C.D].
Step 4
Check the variable you just made:
sensor(config-rul)# show settings
variables (min: 0, max: 256, current: 2)
-----------------------------------------------
variableName: variable1

78-16527-01
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
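Because a variable used in an ignore filter suppresses alerts for every address it covers, it is worth checking a value before entering it on the sensor. The following Python sketch is an added example, not part of the Cisco guide: it parses a value in the address format described above (one address, a range, or comma-separated ranges) and reports how many addresses it covers and whether a given host falls inside it. The function names are hypothetical; the sample values are the ones shown on this page.

```python
import ipaddress

def parse_address_value(value):
    """Parse 'A.B.C.D', 'A.B.C.D-A.B.C.D' or a comma-separated list of
    them into a sorted list of (start, end) IPv4Address pairs."""
    ranges = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty entry in %r" % value)
        lo, sep, hi = part.partition("-")
        start = ipaddress.IPv4Address(lo.strip())
        # A single address is treated as a one-address range.
        end = ipaddress.IPv4Address(hi.strip()) if sep else start
        if start > end:
            raise ValueError("range start is above range end: %s" % part)
        ranges.append((start, end))
    return sorted(ranges)

def covered_count(ranges):
    """Number of distinct addresses covered; overlaps are counted once."""
    total, last_end = 0, -1
    for start, end in ranges:          # ranges are sorted by start
        lo = max(int(start), last_end + 1)
        if int(end) >= lo:
            total += int(end) - lo + 1
            last_end = int(end)
    return total

def covers(ranges, ip):
    """True if the host address ip falls inside any of the ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)

if __name__ == "__main__":
    # Sample values taken from the address examples on this page.
    samples = [
        "10.90.1.1",
        "10.89.10.10-10.89.10.23",
        "10.1.1.1-10.2.255.255, 10.89.10.10-10.89.10.23",
    ]
    for value in samples:
        r = parse_address_value(value)
        print("%-50s %7d addresses, covers 10.89.10.15: %s"
              % (value, covered_count(r), covers(r, "10.89.10.15")))
```

A reversed range or a malformed address raises ValueError, so a typo is caught before it reaches a filter.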
