By default, the sensor has deny packet inline for RR range of 90-100. I
configured RR range of 70-100 for deny packet inline
If you look below, the risk rating range for deny packet is inline is 70 -
100 now. It overwritten 90-100 which means only one RR range can be
configured for an action.
sensor(config-eve)# sh settings
variables (min: 0, max: 256, current: 0)
------------------------------
-----------------
-----------------------------------------------
overrides (min: 0, max: 15, current: 2)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline
-----------------------------------------------
override-item-status: Enabled default: Enabled
risk-rating-range: 70-100 default: 90-100
With regards
Kings
On Tue, Apr 26, 2011 at 9:12 PM, Piotr Matusiak <[email protected]> wrote:
> Yes, I'm using 6.1
>
>
> 2011/4/26 Kingsley Charles <[email protected]>
>
>> Piotr
>>
>> It's not possible in 6.1. But, I guess it should work 7.0. Are you using
>> 6.1?
>>
>>
>> With regards
>> Kings
>>
>>
>> On Tue, Apr 26, 2011 at 8:11 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Why not? I think it is possible to configure the same action on different
>>> RRs.
>>> What's the problem here?
>>>
>>>
>>>
>>> 2011/4/26 Kingsley Charles <[email protected]>
>>>
>>>> Hi all
>>>>
>>>> When configuring Event Action Overrides, it seems that the "action" can
>>>> be associated to only one range of risk rating. In the following example, I
>>>> have configured RR range 70-100 for packet inline.
>>>>
>>>> Does that mean, I can't configure "deny packet inline" for other RR
>>>> ranges. This doesn't make sense to me.
>>>>
>>>>
>>>> sensor(config-eve)# sh settings
>>>> variables (min: 0, max: 256, current: 0)
>>>> -----------------------------------------------
>>>> -----------------------------------------------
>>>> overrides (min: 0, max: 15, current: 2)
>>>> -----------------------------------------------
>>>> <protected entry>
>>>> action-to-add: deny-packet-inline
>>>> -----------------------------------------------
>>>> override-item-status: Enabled default: Enabled
>>>> risk-rating-range: 70-100 default: 90-100
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
