This document describes the steps required to tune the Intrusion Prevention
System (IPS) for false positive prevention using IPS Device Manager (IDM) or
IPS Manager Express (IME). False positive tuning on the IPS is achieved with a
feature called Event Action Filter (EAF).
Readers of this document should have knowledge of the Cisco IPS.
The information in this document is not based on specific hardware and
For more information on document conventions, refer to
Technical Tips Conventions.
EAFs are configured primarily for false positive tuning. An EAF lets you
prevent a particular signature from taking some or all of its actions for a
defined subset of traffic.
EAFs are useful in situations where it is required to satisfy multiple
conditions, such as:
EAFs are useful in dealing with the benign triggering of a
Example: False Positive Event: Signature 1300 triggers
for traffic coming from and going to known trusted hosts.
Note: This is an example for demonstration purposes only. If you are
unsure whether a particular signature trigger is benign or not,
contact Cisco Technical Support for further analysis.
Note: Refer to
Intrusion Prevention System Signatures for additional information
regarding IPS signatures.
Complete these steps:
1. Check the default actions for the signature (1300, in this example)
   for which the EAF needs to be configured.
   The default actions of signature 1300 include Produce
   Alert and Deny Connection Inline.
2. Identify the hosts for which this signature should not fire. For
   example, you do not want the signature to fire for traffic
   coming from a trusted subnet, such as 10.1.1.1-10.1.1.254.
3. Create an EAF for the criteria described in Step 2:
   a. From IDM/IME, go to Configuration >
      Policies > IPS Policies. Click the
      Event Action Filters tab. Under this tab, click
      This window is displayed:
   b. Configure the various fields such as Name,
      Signature ID, Attacker IP,
   c. Click the icon to the right of the Actions to
      Subtract field in order to open the Edit Actions dialog box.
      In this window, you can specify the signature actions you do
      not want the IPS to execute.
      Note: In order to correctly select the signature actions you want to
      subtract, you need to understand the default signature actions as described in
      In this example, we chose Produce Alert and
      Deny Connection Inline.
      The IPS will not take these actions if signature 1300
      triggers for traffic coming from 10.1.1.1-10.1.1.254.
      For all other traffic, the default signature actions of
      Produce Alert and Deny Connection Inline will
      After you choose Produce Alert and Deny Packet Inline, you will see
      these actions populate at the bottom of the EAF
   d. Click OK, and then Apply in order
      to save the changes.
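The following Python model illustrates the semantics the steps above configure: an EAF matches on signature ID and attacker address and subtracts the listed actions from the signature's defaults, while all other traffic keeps the default actions. This is an added example, not Cisco code and not how the sensor is implemented; the field names, the ordered-evaluation and stop-on-match behaviour, the second signature (2004) and the sample events are constructed assumptions for demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of per-signature default actions. The page states that
# signature 1300 defaults to Produce Alert and Deny Connection Inline; signature
# 2004 and its single default action are an assumption added for contrast.
DEFAULT_ACTIONS = {
    1300: frozenset({"produce-alert", "deny-connection-inline"}),
    2004: frozenset({"produce-alert"}),
}


def parse_ip_range(spec):
    """Return (first, last) addresses for 'a.b.c.d', 'a.b.c.d-w.x.y.z' or CIDR."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        first = last = ipaddress.ip_address(spec)
    if first > last:
        raise ValueError(f"range is reversed: {spec}")
    return first, last


def parse_sig_range(spec):
    """Return (low, high) signature IDs for '1300' or '1300-1305'."""
    parts = [int(p) for p in str(spec).split("-", 1)]
    return parts[0], parts[-1]


@dataclass
class EventActionFilter:
    """Hypothetical model of the fields filled in on the EAF window."""
    name: str
    signature_ids: str            # e.g. "1300" or "1300-1305"
    attacker_ip: str              # e.g. "10.1.1.1-10.1.1.254"
    actions_to_subtract: frozenset
    enabled: bool = True
    stop_on_match: bool = False   # assumed: skip later filters once this one matches

    def matches(self, sig_id, attacker_ip):
        low, high = parse_sig_range(self.signature_ids)
        if not low <= sig_id <= high:
            return False
        first, last = parse_ip_range(self.attacker_ip)
        return first <= ipaddress.ip_address(attacker_ip) <= last


def resulting_actions(sig_id, attacker_ip, filters, defaults=DEFAULT_ACTIONS):
    """Start from the signature's default actions and subtract the actions of
    every enabled filter that matches, in list order."""
    actions = set(defaults.get(sig_id, ()))
    for f in filters:
        if not f.enabled or not f.matches(sig_id, attacker_ip):
            continue
        actions -= f.actions_to_subtract
        if f.stop_on_match:
            break
    return frozenset(actions)


# Constructed filter mirroring the page's scenario: signature 1300, trusted
# subnet 10.1.1.1-10.1.1.254, both default actions subtracted.
TRUSTED_SUBNET_FILTER = EventActionFilter(
    name="sig1300-trusted-hosts",
    signature_ids="1300",
    attacker_ip="10.1.1.1-10.1.1.254",
    actions_to_subtract=frozenset({"produce-alert", "deny-connection-inline"}),
)
FILTERS = [TRUSTED_SUBNET_FILTER]


def tuning_report(events, filters=FILTERS):
    """Return (sig_id, attacker, resulting actions) for constructed events."""
    return [(s, a, resulting_actions(s, a, filters)) for s, a in events]


if __name__ == "__main__":
    # Constructed events: trusted host, host just outside the range,
    # untrusted host, and a different signature from a trusted host.
    sample_events = [(1300, "10.1.1.50"), (1300, "10.1.1.255"),
                     (1300, "192.0.2.7"), (2004, "10.1.1.50")]
    for sig, src, acts in tuning_report(sample_events):
        print(f"sig {sig} from {src}: {sorted(acts) or 'no actions (filtered)'}")
```

A practical point the model makes visible: subtracting only Deny Connection Inline while leaving Produce Alert keeps an audit trail of the benign triggers, whereas subtracting both actions silences the event entirely for that subnet. Also note that 10.1.1.255 falls outside the 10.1.1.1-10.1.1.254 range and therefore keeps the default actions, so the address range should be chosen deliberately rather than assumed to cover the whole /24.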
To configure an Event Action Filter from the CLI, refer to the IPS
Command Line Interface section on the
Guides page. From the appropriate Configuration Guide, click
Configuring Event Action Rules, and search for "Configuring
Event Action Filters".