
Cisco Bug: CSCuo74457 - IPS EAF should never remove deny actions from normalizer signatures

Last Modified

Jun 16, 2015

Products (17)

  • Cisco IPS 4200 Series Sensors
  • Cisco ASA 5555-X IPS Security Services Processor
  • Cisco IPS 4255 Sensor
  • Cisco IPS 4260 Sensor
  • Cisco IPS 4270-20 Sensor
  • Cisco IPS 4345 Sensor
  • Cisco IPS 4520 Sensor
  • Cisco ASA 5525-X IPS Security Services Processor
  • Cisco ASA 5545-X IPS Security Services Processor
  • Cisco IPS 4510 Sensor

Known Affected Releases

7.1(8)E4 7.3(2)E4

Description (partial)

TCP traffic streams can be affected if IPS Event Action Filters (EAF) are configured to remove deny actions from IPS normalizer signatures. All traffic over the affected stream stops.

This issue was first found in 7.1(8) and was also seen in 7.2(3).

Such an Event Action Filter can look like this:

actions-to-remove request-block-connection|request-block-host|deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline|deny-packet-inline|deny-connection-inline|reset-tcp-connection|produce-alert|produce-verbose-alert|request-rate-limit|request-snmp-trap
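
An added example (not Cisco code and not part of the original bug entry): a Python check that scans a sensor configuration for event action filters that remove deny actions and whose signature range can include normalizer signatures. The block layout (`filters insert <name> begin` ... `exit` with a `signature-id-range` line), the sample configuration and the `1300-1399` ID range are assumptions; substitute the normalizer signature IDs from your own sensor.

```python
# Deny-type actions named in the actions-to-remove line shown above.
DENY_ACTIONS = {
    "deny-attacker-inline", "deny-attacker-service-pair-inline",
    "deny-attacker-victim-pair-inline", "deny-packet-inline",
    "deny-connection-inline",
}

def parse_ranges(spec):
    """Turn '1300-1399,2000' into [(1300, 1399), (2000, 2000)]."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def overlaps(a, b):
    return any(l1 <= h2 and l2 <= h1 for l1, h1 in a for l2, h2 in b)

def audit_filters(config_text, normalizer_ids):
    """Return {filter name: deny actions removed} for filters that can match
    a normalizer signature. A filter with no signature-id-range line is
    flagged as well, so that it gets reviewed by hand."""
    normalizer = parse_ranges(normalizer_ids)
    findings, name, sig_range, removed = {}, None, None, set()
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "filters" and len(words) >= 3 and words[1] in ("insert", "edit"):
            name, sig_range, removed = words[2], None, set()
        elif name and words[0] == "signature-id-range" and len(words) > 1:
            sig_range = parse_ranges(words[1])
        elif name and words[0] == "actions-to-remove" and len(words) > 1:
            removed = set(words[1].split("|")) & DENY_ACTIONS
        elif name and words[0] == "exit":
            if removed and (sig_range is None or overlaps(sig_range, normalizer)):
                findings[name] = sorted(removed)
            name = None
    return findings

# Constructed sample configuration; filter names and ID ranges are made up.
SAMPLE = """\
filters insert tune-web begin
signature-id-range 5000-5999
actions-to-remove deny-packet-inline|produce-alert
exit
filters insert quiet-all begin
signature-id-range 1000-65000
actions-to-remove deny-packet-inline|deny-connection-inline|reset-tcp-connection
exit
"""
```

Calling `audit_filters(SAMPLE, "1300-1399")` reports only `quiet-all`, the filter whose range covers the placeholder normalizer IDs while removing deny actions.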