Use the general settings area in Connection Events to
specify basic event parameters, such as names, severity levels, and
block and logging actions.
About this task
Navigating in IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the Connection Events policy
Procedure
- Click the Add icon.
- Set the following general settings:
Option | Description
Enabled | Notifies you about connection events.
Event | Specifies a unique name for the event. Note: If you are editing a predefined event, the name appears here as read-only.
Comment | Describes the event.
Severity | Specifies a severity level for the event: high, medium, or low.
Event Throttling | Sets a time window (in seconds) during which multiple events are reported only once. Tip: Use this feature to prevent your console from being overrun with duplicate events that could potentially mask a more dangerous event. Note: The default value is 0 (zero), which disables event throttling.
Protocol | Specifies the protocol for the event. Note: If you select ICMP or ICMPv6, type the appropriate types or codes, or click Well Known to select often-used types and codes.
Display | Defines how you want to display the event in the management console:
  - None: does not display the detected event.
  - Without Raw: logs a summary of the event.
  - With Raw: logs a summary and the associated packet capture.
Block | Blocks the attack by dropping packets and sending resets to TCP connections.
Log Evidence | Determines the type of packets to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory.
  - None: The appliance captures no traffic.
  - Offending Packet: When an event occurs, the appliance captures the suspicious traffic.
  - Connection: When an event occurs, the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
  - Interface: When an event occurs, the appliance captures all traffic that passes through specified interfaces.
  - All Interfaces: When an event occurs, the appliance captures all traffic that passes through all interfaces.
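An added illustration of the Event Throttling option described above (not the appliance's code and not from this page): a small Python model in which each event is reported once per time window and a window of 0 disables throttling. Keying duplicates on the event name, starting the window at the first reported event, and the sample event names are assumptions made for the example.

```python
from collections import defaultdict


class EventThrottle:
    """Illustrative model: report each event name at most once per window."""

    def __init__(self, window_seconds=0):
        if window_seconds < 0:
            raise ValueError("window must be >= 0 seconds")
        self.window = window_seconds        # 0 disables throttling (the default)
        self.window_start = {}              # event name -> time of last reported event
        self.suppressed = defaultdict(int)  # event name -> duplicates not reported

    def should_report(self, name, ts):
        if self.window == 0:
            return True
        start = self.window_start.get(name)
        if start is not None and ts - start < self.window:
            self.suppressed[name] += 1      # duplicate inside the open window
            return False
        self.window_start[name] = ts        # first event, or the window has expired
        return True


def replay(events, window_seconds):
    """Return (reported events, suppressed counts) for a list of (ts, name)."""
    throttle = EventThrottle(window_seconds)
    reported = [(ts, name) for ts, name in events
                if throttle.should_report(name, ts)]
    return reported, dict(throttle.suppressed)


# Constructed sample: a noisy event every 2 s for one minute, plus a single
# different event at t=31 s that is easy to miss among the duplicates.
SAMPLE = sorted([(t, "Conn_Noisy") for t in range(0, 60, 2)]
                + [(31, "Conn_Rare")])

if __name__ == "__main__":
    for window in (0, 30):
        reported, suppressed = replay(SAMPLE, window)
        print(f"window={window}s reported={len(reported)} "
              f"suppressed={suppressed}")
        if window:
            print("  console shows:", reported)
```

With the window at 0 all 31 sample events reach the console; at 30 seconds only three do, and the single rare event is no longer buried among duplicates.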
What to do next
On the Add Connection Events window, you can specify IP addresses and port settings for IPv4 and IPv6 networks, and you can enable responses for events.