Configuring general settings for response filters

Use the general settings area on the Response Filters tab to configure attributes such as protection domain, event name, severity, virtual LAN, and event throttling.

About this task

Navigating in IPS Local Management Interface: Secure Protection Settings > Response Tuning > Response Filters

Navigating in SiteProtector™ Management: select the Response Filters policy

Procedure
  1. Click the Add icon.
  2. Configure the following options:
    Enabled: Enables response filters.
    Protection Domain: Specifies the protection domain for the response filter.
    Event Name: Displays a truncated event name.
      • Click the ellipsis to show events.
      • You can add multiple events at one time. Use the filter settings to sort through the list.
      Note: In some policies, you can apply the policy to events detected by X-Force. In the Event Name list, filter the events using Issue Name, X-Force Assigned Risk, or IssueID numbers. Click the IssueID for details. If these events are triggered on the appliance, see them in Monitor Health and Statistics > Security and in Review Analysis and Diagnostics > Logs > Security Alerts.
    Comment: Specifies a unique description for the event filter or set of filters.
    Severity: Specifies a severity level to filter by: high, medium, or low.
    Interface: Specifies the appliance ports or interfaces where you want to apply the response filter.
      Note: Not all interfaces are available on every appliance. The appliance ignores port configurations that do not apply to the appliance model.
    VLAN: Specifies the range of virtual LAN tags where you want to apply the response filter.
    Event Throttling: Sets a time window (in seconds) during which multiple events are reported once.
      Tip: Use this feature to prevent your console from being overrun with duplicate events that potentially mask a more dangerous event.
      Note: The default value is 0 (zero), which disables event throttling.
    ICMP Version: Specifies ICMP or ICMPv6 types or codes for either side of the packet.
      Note: Click the applicable Well Known option to select often-used types and codes.
    Ignore Events: Ignores events that match the criteria you set for this event.
    Display: Specifies how the event is displayed in the management console:
      • No Display: Does not display the detected event.
      • Without Raw: Logs a summary of the event.
      • With Raw: Logs a summary and the associated packet capture.
    Block: Blocks an attack by dropping packets and sending resets to TCP connections.
    Log Evidence: Determines the type of packets to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory.
      • None: The appliance captures no traffic.
      • Offending Packet: When an event occurs, the appliance captures the suspicious traffic.
      • Connection: When an event occurs, the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
      • Interface: When an event occurs, the appliance captures all traffic that passes through specified interfaces.
      • All Interfaces: When an event occurs, the appliance captures all traffic that passes through all interfaces.
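As an added illustration (not IBM's code), the following Python models how one response filter's criteria and its Event Throttling window apply to a constructed stream of events, showing why a throttle of 0 reports every duplicate while a 60-second window reports a burst once. The field names, the AND-of-criteria match, and the fixed (non-sliding) throttle window are assumptions about the appliance's behaviour, not documented semantics.

```python
from dataclasses import dataclass, field
# Constructed sample events (not appliance output); ts is seconds since start.
SAMPLE_EVENTS = [
    {"ts": 0,  "name": "Sample_Event_A", "severity": "high", "interface": "eth1", "vlan": 100},
    {"ts": 5,  "name": "Sample_Event_A", "severity": "high", "interface": "eth1", "vlan": 100},
    {"ts": 70, "name": "Sample_Event_A", "severity": "high", "interface": "eth1", "vlan": 100},
    {"ts": 8,  "name": "Sample_Event_A", "severity": "high", "interface": "eth3", "vlan": 100},
    {"ts": 9,  "name": "Sample_Event_B", "severity": "low",  "interface": "eth1", "vlan": 300},
]

@dataclass
class ResponseFilter:  # empty criteria match every event (assumed semantics)
    event_names: set = field(default_factory=set)  # selected Event Name entries
    severity: str = ""                             # "high", "medium", "low" or any
    interfaces: set = field(default_factory=set)   # Interface selection
    vlan_range: tuple = ()                         # (low, high) inclusive VLAN tags
    throttle_seconds: int = 0                      # Event Throttling; 0 disables
    ignore: bool = False                           # Ignore Events
    display: str = "Without Raw"                   # Display option
    block: bool = False                            # Block response

    def matches(self, ev):
        if self.event_names and ev["name"] not in self.event_names:
            return False
        if self.severity and ev["severity"] != self.severity:
            return False
        if self.interfaces and ev["interface"] not in self.interfaces:
            return False
        if self.vlan_range and not (self.vlan_range[0] <= ev["vlan"] <= self.vlan_range[1]):
            return False
        return True

def apply_filter(filt, events):
    """Return (event name, disposition) per event in time order. A fixed window
    opens at the first report of an event name; later matches inside it are
    suppressed, so a burst is reported once, and the next match after it reports again."""
    window_start = {}  # event name -> ts of the report that opened its window
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not filt.matches(ev):
            out.append((ev["name"], "unfiltered"))  # filter does not apply
        elif filt.ignore:
            out.append((ev["name"], "ignored"))
        elif (filt.throttle_seconds and ev["name"] in window_start
              and ev["ts"] - window_start[ev["name"]] < filt.throttle_seconds):
            out.append((ev["name"], "throttled"))  # duplicate inside the window
        else:
            window_start[ev["name"]] = ev["ts"]
            out.append((ev["name"], "blocked" if filt.block else filt.display))
    return out
```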

What to do next

On the Add Response Filters window, you can specify IP address and port settings for IPv4 and IPv6 networks and you can enable responses.