Use the general settings area of the User Defined
Events page to configure unique characteristics for your
user defined events.
About this task
Navigating in IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the User Defined Events policy
Procedure
- Click the Add icon.
- Configure the following options:
  - Enabled: Enables the user defined event.
  - Name: Specifies a unique descriptive name.
  - Protection Domain: Applies a protection domain to one event.
    Tips:
    - To configure this event for another domain, copy and rename the event, and then assign it to the other domain.
    - If the protection domain you want does not appear in the list, you can configure protection domains in .
  - Comment: Specifies a unique description.
  - Severity: Specifies a severity level for the event: low, medium, or high.
  - Context: Specifies the type and part of the network packet that the appliance scans.
  - Search String: Specifies the text string in the packet (context) that determines whether an event matches this signature.
    Note: You can use wildcards and other expressions in strings. You must follow standard POSIX regular expression syntax. For example, a period is a wildcard character that matches any character, so any periods in a DNS name search must be escaped. See User defined events and regular expressions for more information.
    Example:
    - Incorrect: pam.userdefined.URL_Data.1000035=www.ibm.com
    - Correct: pam.userdefined.URL_Data.1000035=www\.ibm\.com
  - Event Throttling: Sets a time window (in seconds) during which multiple events are reported only once.
    Tip: Use this feature to prevent your console from being overrun with duplicate events that could mask a more dangerous event.
    Note: The default value is 0 (zero), which disables event throttling.
  - Display: Specifies how you want to display the event in the management console:
    - No Display: Does not display the detected event.
    - WithoutRaw: Logs a summary of the event.
    - WithRaw: Logs a summary and the associated packet capture.
  - Block: Blocks the attack by dropping packets and sending resets to TCP connections.
  - Log Evidence: Determines the type of packets to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory.
    - None: The appliance captures no traffic.
    - Offending Packet: When an event occurs, the appliance captures the suspicious traffic.
    - Connection: When an event occurs, the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
    - Interface: When an event occurs, the appliance captures all traffic that passes through specified interfaces.
    - All Interfaces: When an event occurs, the appliance captures all traffic that passes through all interfaces.
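As an added example (not part of the IBM documentation), the following Python shows why the periods in the Search String must be escaped, using Python's re module as a stand-in for the appliance's POSIX regex engine, and models the Event Throttling window described above. The throttling semantics (the first event in a window is reported, later ones are suppressed until the window expires; 0 disables throttling) are an assumption about the appliance's behaviour.

```python
import re
from typing import List, Optional

# Constructed sample: the search strings from the page's Incorrect/Correct example.
UNESCAPED = r"www.ibm.com"
ESCAPED = r"www\.ibm\.com"


def escape_literal(text: str) -> str:
    """Return a POSIX-style regex that matches `text` literally.

    Every regex metacharacter, including the period, is backslash-escaped,
    so a DNS name such as www.ibm.com becomes www\\.ibm\\.com.
    """
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", text)


def search_string_matches(pattern: str, context: str) -> bool:
    """True if the search string matches anywhere in the packet context.

    An unescaped period matches any character, so UNESCAPED also matches
    hosts such as wwwXibmYcom; ESCAPED matches only the intended name.
    """
    return re.search(pattern, context) is not None


def throttle(timestamps: List[float], window: int) -> List[float]:
    """Return the event timestamps that would be reported under throttling.

    `window` is the Event Throttling value in seconds. With window == 0
    (the default) throttling is disabled and every event is reported.
    Otherwise the first event opens a window and further events are
    suppressed until `window` seconds have passed (assumed semantics).
    """
    if window == 0:
        return list(timestamps)
    reported: List[float] = []
    window_start: Optional[float] = None
    for t in sorted(timestamps):
        if window_start is None or t - window_start >= window:
            reported.append(t)
            window_start = t
    return reported


if __name__ == "__main__":
    print(escape_literal(UNESCAPED))                              # www\.ibm\.com
    print(search_string_matches(UNESCAPED, "Host: wwwXibmYcom"))  # True (false positive)
    print(search_string_matches(ESCAPED, "Host: wwwXibmYcom"))    # False
    print(throttle([0, 1, 2, 10, 11, 31], 30))                    # [0, 31]
```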
What to do next
On the Add User Defined Events window, you can configure how the appliance notifies you about user defined events by setting responses.