Use the general settings area on the Response Filters tab to configure attributes such as protection domain, event name, severity, virtual LAN, and event throttling.
About this task
Navigating in the IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the Response Filters policy
Procedure
- Click the Add icon.
- Configure the following options:
Option | Description
--- | ---
Enabled | Enables response filters.
Protection Domain | Specifies the protection domain for the response filter.
Event Name | Displays a truncated event name. Click the ellipsis to show events. You can add multiple events at one time; use the filter settings to sort through the list. Note: In some policies, you can apply the policy to events detected by X-Force®. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID numbers. Click the IssueID for details. If these events are triggered on the appliance, you can view the events in and in .
Comment | Specifies a unique description for the event filter or set of filters.
Severity | Specifies a severity level to filter by: high, medium, or low.
Interface | Specifies the appliance ports or interfaces where you want to apply the response filter. Note: Not all interfaces are available on every appliance. The appliance ignores port configurations that do not apply to the appliance model.
VLAN | Specifies the range of virtual LAN tags where you want to apply the response filter.
Event Throttling | Sets a time window (in seconds) during which multiple matching events are reported once. Tip: Use this feature to prevent your console from being overrun with duplicate events that could mask a more dangerous event. Note: The default value is 0 (zero), which disables event throttling.
ICMP Version | Specifies ICMP or ICMPv6 types or codes for either side of the packet. Note: Click the applicable Well Known option to select often-used types and codes.
Ignore Events | Ignores events that match the criteria you set in this filter.
Display | Specifies how the event is displayed in the management console: No Display (does not display the detected event); Without Raw (logs a summary of the event); With Raw (logs a summary and the associated packet capture).
Block | Blocks an attack by dropping packets and sending resets to TCP connections.
Log Evidence | Determines the type of packet capture to record when suspicious traffic triggers events. The appliance writes the log files to the /var/iss/ directory. You can retrieve log evidence files from . None (the appliance captures no traffic); Offending Packet (the appliance captures the suspicious traffic); Connection (the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID); Interface (the appliance captures all traffic that passes through the specified interfaces); All Interfaces (the appliance captures all traffic that passes through all interfaces). Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
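The Event Throttling option above collapses repeated matching events into one report per window, with 0 disabling the feature. The following added example (not IBM's code) simulates that behaviour over a constructed burst of events; it assumes the appliance groups duplicates by event name plus source and destination address, which the page does not state.

```python
"""Simulation of the Event Throttling window described on this page.
Within a window of N seconds, events matching the same filter key are
reported once; a window of 0 disables throttling. Added example, not
product code; the grouping key is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since epoch (constructed sample values)
    name: str   # detected event name (constructed, not real signature names)
    src: str    # source address
    dst: str    # destination address


def throttle(events, window_seconds):
    """Return (reported, suppressed).

    reported:   events that would reach the console, in time order.
    suppressed: per key, how many duplicates the window swallowed.
    """
    window_start = {}   # key -> timestamp of the event that opened the window
    suppressed = {}
    reported = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.name, ev.src, ev.dst)        # assumed grouping key
        if window_seconds <= 0:                # 0 disables throttling
            reported.append(ev)
            continue
        opened = window_start.get(key)
        if opened is None or ev.ts - opened >= window_seconds:
            window_start[key] = ev.ts          # first event opens a new window
            reported.append(ev)
        else:
            suppressed[key] = suppressed.get(key, 0) + 1
    return reported, suppressed


# Constructed sample: a noisy probe repeats around a single rarer event.
SAMPLE = [
    Event(0.0, "Noisy_Probe", "10.0.0.5", "192.0.2.10"),
    Event(1.0, "Noisy_Probe", "10.0.0.5", "192.0.2.10"),
    Event(2.5, "Rare_Critical_Event", "10.0.0.5", "192.0.2.10"),
    Event(3.0, "Noisy_Probe", "10.0.0.5", "192.0.2.10"),
    Event(35.0, "Noisy_Probe", "10.0.0.5", "192.0.2.10"),
]


def demo(window_seconds=30):
    """Names of reported events and the suppression counts for a window."""
    reported, suppressed = throttle(SAMPLE, window_seconds)
    return [e.name for e in reported], suppressed
```

With a 30-second window the three extra probes collapse to two reports while the different event still surfaces; with a window of 0 all five events are reported.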
What to do next
On the Add Response Filters window, you can specify IP address and port settings for IPv4 and IPv6 networks, and you can enable responses.