Use the general settings area of the User Defined Events page to configure unique characteristics for your user-defined events.
Navigating in the IPS Local Management Interface: Secure Protection Settings > Advanced IPS > User Defined Events
Navigating in SiteProtector™ Management: select the User Defined Events policy
Option | Description |
---|---|
Enabled | Enables user-defined events. |
Name | Specifies a unique descriptive name. |
Protection Domain | Applies a protection domain to one event. Notes: Tips: |
Comment | Specifies a unique description. |
Severity | Specifies a severity level for the event: low, medium, or high. |
Context | Specifies the type and part of the network packet that the appliance scans. Note: For more information, see User-defined event contexts. |
Search String | Specifies the text string in the packet (context) that determines whether an event matches this signature. Note: You can use wildcards and other expressions in strings. You must follow standard POSIX regular expression syntax. For example, a period is a wildcard character that matches any character, and any periods in a DNS name search must be escaped. For more information, see User-defined events and regular expressions. Example: |
Event Throttling | Sets a time window (in seconds) during which multiple events are reported only once. Tip: Use this feature to prevent your console from being overrun with duplicate events that potentially mask a more dangerous event. Note: The default value is 0 (zero), which disables event throttling. |
Display | Specifies how you want to display the event in the management console: |
Block | Blocks the attack by dropping packets and sending resets to TCP connections. |
Log Evidence | Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence. Note: Connection, Interface, and All Interfaces are not available for the SNORT feature. |
On the Add User Defined Events window, you can configure how the appliance notifies you about user-defined events by setting responses.
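
The Search String note about escaping periods in a DNS name can be checked before a signature is deployed. The following is an added example, not part of the product documentation: it uses `grep -E` (POSIX extended regular expressions) as a stand-in for the appliance's matcher, and the function names and the sample DNS names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: grep -E (POSIX ERE) stands in for the appliance's matcher.

# Constructed sample DNS names (example data, not captured traffic).
sample_names() {
cat <<'EOF'
updates.example.com
updatesXexample.com
updates-example-com.example.net
updates.example.com.example.net
updates.exampleZcom
EOF
}

# Escape POSIX ERE metacharacters so a literal name matches only itself.
escape_ere() {
    printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# Count the sample names that a search string matches.
count_matches() {
    sample_names | grep -E -c -- "$1" || true
}

# List names matched only because a metacharacter was left unescaped.
overmatches() {
    sample_names | grep -E -- "$1" | grep -E -v -- "$(escape_ere "$1")" || true
}

name='updates.example.com'
printf 'raw     %-24s matches %s names\n' "$name" "$(count_matches "$name")"
printf 'escaped %-24s matches %s names\n' "$(escape_ere "$name")" \
    "$(count_matches "$(escape_ere "$name")")"
printf 'over-matched by the raw string:\n'
overmatches "$name" | sed 's/^/  /'
```

With `grep`, the escaped string still matches `updates.example.com.example.net`, because the expression is unanchored and matches anywhere in the name.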