Configuring general settings for response filters

Use the general settings area of the Response Filters page for the Network IPS appliance to configure attributes such as protection domain, event name, severity, virtual LAN, and event throttling.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Response Tuning > Response Filters

Navigating in the SiteProtector™ system: select the Response Filters policy

Procedure

  1. Click the Add icon.
  2. Configure the following options:
    Enabled: Enables the response filter.
    Protection Domain: Specifies the protection domain for the response filter.
    Event Name: Displays a truncated event name.
    • Click the ellipsis to show events.
    • You can add multiple events at one time. Use the filter settings to sort through the list.
    Note: In some policies, you can apply the policy to events detected by X-Force®. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID numbers. Click the IssueID for details. If these events are triggered on the appliance, you can view them in Monitor Health and Statistics > Security and in Review Analysis and Diagnostics > Logs > Security Alerts.
    Comment: Specifies a unique description for the event filter or set of filters.
    Severity: Specifies the severity level to filter by: high, medium, or low.
    Interface: Specifies the appliance ports or interfaces where you want to apply the response filter.
    Note: Not all interfaces are available on every appliance. The appliance ignores port configurations that do not apply to the appliance model.
    VLAN: Specifies the range of virtual LAN tags where you want to apply the response filter.
    Event Throttling: Sets a time window (in seconds) during which multiple matching events are reported once.
    Tip: Use this feature to prevent your console from being overrun with duplicate events that could mask a more dangerous event.
    Note: The default value is zero, which disables event throttling.
    ICMP Version: Specifies ICMP or ICMPv6 types or codes for either side of the packet.
    Note: Click the applicable Well Known option to select often-used types and codes.
    Ignore Events: Ignores events that match the criteria you set for this filter.
    Display: Specifies how the event is displayed in the management console:
    • No Display: Does not display the detected event.
    • Without Raw: Logs a summary of the event.
    • With Raw: Logs a summary of the event and the associated packet capture.
    Block: Blocks an attack by dropping packets and sending resets to TCP connections.
    Log Evidence: Determines the type of packet to capture when suspicious traffic triggers events. The appliance writes log evidence files to the /var/iss/ directory. You can retrieve them from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
    • None: The appliance captures no traffic.
    • Offending Packet: The appliance captures only the suspicious traffic.
    • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
    • Interface: The appliance captures all traffic that passes through the specified interfaces.
    • All Interfaces: The appliance captures all traffic that passes through all interfaces.
    Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
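The Event Throttling setting above collapses repeated events inside a time window so that a burst of duplicates does not bury a single, more serious event. The following is an added example, not code from the IBM documentation or the appliance itself: it models that behaviour over a constructed batch of events. The event record layout (timestamp, event name, source, destination), the choice of (event name, source, destination) as the deduplication key, and the rule that the first event in a window is reported with a count of the duplicates it absorbed are all assumptions made for illustration; a window of zero reports every event, matching the documented default.

```python
"""Model of per-filter event throttling (added example, not the appliance's code).

Assumptions (not from the product documentation):
  - an event is identified by (name, src, dst); the timestamp is in seconds
  - the first event of a key opens a window; later matches inside the window
    are folded into that report as a duplicate count
  - window_seconds == 0 disables throttling, as the documented default does
"""
from collections import namedtuple

Event = namedtuple("Event", "ts name src dst")

# Constructed sample: a burst of the same probe signature, one different and
# more serious event in the middle of the burst, and a late repeat of the probe
# after the 60-second window has elapsed.
SAMPLE_EVENTS = [
    Event(0, "HTTP_Probe", "10.0.0.5", "192.0.2.10"),
    Event(2, "HTTP_Probe", "10.0.0.5", "192.0.2.10"),
    Event(4, "HTTP_Probe", "10.0.0.5", "192.0.2.10"),
    Event(5, "HTTP_Exploit_Attempt", "10.0.0.5", "192.0.2.10"),
    Event(6, "HTTP_Probe", "10.0.0.5", "192.0.2.10"),
    Event(9, "HTTP_Probe", "10.0.0.5", "192.0.2.10"),
    Event(70, "HTTP_Probe", "10.0.0.5", "192.0.2.10"),
]


def throttle_key(ev):
    """Events with the same name, source and destination count as duplicates."""
    return (ev.name, ev.src, ev.dst)


def throttle_events(events, window_seconds):
    """Return the events that would be reported to the console.

    Each result is {"event": Event, "duplicates": int}. With window_seconds == 0
    every event is reported and no duplicates are folded.
    """
    if window_seconds < 0:
        raise ValueError("window must be zero (disabled) or a positive number of seconds")

    reported = []
    open_windows = {}  # key -> (window start ts, index into reported)

    for ev in sorted(events, key=lambda e: e.ts):
        if window_seconds == 0:
            reported.append({"event": ev, "duplicates": 0})
            continue

        key = throttle_key(ev)
        window = open_windows.get(key)
        if window is None or ev.ts - window[0] >= window_seconds:
            # First event for this key, or the previous window has expired:
            # open a new window and report the event.
            open_windows[key] = (ev.ts, len(reported))
            reported.append({"event": ev, "duplicates": 0})
        else:
            # Duplicate inside an open window: suppress it but keep the count,
            # so the analyst still sees how large the burst was.
            reported[window[1]]["duplicates"] += 1

    return reported


if __name__ == "__main__":
    for window in (0, 60):
        print(f"window={window}s")
        for item in throttle_events(SAMPLE_EVENTS, window):
            ev = item["event"]
            print(f"  t={ev.ts:>3} {ev.name:<21} {ev.src} -> {ev.dst} "
                  f"(+{item['duplicates']} suppressed)")
```

With a 60-second window the seven sample events become three console entries: the first probe with four duplicates folded in, the exploit attempt on its own line (a different key, so it is never hidden by the probe burst), and the probe that recurs after the window has expired. Setting the window to zero reproduces the documented default and reports all seven.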

What to do next

On the Add Response Filters window, specify the IP address and the port settings for IPv4 and IPv6 networks and enable responses.