Configuring general settings for user-defined events

Use the general settings area of the User Defined Events page for the Network IPS appliance to configure unique characteristics for your user-defined events.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Advanced IPS > User Defined Events

Navigating in the SiteProtector™ system: select the User Defined Events policy

Procedure

  1. Click the Add icon.
  2. Configure the following options (Option: Description):
    Enabled: Enables user-defined events.
    Name: Specifies a unique descriptive name.
    Protection Domain: Applies a protection domain to one event.
      Notes:
      • You can apply only one event to one domain at a time.
      • If you do not configure (or do not use) protection domains, the protection domain is displayed as "Global" in the list.
      Tips:
      • To configure this event for another domain, copy and rename the event, and then assign it to the other domain.
      • If the protection domain that you want is not displayed in the list, you can configure protection domains in Secure Protection Settings > Advanced IPS > Protection Domains.
    Comment: Specifies a unique description.
    Severity: Specifies a severity level for the event: high, medium, or low.
    Context: Specifies the type and part of the network packet that the appliance scans.
      Note: For more information, see User-defined event contexts.
    Search String: Specifies the text string in the packet (context) that determines whether an event matches this signature.
      Note: You can use wildcards and other expressions in strings. You must follow standard POSIX regular expression syntax. For example, a period is a wildcard character that matches any character, so any periods in a DNS name search must be escaped. For more information, see User-defined events and regular expressions.
      Example:
        Incorrect format: pam.userdefined.URL_Data.1000035=www.ibm.com
        Correct format: pam.userdefined.URL_Data.1000035=www\.ibm\.com
    Event Throttling: Sets a time window (in seconds) during which multiple events are reported only once.
      Tip: Use this feature to prevent your console from being overrun with duplicate events that potentially mask a more dangerous event.
      Note: The default value is zero, which disables event throttling.
    Display: Specifies how you want to display the event in the management console:
      • No Display: Does not display the detected event.
      • WithoutRaw: Logs a summary of the event.
      • WithRaw: Logs a summary and the associated packet capture.
    Block: Blocks the attack by dropping packets and sending resets to TCP connections.
    Log Evidence: Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
      • None: The appliance captures no traffic.
      • Offending Packet: The appliance captures the suspicious traffic.
      • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
      • Interface: The appliance captures all traffic that passes through the specified interfaces.
      • All Interfaces: The appliance captures all traffic that passes through all interfaces.
      Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
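The following added example (not part of the IBM documentation, and not appliance code) shows why the Search String note matters: an unescaped period in a DNS name matches any character, so the "incorrect format" signature fires on contexts that do not contain the host name at all, while the escaped form matches only the literal string. Python's `re` module is used here as a stand-in for the appliance's POSIX regular expression engine (an assumption; the escaping rule for the period is the same in both), and the sample URL_Data contexts are constructed for the demonstration.

```python
import re

# Constructed sample URL_Data contexts (not from the original page).
SAMPLE_CONTEXTS = [
    "www.ibm.com",          # literal host name: both patterns should match
    "wwwXibmYcom",          # periods replaced by other characters: wildcard '.' still matches
    "www-ibm-com.example",  # hyphens instead of periods: wildcard '.' still matches
    "www.example.com",      # unrelated host: neither pattern should match
]

# The two search strings from the page's example, as raw strings.
UNESCAPED = r"www.ibm.com"    # incorrect: each '.' is a wildcard
ESCAPED = r"www\.ibm\.com"    # correct: each '\.' is a literal period


def matches(pattern, contexts):
    """Return the contexts in which the pattern is found.

    A search (not a full match) is used, because a search string is looked
    for anywhere inside the scanned part of the packet.
    """
    rx = re.compile(pattern)
    return [c for c in contexts if rx.search(c)]


def false_positives(pattern, literal, contexts):
    """Contexts the pattern matches even though the literal text is absent."""
    return [c for c in matches(pattern, contexts) if literal not in c]


def literal_search_string(host):
    """Escape a host name so that every period is matched literally.

    re.escape() escapes '.' and other metacharacters; for a plain DNS name
    the result is the 'correct format' the page shows.
    """
    return re.escape(host)


def render_line(context, event_id, pattern):
    """Render a pam.userdefined line in the format shown on the page."""
    return f"pam.userdefined.{context}.{event_id}={pattern}"


if __name__ == "__main__":
    print("unescaped matches :", matches(UNESCAPED, SAMPLE_CONTEXTS))
    print("escaped matches   :", matches(ESCAPED, SAMPLE_CONTEXTS))
    print("false positives   :", false_positives(UNESCAPED, "www.ibm.com", SAMPLE_CONTEXTS))
    print(render_line("URL_Data", 1000035, literal_search_string("www.ibm.com")))
```

Running the block shows three matches for the unescaped pattern (two of them false positives) and exactly one for the escaped pattern; `literal_search_string` reproduces the page's correct format for the 1000035 example.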
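A second added example (again not the page's or the appliance's own code) illustrates the Event Throttling semantics described above: within a window of N seconds, repeated reports of the same event are collapsed into one, and a window of zero (the default) reports every occurrence. The event stream and the per-event-name window bookkeeping are constructed assumptions for the demonstration; the appliance's internal implementation is not described on the page.

```python
# Constructed event stream: (timestamp in seconds, event name). Not from the page.
EVENTS = [
    (0, "scan"), (1, "scan"), (2, "scan"), (3, "scan"), (4, "scan"),
    (5, "exploit"),            # a different, more serious event inside the burst
    (65, "scan"), (70, "scan"),
]


def throttle(events, window_seconds):
    """Return the events that would be reported under the given throttle window.

    window_seconds == 0 disables throttling (every event is reported).
    Otherwise, an event name is reported once, and further reports of the same
    name are suppressed until window_seconds have elapsed since that report.
    """
    if window_seconds == 0:
        return list(events)
    reported = []
    last_reported = {}  # event name -> timestamp of its last reported occurrence
    for ts, name in events:
        last = last_reported.get(name)
        if last is None or ts - last >= window_seconds:
            last_reported[name] = ts
            reported.append((ts, name))
    return reported


def suppressed_count(events, window_seconds):
    """Number of duplicate events the console did not have to show."""
    return len(events) - len(throttle(events, window_seconds))


if __name__ == "__main__":
    for window in (0, 60):
        print(f"window={window}s -> reported {throttle(EVENTS, window)}, "
              f"suppressed {suppressed_count(EVENTS, window)}")
```

With a 60-second window the five-event scan burst is reported once, the exploit event in the middle of the burst is still reported (throttling is per event, so it is not masked), and the scan at 65 seconds starts a new window that suppresses the one at 70 seconds.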

What to do next

On the Add User Defined Events window, configure responses that instruct the appliance how to notify you about user-defined events.