Configuring general settings for security events

Use the general settings area of the Security Events page for the Network IPS appliance to enable security events, apply protection domains, and set how event information is displayed.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Advanced IPS > Security Events

Navigating in the SiteProtector™ system: select the Security Events policy

Procedure

  1. Click the Add icon.
  2. Configure the following options:

     Enabled
        Enables the event as part of your security policy.

     Protection Domain
        Applies a protection domain to one event.
        Notes:
        • You can apply only one event to one domain at a time.
        • If you do not configure (or do not use) protection domains, the protection domain is displayed as "Global" in the list.
        Tips:
        • To configure this event for another domain, copy and rename the event, and then assign it to the other domain.
        • If the protection domain you want does not appear in the list, you can configure protection domains in Secure Protection Settings > Advanced IPS > Protection Domains.

     Attack/Audit
        Specifies whether the event is an attack or an audit:
        • Audit: Events that match network traffic that seeks information about your network.
        • Attack: Events that match network traffic that seeks to harm your network.
        Note: This area is unavailable when you are creating a custom event.

     Event Name
        Specifies a truncated name for the event. You can click the ellipsis button to choose from a list of names.
        Note: If you are editing an existing event, the event name is displayed. Click Signature Information to view a brief description of the event.
        Note: In some policies, you can apply the policy to events detected by X-Force®. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID number. Click the IssueID for details. If these events are triggered on the appliance, you can view them in Monitor Health and Statistics > Security and in Review Analysis and Diagnostics > Logs > Security Alerts.

     Severity
        Specifies a severity level for the event: high, medium, or low.

     Protocol
        Specifies a protocol for the event.
        Note: For existing events, this field displays the protocol type, which is not editable.

     Ignore Events
        Instructs the appliance to ignore events that match the criteria that are set for the event.

     Display
        Specifies how the event is displayed in the management console:
        • No Display: Does not display the detected event.
        • Without Raw: Logs a summary of the event.
        • With Raw: Logs a summary of the event and the associated packet capture.

     Block
        Instructs the appliance to block the attack by dropping packets and sending resets to TCP connections.

     Log Evidence
        Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs the files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
        • None: The appliance captures no traffic.
        • Offending Packet: The appliance captures the suspicious traffic.
        • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
        • Interface: The appliance captures all traffic that passes through the specified interfaces.
        • All Interfaces: The appliance captures all traffic that passes through all interfaces.
        Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
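The option table above states several constraints that are easy to get wrong when many events are edited at once: an event name belongs to one protection domain at a time (a second domain needs a copied and renamed event), severity and display accept fixed values, and the Connection, Interface and All Interfaces capture modes are not available for SNORT events. The following checker, added here as an example and not part of the IBM documentation or product, encodes those rules over a constructed record type; the SecurityEvent dataclass, its snort flag and the sample policy are assumptions, since this page does not describe the appliance's policy export format. It also lists the events whose Log Evidence setting captures all interface traffic, which produce the largest evidence files under /var/iss/.

```python
"""Check a Security Events policy against the constraints stated in the
general settings documentation.  Added example: SecurityEvent and the
'snort' flag are a constructed stand-in for the appliance's own policy data."""

from collections import defaultdict
from dataclasses import dataclass

SEVERITIES = {"high", "medium", "low"}
DISPLAY_MODES = {"No Display", "Without Raw", "With Raw"}
LOG_EVIDENCE_MODES = {"None", "Offending Packet", "Connection", "Interface", "All Interfaces"}
# Documented restriction: these capture modes are not available for the SNORT feature.
SNORT_UNAVAILABLE_EVIDENCE = {"Connection", "Interface", "All Interfaces"}
# Modes that capture every packet on one or all interfaces, not only the offending traffic.
BROAD_CAPTURE_MODES = {"Interface", "All Interfaces"}


@dataclass
class SecurityEvent:
    """One row of the Security Events policy (constructed representation)."""
    name: str
    enabled: bool = True
    protection_domain: str = "Global"   # shown as "Global" when domains are not used
    severity: str = "medium"
    display: str = "Without Raw"
    block: bool = False
    ignore: bool = False
    log_evidence: str = "None"
    snort: bool = False                 # hypothetical flag: event comes from the SNORT feature


def validate_event(ev: SecurityEvent) -> list[str]:
    """Return the documented per-event constraints that this event violates."""
    problems = []
    if ev.severity not in SEVERITIES:
        problems.append(f"severity must be one of {sorted(SEVERITIES)}, got {ev.severity!r}")
    if ev.display not in DISPLAY_MODES:
        problems.append(f"display must be one of {sorted(DISPLAY_MODES)}, got {ev.display!r}")
    if ev.log_evidence not in LOG_EVIDENCE_MODES:
        problems.append(f"unknown Log Evidence mode {ev.log_evidence!r}")
    elif ev.snort and ev.log_evidence in SNORT_UNAVAILABLE_EVIDENCE:
        problems.append(f"Log Evidence {ev.log_evidence!r} is not available for SNORT events")
    return problems


def validate_policy(events: list[SecurityEvent]) -> dict[str, list[str]]:
    """Validate every event plus the cross-event rule that one event name is
    assigned to one protection domain at a time.  Returns {name: [problems]}
    for the events that have at least one problem."""
    report: dict[str, list[str]] = defaultdict(list)
    domains_by_name: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        report[ev.name].extend(validate_event(ev))
        domains_by_name[ev.name].add(ev.protection_domain)
    for name, domains in domains_by_name.items():
        if len(domains) > 1:
            report[name].append(
                f"assigned to {len(domains)} domains ({', '.join(sorted(domains))}); "
                "copy and rename the event to use it in another domain")
    return {name: probs for name, probs in report.items() if probs}


def broad_capture_events(events: list[SecurityEvent]) -> list[str]:
    """Names of enabled, non-ignored events whose Log Evidence setting captures
    all traffic on one or all interfaces (the largest evidence files)."""
    return sorted(ev.name for ev in events
                  if ev.enabled and not ev.ignore and ev.log_evidence in BROAD_CAPTURE_MODES)


# Constructed sample policy for a stand-alone run; not taken from any appliance.
SAMPLE_POLICY = [
    SecurityEvent("HTTP_Suspicious_Path", severity="high", block=True, log_evidence="Offending Packet"),
    SecurityEvent("HTTP_Suspicious_Path", protection_domain="DMZ"),           # same name, second domain
    SecurityEvent("SNORT_Custom_Rule", snort=True, log_evidence="Connection"),  # mode unavailable for SNORT
    SecurityEvent("Port_Scan_Audit", severity="low", log_evidence="All Interfaces"),
    SecurityEvent("Legacy_Probe", ignore=True, log_evidence="Interface"),       # ignored, so not counted
    SecurityEvent("Bad_Severity_Event", severity="critical"),
]

if __name__ == "__main__":
    for name, probs in validate_policy(SAMPLE_POLICY).items():
        for p in probs:
            print(f"{name}: {p}")
    print("broad capture:", broad_capture_events(SAMPLE_POLICY))
```

Run against a real policy, the report names the events that need a copy-and-rename before they can be assigned to a second domain, and the SNORT events whose capture mode the appliance will not offer.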

What to do next

On the Add Security Events window, configure responses and other settings such as applicable XPUs, event throttling, and default protection.