Use the general settings area of the Response Filters page for the Network IPS appliance to configure attributes such as protection domain, event name, severity, virtual LAN, and event throttling.
About this task
Navigating in the Network IPS Local Management Interface:
Navigating in the SiteProtector™ system: select the Response Filters policy
Procedure
- Click the Add icon.
- Configure the following options:
Option | Description
Enabled | Enables response filters.
Protection Domain | Specifies the protection domain for the response filter.
Event Name | Displays a truncated event name. Click the ellipsis to show events. You can add multiple events at one time; use the filter settings to sort through the list. Note: In some policies, you can apply the policy to events detected by X-Force®. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID number. Click the IssueID for details. If these events are triggered on the appliance, you can view the events in and in .
Comment | Specifies a unique description for the event filter or set of filters.
Severity | Specifies a severity level to filter by: high, medium, or low.
Interface | Specifies the appliance ports or interfaces where you want to apply the response filter. Note: Not all interfaces are available on every appliance. The appliance ignores port configurations that do not apply to the appliance model.
VLAN | Specifies the range of virtual LAN tags where you want to apply the response filter.
Event Throttling | Sets a time window (in seconds) during which repeated occurrences of the same event are reported once. Tip: Use this feature to prevent your console from being overrun with duplicate events that could mask a more dangerous event. Note: The default value is zero, which disables event throttling.
ICMP Version | Specifies ICMP or ICMPv6 types or codes for either side of the packet. Note: Click the applicable Well Known option to select often-used types and codes.
Ignore Events | Ignores events that match the criteria you set for this response filter.
Display | Specifies how the detected event is displayed in the management console:
- No Display: Does not display the detected event.
- Without Raw: Logs a summary of the event.
- With Raw: Logs a summary of the event and the associated packet capture.
Block | Blocks an attack by dropping packets and sending resets to TCP connections.
Log Evidence | Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs evidence files to the /var/iss/ directory. You can retrieve log evidence files from .
- None: The appliance captures no traffic.
- Offending Packet: The appliance captures the suspicious traffic.
- Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
- Interface: The appliance captures all traffic that passes through the specified interfaces.
- All Interfaces: The appliance captures all traffic that passes through all interfaces.
Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
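As an added illustration, not code from the appliance or from this documentation, the following Python models how the general settings in the table above combine when a stream of events is evaluated: a filter matches on event name, severity, interface and VLAN range; Ignore Events drops the event from reporting; and Event Throttling collapses repeated reports of the same event inside the configured window while a window of zero (the default) leaves every event reported. The field names, the rule that the first matching filter decides, the throttle key (filter comment plus event name), the choice to keep the block response active for throttled events, and the sample event stream are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Dict


@dataclass
class Event:
    """One detection as the appliance would raise it (constructed sample data)."""
    name: str          # event name, e.g. "TCP_Port_Scan"
    severity: str      # "high", "medium" or "low"
    interface: str     # appliance port, e.g. "1A"
    vlan: int          # 802.1Q tag; 0 means untagged
    time: float        # seconds since an arbitrary epoch


@dataclass
class ResponseFilter:
    """General settings of one response filter (field names are assumptions)."""
    comment: str
    event_names: Set[str]
    enabled: bool = True
    severity: Optional[str] = None                # None: any severity
    interfaces: Optional[Set[str]] = None         # None: all interfaces
    vlan_range: Optional[Tuple[int, int]] = None  # inclusive (low, high); None: any VLAN
    throttle_seconds: int = 0                     # 0 disables throttling (the default)
    ignore: bool = False
    display: str = "With Raw"                     # "No Display" | "Without Raw" | "With Raw"
    block: bool = False

    def matches(self, ev: Event) -> bool:
        """True when every configured criterion applies to the event."""
        if not self.enabled or ev.name not in self.event_names:
            return False
        if self.severity is not None and ev.severity != self.severity:
            return False
        if self.interfaces is not None and ev.interface not in self.interfaces:
            return False
        if self.vlan_range is not None and not (self.vlan_range[0] <= ev.vlan <= self.vlan_range[1]):
            return False
        return True


class FilterEngine:
    """Applies an ordered filter list; the first matching filter decides (assumption)."""

    def __init__(self, filters):
        self.filters = list(filters)
        self._last_report: Dict[Tuple[str, str], float] = {}  # (filter comment, event name) -> last report time

    def process(self, ev: Event) -> dict:
        for f in self.filters:
            if not f.matches(ev):
                continue
            if f.ignore:
                return {"filter": f.comment, "action": "ignored"}
            key = (f.comment, ev.name)
            last = self._last_report.get(key)
            if f.throttle_seconds and last is not None and ev.time - last < f.throttle_seconds:
                # Inside the window: the report is suppressed, but the block response still applies.
                return {"filter": f.comment, "action": "throttled", "block": f.block}
            self._last_report[key] = ev.time
            return {"filter": f.comment, "action": "reported", "display": f.display, "block": f.block}
        return {"filter": None, "action": "default"}


def run_demo() -> Dict[Tuple[Optional[str], str], int]:
    """Feed a constructed event burst through three filters and count the outcomes."""
    filters = [
        ResponseFilter("throttle port scans", {"TCP_Port_Scan"}, severity="low",
                       throttle_seconds=30, display="Without Raw"),
        ResponseFilter("block SQLi on server VLANs", {"SQL_Injection"},
                       vlan_range=(100, 199), block=True),
        ResponseFilter("ignore mgmt-port noise", {"HTTP_Unknown_Protocol"},
                       interfaces={"1A"}, ignore=True),
    ]
    # Constructed sample stream: 50 scan events in 10 s with one SQL injection in the middle.
    events = [Event("TCP_Port_Scan", "low", "1B", 100, i * 0.2) for i in range(50)]
    events.insert(25, Event("SQL_Injection", "high", "1B", 100, 5.0))
    events.append(Event("HTTP_Unknown_Protocol", "low", "1A", 0, 12.0))   # ignored by the third filter
    events.append(Event("HTTP_Unknown_Protocol", "low", "1B", 0, 12.5))   # matches no filter: default handling
    events.append(Event("TCP_Port_Scan", "low", "1B", 100, 40.0))         # window expired: reported again

    engine = FilterEngine(filters)
    counts: Dict[Tuple[Optional[str], str], int] = {}
    for ev in events:
        r = engine.process(ev)
        k = (r["filter"], r["action"])
        counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    for (name, action), n in run_demo().items():
        print(f"{n:3d}  {action:9s}  {name}")
```

Running the demo shows the point of the Tip on Event Throttling: the 50-event scan burst produces one report instead of 50, so the single high-severity SQL_Injection report in the middle of the burst is not buried, and the scan is reported again once the 30-second window has expired. The counterexample in the same model is a filter with the default window of zero, where every repeated event is reported.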
What to do next
On the Add Response Filters window, specify the IP address and the port settings for IPv4 and IPv6 networks and enable responses.