Use the general settings area of the User Defined Events page for the Network IPS appliance to configure unique characteristics for your user-defined events.

About this task

Navigating in the Network IPS Local Management Interface:

Navigating in the SiteProtector™ system: select the User Defined Events policy
Procedure
- Click the Add icon.
- Configure the following options:
Option and description:

- Enabled: Enables this user-defined event.
- Name: Specifies a unique, descriptive name for the event.
- Protection Domain: Applies a protection domain to the event.
  Notes:
  - You can assign an event to only one protection domain at a time.
  - If you do not configure (or do not use) protection domains, the protection domain is displayed as "Global" in the list.
  Tips:
  - To configure this event for another domain, copy and rename the event, and then assign the copy to the other domain.
  - If the protection domain that you want is not displayed in the list, you can configure protection domains in .
- Comment: Specifies a description of the event.
- Severity: Specifies a severity level for the event: high, medium, or low.
- Context: Specifies the type and part of the network packet that the appliance scans (for example, the URL_Data context used in the search string example below).
- Search String: Specifies the text string in the packet (context) that determines whether traffic matches this signature.
  Note: You can use wildcards and other expressions in strings. You must follow standard POSIX regular expression syntax. For example, a period is a wildcard that matches any single character, so any periods in a DNS name search must be escaped; otherwise a search string of www.ibm.com also matches text such as wwwXibmYcom. For more information, see User-defined events and regular expressions.
  Example:
  Incorrect format: pam.userdefined.URL_Data.1000035=www.ibm.com
  Correct format: pam.userdefined.URL_Data.1000035=www\.ibm\.com
- Event Throttling: Sets a time window (in seconds) during which repeated occurrences of the same event are reported only once.
  Tip: Use this feature to prevent your console from being overrun with duplicate events that could mask a more dangerous event.
  Note: The default value is zero, which disables event throttling.
- Display: Specifies how the event is displayed in the management console:
  - No Display: Does not display the detected event.
  - WithoutRaw: Logs a summary of the event.
  - WithRaw: Logs a summary of the event and the associated packet capture.
- Block: Blocks the attack by dropping packets and sending resets to TCP connections.
- Log Evidence: Determines the type of packet capture to take when suspicious traffic triggers the event. The appliance writes evidence files to the /var/iss/ directory. You can retrieve log evidence files from .
  - None: The appliance captures no traffic.
  - Offending Packet: The appliance captures the suspicious traffic that triggered the event.
  - Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
  - Interface: The appliance captures all traffic that passes through the specified interfaces.
  - All Interfaces: The appliance captures all traffic that passes through all interfaces.
  Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
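The two settings above that most often cause surprises in practice are the search string (an unescaped period silently widens the match) and event throttling (a zero window means every duplicate is reported). The following Python script is an added example, not part of the Network IPS product or this page: it builds the pam.userdefined.URL_Data.1000035 key=value line from the page's example, shows why the escaped form is the correct one, and models the throttling window. Python's re module stands in for the appliance's POSIX regex engine (the two agree for literal text and escaped periods); the packet snippets and event timestamps are constructed sample data.

```python
import re
from typing import Iterable, List, Optional

# Key taken from the page's example; the helper code around it is illustrative only.
CONFIG_KEY = "pam.userdefined.URL_Data.1000035"


def escape_literal(text: str) -> str:
    """Escape regex metacharacters so the search string matches `text` literally.

    The page's rule is that every period in a DNS name must be escaped;
    re.escape does that (and also escapes '?', '*', '+', and so on).
    """
    return re.escape(text)


def config_line(key: str, search_string: str) -> str:
    """Render a search string as the key=value line shown in the page's example."""
    return f"{key}={search_string}"


def matches(search_string: str, packet_context: str) -> bool:
    """True if the search string matches anywhere in the scanned packet context.

    re.search is used as a stand-in for the appliance's POSIX regex matcher.
    """
    return re.search(search_string, packet_context) is not None


def throttle(event_times: Iterable[float], window_seconds: float) -> List[float]:
    """Model event throttling: after an event is reported, further copies that fall
    inside `window_seconds` are suppressed. A window of 0 (the page's default)
    disables throttling, so every occurrence is reported. Returns the reported times."""
    reported: List[float] = []
    window_start: Optional[float] = None
    for t in sorted(event_times):
        if window_seconds <= 0 or window_start is None or t - window_start >= window_seconds:
            reported.append(t)
            window_start = t
    return reported


if __name__ == "__main__":
    # Constructed sample URL data: one genuine hit and one look-alike.
    genuine = "GET http://www.ibm.com/ HTTP/1.1"
    lookalike = "GET http://wwwXibmYcom/ HTTP/1.1"

    unescaped = "www.ibm.com"               # the page's "incorrect format"
    escaped = escape_literal("www.ibm.com")  # the page's "correct format"
    print(config_line(CONFIG_KEY, unescaped), "->",
          matches(unescaped, genuine), matches(unescaped, lookalike))
    print(config_line(CONFIG_KEY, escaped), "->",
          matches(escaped, genuine), matches(escaped, lookalike))

    # Constructed burst of the same event at these offsets (seconds).
    burst = [0, 5, 10, 40, 55, 70]
    print("throttle 0s :", throttle(burst, 0))
    print("throttle 30s:", throttle(burst, 30))
```

The unescaped pattern matches both the genuine request and the look-alike, which is the false-positive the page warns about; the escaped pattern matches only the genuine one. With a 30-second window the six-event burst collapses to three reports, while the default window of 0 reports all six.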
What to do next

On the Add User Defined Events window, configure responses that instruct the appliance how to notify you about user-defined events.