Configuring general settings for connection events

Use the general settings area of the Connection Events page for the Network IPS appliance to specify basic event parameters, such as names, severity levels, and block and logging actions.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Advanced IPS > Connection Events

Navigating in the SiteProtector™ system: select the Connection Events policy

Procedure

  1. Click the Add icon.
  2. Configure the following options (option: description):
     Enabled: Enables the event so that the appliance notifies you when it is detected.
     Event: Specifies a unique name for the event.
       Note: If you are editing a predefined event, the name is displayed here as read-only.
     Comment: Describes the event.
     Severity: Specifies a severity level for the event: high, medium, or low.
     Event Throttling: Sets a time window (in seconds) during which multiple occurrences of the same event are reported only once.
       Tip: Use this feature to prevent your console from being overrun with duplicate events that might mask a more dangerous event.
       Note: The default value is zero, which disables event throttling.
     Protocol: Specifies the protocol for the event.
       Note: If you select ICMP or ICMPv6, type the appropriate types or codes, or click Well Known to select often-used types and codes.
     Display: Specifies how you want to display the event in the management console:
       • None: Does not display the detected event.
       • Without Raw: Logs a summary of the event.
       • With Raw: Logs a summary and the associated packet capture.
     Block: Instructs the appliance to block the attack by dropping packets and sending resets to TCP connections.
     Log Evidence: Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
       • None: The appliance captures no traffic.
       • Offending Packet: The appliance captures the suspicious traffic.
       • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
       • Interface: The appliance captures all traffic that passes through the specified interfaces.
       • All Interfaces: The appliance captures all traffic that passes through all interfaces.
       Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
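The following Python model illustrates the Event Throttling behavior described above: within the configured window, repeated occurrences of the same event are reported once, and a window of zero disables throttling. This is an added example written for this page, not code from the appliance or from IBM; the event key (event name plus protocol, source and destination address) and the sample events are assumptions, because the page does not state which fields the appliance uses to decide that two events are duplicates.

```python
"""Model of per-event throttling for a connection-events policy.

Added example, not the appliance's own code. Assumptions: duplicates are
keyed on (event name, protocol, src, dst); the sample events below are
constructed, not captured from a real appliance.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, str, str]


@dataclass(frozen=True)
class ConnectionEvent:
    name: str
    protocol: str
    src: str
    dst: str
    ts: float  # seconds since policy load (constructed timestamps)


@dataclass
class Throttler:
    # Window in seconds. 0 (the documented default) disables throttling.
    window: float
    last_reported: Dict[Key, float] = field(default_factory=dict)
    suppressed: Dict[Key, int] = field(default_factory=dict)

    @staticmethod
    def key(ev: ConnectionEvent) -> Key:
        # Assumed duplicate key; a coarser key (name only) would also fold
        # together events from different sources, hiding a second attacker.
        return (ev.name, ev.protocol, ev.src, ev.dst)

    def report(self, ev: ConnectionEvent) -> bool:
        """Return True if the event should be reported to the console."""
        if self.window <= 0:
            return True  # throttling disabled: every event is reported
        k = self.key(ev)
        last = self.last_reported.get(k)
        if last is None or ev.ts - last >= self.window:
            self.last_reported[k] = ev.ts  # first report opens a new window
            return True
        self.suppressed[k] = self.suppressed.get(k, 0) + 1
        return False


# Constructed sample: a burst of probes from one host, one unrelated ICMP
# event, then more probes after the 30-second window has elapsed.
SAMPLE_EVENTS: List[ConnectionEvent] = [
    ConnectionEvent("TCP_Probe", "TCP", "10.0.0.5", "192.0.2.10", 0.0),
    ConnectionEvent("TCP_Probe", "TCP", "10.0.0.5", "192.0.2.10", 1.0),
    ConnectionEvent("ICMP_Echo", "ICMP", "10.0.0.7", "192.0.2.10", 1.5),
    ConnectionEvent("TCP_Probe", "TCP", "10.0.0.5", "192.0.2.10", 2.0),
    ConnectionEvent("TCP_Probe", "TCP", "10.0.0.5", "192.0.2.10", 31.0),
    ConnectionEvent("TCP_Probe", "TCP", "10.0.0.5", "192.0.2.10", 32.0),
]


def run(events: List[ConnectionEvent], window: float) -> Tuple[List[ConnectionEvent], Dict[Key, int]]:
    """Apply throttling; return (reported events, suppressed counts per key)."""
    t = Throttler(window)
    reported = [ev for ev in events if t.report(ev)]
    return reported, dict(t.suppressed)


if __name__ == "__main__":
    for window in (30, 0):
        reported, suppressed = run(SAMPLE_EVENTS, window)
        print(f"window={window}s: reported={len(reported)} suppressed={suppressed}")
```

With a 30-second window the burst at 0, 1 and 2 seconds is reported once, the probe at 31 seconds opens a new window, and the ICMP event is unaffected because it has a different key; with the window at zero every event reaches the console. Keep the suppressed counts somewhere (a counter per key, as here) so that throttling reduces console noise without losing the volume of what was suppressed.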

What to do next

On the Add Connection Events window, specify the IP addresses and port settings for IPv4 and IPv6 networks and enable responses for events.