Use the general settings area of the Connection Events page for the Network IPS appliance to specify basic event parameters, such as names, severity levels, and block and logging actions.
About this task
Navigating in the Network IPS Local Management Interface:
Navigating in the SiteProtector™ system: select the Connection Events policy
Procedure
- Click the Add icon.
- Configure the following options:
| Option | Description |
|---|---|
| Enabled | Notifies you about connection events. |
| Event | Specifies a unique name for the event. Note: If you are editing a predefined event, the name is displayed here as read-only. |
| Comment | Describes the event. |
| Severity | Specifies a severity level for the event: high, medium, or low. |
| Event Throttling | Sets a time window (in seconds) during which multiple events are reported only once. Tip: Use this feature to prevent your console from being overrun with duplicate events that might potentially mask a more dangerous event. Note: The default value is zero, which disables event throttling. |
| Protocol | Specifies the protocol for the event. Note: If you select ICMP or ICMPv6, type the appropriate types or codes, or click Well Known to select often-used types and codes. |
| Display | Specifies how you want to display the event in the management console. None: Does not display the detected event. Without Raw: Logs a summary of the event. With Raw: Logs a summary and the associated packet capture. |
| Block | Instructs the appliance to block the attack by dropping packets and sending resets to TCP connections. |
| Log Evidence | Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from . None: The appliance captures no traffic. Offending Packet: The appliance captures the suspicious traffic. Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID. Interface: The appliance captures all traffic that passes through the specified interfaces. All Interfaces: The appliance captures all traffic that passes through all interfaces. Note: Connection, Interface, and All Interfaces are not available for the SNORT feature. |
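
The effect of the Event Throttling window on what reaches the console, as an added example that is not IBM code and not the appliance's implementation. It assumes throttling is tracked per event name and that the window opens at the first reported occurrence; the event names and timestamps are constructed.

```python
from collections import namedtuple

# Constructed sample: t is seconds since the start of the observation.
# The event names are hypothetical user-defined connection events.
Event = namedtuple("Event", "t name severity")

SAMPLE_EVENTS = [
    Event(0, "Telnet_Inbound", "low"),
    Event(2, "Telnet_Inbound", "low"),
    Event(5, "Telnet_Inbound", "low"),
    Event(6, "SSH_From_Guest_VLAN", "high"),
    Event(9, "Telnet_Inbound", "low"),
    Event(31, "Telnet_Inbound", "low"),
    Event(40, "SSH_From_Guest_VLAN", "high"),
]


def throttle(events, window_seconds):
    """Return the events that would be reported to the console.

    Assumed model: for each event name, the first occurrence is reported and
    opens a window of window_seconds; repeats inside that window are
    suppressed. A window of 0 (the documented default) disables throttling.
    """
    if window_seconds < 0:
        raise ValueError("window_seconds must be zero or positive")
    reported = []
    window_start = {}  # event name -> time of the last reported occurrence
    for ev in sorted(events, key=lambda e: e.t):
        start = window_start.get(ev.name)
        inside = start is not None and ev.t - start < window_seconds
        if window_seconds and inside:
            continue  # duplicate within the window: not reported again
        window_start[ev.name] = ev.t
        reported.append(ev)
    return reported


if __name__ == "__main__":
    for window in (0, 30, 60):
        shown = throttle(SAMPLE_EVENTS, window)
        print(f"window={window:>2}s -> {len(shown)} of {len(SAMPLE_EVENTS)} reported")
        for ev in shown:
            print(f"    t={ev.t:>2}  {ev.severity:<4}  {ev.name}")
```

Under these assumptions a longer window cuts the low-severity repeats, but it also suppresses the second high-severity occurrence at t=40, so the window should be sized per event rather than set uniformly.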
What to do next
On the Add Connection Events window, specify the IP addresses and the port settings for IPv4 and IPv6 networks, and enable responses for events.