Symantec 10268947 User Guide - Page 77
Response Rules 77
About automated responses

segments, and network border interfaces defined in the network topology database.

About event types

The event type parameter specifies the base event or events for which the response rule is defined. Event types are grouped into several larger protocol and service attack categories. When Symantec Network Security detects a suspicious event, it analyzes the event to match it to an event type.

About severity levels

The severity parameter describes the relationship between the action to take in response to an incident and the severity of that incident. Before the analysis process assigns a severity level to an incident, it analyzes the various events that make up the incident according to the following factors:

■ Intrinsic severity of the type of event: An event might consist of an FTP packet transmitted on port 80. Because port 80 is used for HTTP traffic, this event might represent an attack on a Web server. By itself, this example might represent a medium level of intrinsic severity.

■ Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received.

■ Severity of other events in the same incident: Symantec Network Security correlates severity levels from all events in the same incident.

By using these variables to perform statistical analysis, Symantec Network Security assigns different severity levels as they apply to an incident. As the system gains information about the network, it integrates characteristics that influence the levels to reflect the current state of the network security. Because the traffic on every network is different, the severity levels specified in the response rule parameters are relative values and contain no inherent absolute definition.
The creation of response rules in general, and the selection of severity levels for specific response rules, require fine-tuning against the existing security response rules as well as the network traffic and ambient conditions. If the severity assigned during analysis equals the severity level defined in the response rule, and all other parameters defined in the response rule also match, then Symantec Network Security responds to the incident by performing the action associated with the response rule. SuperUsers and Administrators can also specify that the action execute only if the incident priority level falls above or below a particular severity level. Possible severity parameter values are informational, low, medium, high, and critical.
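The following is an added illustrative model of the matching described above; it is not Symantec's code. The severity ordering (informational through critical), the event-type match, and the equals/above/below modes come from this page; how an incident's severity is derived from its events (one level per 1000 packets for a counter event, highest event severity for the incident) is an assumed simplification standing in for the product's statistical analysis.

```python
"""Illustrative response-rule matcher. Added example, not the product's code."""
from dataclasses import dataclass

# Ordering taken from the manual; index doubles as the comparable level.
SEVERITY = ["informational", "low", "medium", "high", "critical"]


@dataclass
class Event:
    event_type: str
    intrinsic: str          # intrinsic severity of this event type
    packet_count: int = 1   # greater than 1 for counter events such as floods


@dataclass
class ResponseRule:
    event_types: set
    severity: str
    mode: str = "equals"    # "equals", "above" or "below" the rule's severity
    action: str = "log"


def event_severity(ev: Event) -> int:
    """Assumed: a counter event is raised one level per 1000 packets, capped at critical."""
    base = SEVERITY.index(ev.intrinsic)
    bump = (ev.packet_count - 1) // 1000
    return min(base + bump, len(SEVERITY) - 1)


def incident_severity(events) -> str:
    """Assumed correlation: the incident takes the highest severity among its events."""
    return SEVERITY[max(event_severity(e) for e in events)]


def rule_matches(rule: ResponseRule, events) -> bool:
    """A rule fires only if its event type is present and the incident-level severity satisfies its mode."""
    if not any(e.event_type in rule.event_types for e in events):
        return False
    inc = SEVERITY.index(incident_severity(events))
    ref = SEVERITY.index(rule.severity)
    return {"equals": inc == ref, "above": inc > ref, "below": inc < ref}[rule.mode]


def actions_for(rules, events):
    return [r.action for r in rules if rule_matches(r, events)]


# Constructed sample: FTP on port 80 (medium) correlated with a 2500-packet flood (low, bumped to high).
SAMPLE_EVENTS = [Event("ftp_on_http_port", "medium"), Event("syn_flood", "low", 2500)]
SAMPLE_RULES = [
    ResponseRule({"ftp_on_http_port"}, "medium", "equals", "log"),   # does not fire: incident is high, not medium
    ResponseRule({"syn_flood"}, "medium", "above", "email"),         # fires: high is above medium
    ResponseRule({"syn_flood"}, "critical", "equals", "block"),      # does not fire: high is not critical
]
```

Because the incident, not the single event, carries the severity, the medium-only FTP rule does not fire once the flood raises the incident to high.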