Symantec 10268947 User Guide - Page 83
About flow alert rules, Playing recorded traffic
Response Rules (page 83)

are specified by parameters that the SuperUser provides when creating the rule. The SuperUser or Administrator can use Export Flow to specify the event characteristics of the triggering event. Flows that match the specified characteristics are exported and saved. The minimum delay between responses is 1 minute.

About flow alert rules

In addition to response rules, Symantec Network Security can respond to network traffic according to flow alert rules. Flow alert rules respond to traffic flows that violate defined policies on monitored networks. Flow alert rules can be configured to notify you when a sensor or router detects flows that match specific criteria.

Symantec Network Security collects data about network flows from various devices. It optimizes the data to enable advanced response actions such as TrackBack, and notifies you about illegal flows. Symantec Network Security uses FlowChaser to store the data, in coordination with TrackBack, which traces a DoS attack or network flow back to its source, or to the edges of the administrative domain.

Note: StandardUsers can view flow alert rules, and RestrictedUsers have no access at all.

Viewing flow alert rules

Symantec Network Security provides a way to view flow alert rules from the Network Security console.

To view flow alert rules

◆ In the Network Security console, click Configuration > Flow Alert Rules. In Flow Alert Rule, you can view the rule details.

Playing recorded traffic

Like the FlowChaser, Query Current Flows, and Query Exported Flows, the Traffic Playback Tool provides another way to search recorded data outside of the Network Security reporting system. When you set a response rule to record events of a particular description, you can then use the Traffic Playback Tool to replay and scrutinize the records of those events.

See "Managing response rules" on page 132.