Symantec 10521146 Administration Guide - Page 151
Configure Response Action, Traffic Record
Responding: Setting response actions (page 151)

...reached before the maximum time, then traffic record stops recording, but waits until the maximum time has expired before starting a new record action. The number of responses per incident is also determined by the response configuration. The minimum delay between responses is 1 minute.

Note: This response action records only fully assembled packets from actual flows, not malformed packets or packet fragments. You can view detected packet contents in the Advanced tab of Event Details. See "Viewing event details" on page 197.

Caution: Traffic record files are stored in the /usr/SNS/record directory, and can quickly fill the disk space, especially on a gigabit link. Make sure that this directory contains sufficient disk space.

To enable traffic records

1 In the Network Security console, click Configuration > Response Rules.
2 In Response Rules, click the Response Action column of a rule.
3 In Configure Response Action, click Traffic Record.
4 Provide the following information:
■ Maximum packets to record: Enter the maximum number of packets per incident of this response.
■ Maximum # of record actions: Enter the maximum number of records per incident of this response.
■ Maximum time to record (mins): Enter the time in minutes that you want Symantec Network Security to record per incident.
5 Click traffic record match parameters to select them:
■ Source IP: Click this parameter if you want to record only traffic with the same source address as the triggering event.
■ Source Port: Click this parameter if you want to record only traffic with the same source port as the triggering event.
■ Destination IP: Click this parameter if you want to record only traffic with the same destination address as the triggering event.
■ Destination Port: Click this parameter if you want to record only traffic with the same destination port as the triggering event.
■ Transport: Click this parameter if you want to record only traffic with the same transport protocol (such as TCP, UDP or ICMP) as the triggering event.
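The following Python model is an added illustration, not Symantec code, of how the three limits (packets, record actions, time), the one-minute minimum delay and the five match parameters described above interact for one incident. It lets an administrator reason about how many packets a rule can write to /usr/SNS/record before sizing that directory. All class and function names (TrafficRecordPolicy, IncidentRecorder, run_demo, worst_case_bytes) and the sample flows are assumptions made for this example; the product's internal behaviour beyond what the page states is not claimed.

```python
"""Model of the Traffic Record response action (added example, not product code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

MIN_DELAY_SECONDS = 60  # guide: minimum delay between responses is 1 minute

ALL_MATCH_PARAMS = frozenset({"src_ip", "src_port", "dst_ip", "dst_port", "transport"})


@dataclass(frozen=True)
class Flow:
    """The five fields the match parameters compare against the triggering event."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str  # "TCP", "UDP" or "ICMP"


@dataclass
class TrafficRecordPolicy:
    max_packets: int       # Maximum packets to record (per record action)
    max_actions: int       # Maximum # of record actions (per incident)
    max_time_mins: int     # Maximum time to record (mins)
    match: FrozenSet[str] = ALL_MATCH_PARAMS  # selected match parameters

    def matches(self, trigger: Flow, pkt: Flow) -> bool:
        # Only the selected parameters must equal the triggering event's values.
        return all(getattr(trigger, f) == getattr(pkt, f) for f in self.match)

    def action_window_seconds(self) -> int:
        # A new record action cannot start until the previous window has expired.
        return max(self.max_time_mins * 60, MIN_DELAY_SECONDS)


@dataclass
class IncidentRecorder:
    policy: TrafficRecordPolicy
    trigger: Flow
    actions_started: int = 0
    action_start: Optional[float] = None   # start time of the current record action
    packets_in_action: int = 0
    recorded: List[Tuple[float, Flow]] = field(default_factory=list)

    def offer(self, ts: float, pkt: Flow, complete: bool = True) -> bool:
        """Return True if this packet is written to the incident's traffic record."""
        if not complete:  # fragments and malformed packets are never recorded
            return False
        if not self.policy.matches(self.trigger, pkt):
            return False
        window = self.policy.action_window_seconds()
        if self.action_start is None or ts - self.action_start >= window:
            # Previous window (if any) has expired: start a new record action if allowed.
            if self.actions_started >= self.policy.max_actions:
                return False
            self.actions_started += 1
            self.action_start = ts
            self.packets_in_action = 0
        if self.packets_in_action >= self.policy.max_packets:
            # Packet cap reached early: stop, but keep waiting out the window.
            return False
        self.packets_in_action += 1
        self.recorded.append((ts, pkt))
        return True


def worst_case_bytes(policy: TrafficRecordPolicy, avg_packet_bytes: int) -> int:
    """Rough upper bound on record size for one incident (supports the disk-space caution)."""
    return policy.max_packets * policy.max_actions * avg_packet_bytes


def run_demo() -> Tuple[int, int]:
    """Constructed packet timeline; returns (packets recorded, record actions started)."""
    policy = TrafficRecordPolicy(max_packets=2, max_actions=2, max_time_mins=1)
    trigger = Flow("10.0.0.5", 40000, "192.0.2.10", 80, "TCP")   # constructed sample
    other = Flow("10.0.0.6", 40000, "192.0.2.10", 80, "TCP")     # different source IP
    rec = IncidentRecorder(policy, trigger)
    timeline = [
        (0.0, trigger, True),    # recorded: action 1 starts
        (0.5, other, True),      # dropped: source IP does not match
        (1.0, trigger, True),    # recorded: second packet of action 1
        (2.0, trigger, True),    # dropped: packet cap reached before max time
        (30.0, trigger, True),   # dropped: still inside the 1-minute window
        (60.0, trigger, True),   # recorded: window expired, action 2 starts
        (61.0, trigger, False),  # dropped: fragment / malformed
        (61.5, trigger, True),   # recorded
        (62.0, trigger, True),   # dropped: cap reached
        (120.0, trigger, True),  # dropped: max record actions exhausted
    ]
    for ts, pkt, complete in timeline:
        rec.offer(ts, pkt, complete)
    return len(rec.recorded), rec.actions_started


if __name__ == "__main__":
    print(run_demo())
```

Selecting fewer match parameters widens what is captured: with only Source IP selected, any packet from the triggering host is recorded regardless of port, destination or protocol, which is the case where the packet and record-action caps matter most for disk usage.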