Symantec 10521146 Administration Guide - Page 154
Managing flow alert rules
■ Delay between flow export actions (mins): Enter the time in minutes that you want Symantec Network Security to wait between actions per incident. The default delay is 10, the minimum is 1, and the maximum is 256.

5 In Export flows matching which event attribute, provide the following:

■ Source addresses: Use the IP address from the triggering event.
■ Destination addresses: Use the IP address from the triggering event.
■ Source port: Make port significant when matching related FDS flow entries to the triggering event source IPs.
■ Destination port: Make port significant when matching related FDS flow entries to the triggering event destination IPs.
■ Transport Protocol: Export only matching FDS flow entries of the same protocol as the triggering event (IP, TCP, UDP).

6 In Configure Response Action, click OK to save and exit.

7 In Response Rules, click OK to save and exit.

For related information, see the following topics:

■ See "Playing recorded traffic" on page 240.
■ See "Exporting data" on page 254.
■ See "About incident and event data" on page 189.
■ See "Defining new protection policies" on page 120.

Managing flow alert rules

In addition to response rules, Symantec Network Security can respond to network traffic according to flow alert rules. Flow alert rules respond to traffic flows that violate defined policies on monitored networks. Flow alert rules can be configured to notify you when a sensor or router detects flows that match specific criteria.

Symantec Network Security collects data about network flows from various devices. It optimizes the data to enable advanced response actions such as TrackBack, and notifies you about illegal flows. Symantec Network Security uses FlowChaser to store the data, in coordination with TrackBack, which traces a DoS attack or network flow back to its source, or to the edges of the administrative domain.

This section describes the following:

■ Viewing flow alert rules
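As an added illustration of the flow export options in steps 4 and 5 above (example code written for this page, not code from the guide or the product), the following Python models how the "Export flows matching which event attribute" choices narrow which stored flow entries are exported for an incident: addresses are taken from the triggering event, ports are compared only when marked significant, the protocol check is optional, and the per-incident delay is clamped to the 1 to 256 minute range. The flow record layout, field names and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """A flow entry (also used for the triggering event); field names are assumed."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "IP", "TCP" or "UDP"

@dataclass(frozen=True)
class MatchConfig:
    """The 'Export flows matching which event attribute' choices."""
    use_src_addr: bool = True
    use_dst_addr: bool = True
    src_port_significant: bool = False
    dst_port_significant: bool = False
    same_protocol: bool = False

def flow_matches(flow, event, cfg):
    """True if a stored flow is related to the triggering event under cfg."""
    if cfg.use_src_addr and flow.src_ip != event.src_ip:
        return False
    if cfg.use_dst_addr and flow.dst_ip != event.dst_ip:
        return False
    # Ports narrow the match only when the rule marks them significant.
    if cfg.src_port_significant and flow.src_port != event.src_port:
        return False
    if cfg.dst_port_significant and flow.dst_port != event.dst_port:
        return False
    if cfg.same_protocol and flow.proto != event.proto:
        return False
    return True

def select_flows(flows, event, cfg):
    return [f for f in flows if flow_matches(f, event, cfg)]

def export_due(last_export_min, now_min, delay_min=10):
    """Per-incident throttle: delay is clamped to the 1..256 minute range."""
    delay = min(256, max(1, delay_min))
    return last_export_min is None or now_min - last_export_min >= delay

# Constructed sample data
EVENT = Flow("10.0.0.5", "192.0.2.10", 40000, 80, "TCP")
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 40000, 80, "TCP"),  # exact match
    Flow("10.0.0.5", "192.0.2.10", 40001, 80, "TCP"),  # different source port
    Flow("10.0.0.5", "192.0.2.10", 40000, 80, "UDP"),  # different protocol
    Flow("10.0.0.6", "192.0.2.10", 40000, 80, "TCP"),  # different source host
]
```

With the default address-only configuration three of the four sample flows are selected; making the source port significant and requiring the same protocol narrows the export to the exact match only.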