01-22-2005 01:35 PM - edited 03-10-2019 01:14 AM
Is there any way to change the action triggered by the signature based upon the network/host source/destination address in all kinds of engines? In the Atomic engine it is possible - for example, triggering different levels of alarms based upon the victim network address. What about all the other engines?
01-24-2005 07:32 AM
Question: Is there any way to change the action triggered by the signature based upon the network/host source/destination address in all kinds of engines?
Response: No. When the signature is defined the selected actions will take place regardless of the addresses (unless the alarm is filtered).
Question: In the Atomic engine it is possible - for example, triggering different levels of alarms based upon the victim network address. What about all the other engines?
Answer: No. In version 4.x the alarm is either triggered and the actions taken, or the alarm is filtered and no actions are taken.
SIDE NOTE:
Some of this changes in version 5.0.
You still won't be able to assign specific actions for a given address set. But combinations of some of the added features may come close to providing you the granularity you are asking for.
I would suggest posting this question again after 5.0 is released. Then I will be able to go into feature details and give you some hints and tricks to get close to what you are asking for.
01-25-2005 07:14 AM
Thanks, that's exactly (unfortunately) how I thought it works.