Address parameters in the signature definitions (4.1)

k.lapczuk · ‎01-22-2005

Is there any way to change the action triggered by the signature based upon the network/host source/destination address in all kinds of engines? In Atomic engine it is possible - for example triggering different levels of alarms, based upon the victim network address. What about the all other engines?

marcabal · ‎01-24-2005

Question: Is there any way to change the action triggered by the signature based upon the network/host source/destination address in all kinds of engines?

Response: No. When the signature is defined the selected actions will take place regardless of the addresses (unless the alarm is filtered).

Question: In Atomic engine it is possible - for example triggering different levels of alarms, based upon the victim network address. What about the all other engines?

Answer: No In version 4.x the alarm is either triggered and the actions taken, or the alarm is filtered and no actions are taken.

SIDE NOTE:

Some of this changes in version 5.0.

You still won't be able to assign specific actions for a given address set. But combinations of some of the added features may come close to providing you the granularity you are asking for.

I would suggest posting this question again after 5.0 is released. Then I will be able to go into feature details and give you some hints and tricks to get close to what you are asking for.

k.lapczuk · ‎01-25-2005

Thanks, that exactly (unfortunately) how I thought it works.