mabusedira
Beginner

block attacker only if target is specific host only

I want to do the following:

Only if the target of the attack is MailSrv

and the RR > 85

--->block attacker

If target is any other host -->

don't block

===========

My problem is that I cannot specify the dst IP in the event action override.

So my only choice was:

event action override: if RR > 85 block

but this blocks if the attack is against ANY host, not MailSrv only.

mabusedira
Beginner

I will try to make it more clear.

I want everything to behave normally.

Only when attacks are on MailSrv I want to block.

Hi

Are you already using value target rating for your Mail server?

If you are not, then assign a critical host value; doing that will raise the risk rating and fire the block action.

The other targets will have a RR < 85.

Remember the RR depends on 3 parameters: severity of the alarm, fidelity value and VALUE TARGET RATING.

I hope this helps (rate if it does)

Alberto Giorgi from Spain
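
The effect of the target value rating on the RR > 85 override, worked through as an added example (not code from the thread or from the vendor). The formula and the numeric weights are assumptions taken from the Cisco IPS 6.x/7.x risk rating documentation, and the addresses, events and function names are constructed for illustration.

```python
# Assumed weights (Cisco IPS 6.x/7.x documentation, not stated in the thread).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # alert severity
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

def risk_rating(severity, fidelity, target_value="medium", arr=0, pd=0, wlr=0):
    """Assumed formula: RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100.

    fidelity is the signature fidelity rating (0-100); arr, pd and wlr are the
    attack relevancy, promiscuous delta and watch list terms, left at 0 here.
    """
    base = ASR[severity] * TVR[target_value] * fidelity // 10000
    return max(0, min(100, base + arr - pd + wlr))

def blocked(events, host_values, threshold=85):
    """Return (attacker, target, rr) for every event whose RR exceeds the threshold."""
    hits = []
    for ev in events:
        # Assumption: hosts without an explicit target value are rated "medium".
        tv = host_values.get(ev["target"], "medium")
        rr = risk_rating(ev["severity"], ev["fidelity"], tv)
        if rr > threshold:
            hits.append((ev["attacker"], ev["target"], rr))
    return hits

# Constructed sample data (documentation address ranges).
MAILSRV = "192.0.2.25"   # hypothetical address for MailSrv
OTHER = "192.0.2.40"     # any other host
HOST_VALUES = {MAILSRV: "mission-critical"}
EVENTS = [
    {"attacker": "198.51.100.7", "target": MAILSRV, "severity": "high", "fidelity": 80},
    {"attacker": "198.51.100.7", "target": OTHER, "severity": "high", "fidelity": 80},
    {"attacker": "198.51.100.9", "target": MAILSRV, "severity": "medium", "fidelity": 60},
    {"attacker": "198.51.100.9", "target": OTHER, "severity": "high", "fidelity": 95},
]

if __name__ == "__main__":
    for attacker, target, rr in blocked(EVENTS, HOST_VALUES):
        print(f"block {attacker} (target {target}, RR {rr})")
    # Lowering the other host's target value keeps the fidelity-95 event under 85.
    print(blocked(EVENTS, {**HOST_VALUES, OTHER: "low"}))
```

With these constructed events the last one still crosses the threshold on a medium-value host, so it is worth checking which high-severity, high-fidelity signatures can exceed 85 without the MailSrv multiplier before relying on the override alone.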
