I want to do the following:
Only if the target of the attack is MailSrv
and the RR > 85
--->block attacker
If target is any other host -->
don't block
===========
My problem is that I cannot specify the dst IP in the event action override.
So my only choice was:
event action override: if RR > 85 block
but this blocks if the attack is against ANY host, not MailSrv only.
I will try to make it more clear.
I want everything to behave normally.
Only when attacks are on MailSrv do I want to block.
Hi
Are you already using the target value rating for your mail server?
If not, assign it a critical host value; doing that will raise the risk rating and fire the block action.
The other targets will have an RR < 85.
Remember the RR depends on 3 parameters: severity of the alarm, fidelity value and TARGET VALUE RATING.
I hope this helps (rate if it does).
Alberto Giorgi from Spain
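To make the reply's point concrete, here is an added worked example (not from either poster, and not Cisco code) that models how a per-host target value rating changes the risk rating while the event action override itself stays global. The severity and target value weights and the base formula ASR * TVR * SFR / 10000 are taken from Cisco IPS sensor documentation and are an assumption to verify against your sensor version; the mail server address, the signature fidelity of 80 and the "block"/"alert" action names are constructed for the example.

```python
import ipaddress

# Attack Severity Rating (ASR) and Target Value Rating (TVR) weights as
# documented for Cisco IPS sensors (assumption: check your sensor version).
# Signature Fidelity Rating (SFR) is a 0-100 value carried by each signature.
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Constructed target-value-rating table: only the mail server gets a critical
# rating; every other host keeps the sensor default.
TVR_TABLE = {
    ipaddress.ip_address("10.0.0.25"): "mission-critical",  # MailSrv (constructed address)
}
DEFAULT_TVR = "medium"   # rating applied to hosts with no explicit TVR entry

BLOCK_THRESHOLD = 85     # the global "RR > 85 -> block" override from the thread


def target_value_for(dst_ip):
    """Look up the TVR for a destination host, falling back to the default."""
    return TVR_TABLE.get(ipaddress.ip_address(dst_ip), DEFAULT_TVR)


def risk_rating(severity, fidelity, target_value):
    """Base risk rating: ASR * TVR * SFR / 10000, capped at 100.

    Only the three inputs named in the reply are modelled; the attack
    relevance, promiscuous delta and watch-list adjustments are left out.
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be between 0 and 100")
    rr = ATTACK_SEVERITY[severity] * TARGET_VALUE[target_value] * fidelity / 10000
    return min(100, round(rr))


def action_for(dst_ip, severity, fidelity):
    """Apply the global override: block only when RR exceeds the threshold.

    Returns (risk_rating, action) so the decision can be inspected.
    """
    rr = risk_rating(severity, fidelity, target_value_for(dst_ip))
    return rr, ("block" if rr > BLOCK_THRESHOLD else "alert")


if __name__ == "__main__":
    # Same signature (high severity, SFR 80) hitting the mail server and
    # an ordinary host: only the mail server crosses the threshold.
    for dst in ("10.0.0.25", "10.0.0.40"):
        rr, action = action_for(dst, "high", 80)
        print(f"{dst}: TVR={target_value_for(dst)} RR={rr} -> {action}")
```

With the default rating a high-severity, SFR-80 signature scores 80, below the override, so ordinary hosts only alert; the mission-critical rating on the mail server multiplies the same event past 100, so the unchanged global override blocks there and nowhere else. The thing to check on a real sensor is that no other host has been given a high or mission-critical rating, since any such host would also start blocking.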