05-11-2006 03:42 AM - edited 03-10-2019 03:00 AM
I want to do the following:
Only if the target of the attack is MailSrv
and the RR > 85
--->block attacker
If target is any other host -->
don't block
===========
My problem is that I cannot specify the dst IP in the event action override.
So my only choice was:
event action override: if RR > 85 block
but this blocks if the attack is against ANY host, not MailSrv only.
05-11-2006 05:01 AM
I will try to make it more clear.
I want everything to behave normally.
Only when attacks are on MailSrv I want to block.
05-11-2006 11:43 AM
Hi
Are you already using value target rating for your Mail server?
If you are not, then assign it a critical host value; doing that will raise the risk rating and fire the block action.
The other targets will have a RR < 85.
Remember the RR depends on 3 parameters: severity of the alarm, fidelity value and VALUE TARGET RATING.
I hope this helps (rate if it does)
Alberto Giorgi from Spain
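
Added example, not part of the thread: a small calculator that shows which target values push a signature over the RR > 85 override from the question. The formula RR = ASR * TVR * SFR / 10000 (capped at 100) and the numeric weights are assumptions based on the IPS 5.x risk rating scheme; check them against your sensor version. The sample signatures are constructed.

```python
# Assumed IPS 5.x weights (not taken from the thread; verify on your sensor).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # alert severity
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150,
       "mission-critical": 200}                                     # target value
THRESHOLD = 85  # event action override from the question: block if RR > 85


def risk_rating(severity, fidelity, target_value):
    """Assumed formula: RR = ASR * TVR * SFR / 10000, truncated and capped at 100."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0-100")
    return min(ASR[severity] * TVR[target_value] * fidelity // 10000, 100)


def blocks(severity, fidelity, target_value, threshold=THRESHOLD):
    """True when the override would add the block action for this event."""
    return risk_rating(severity, fidelity, target_value) > threshold


def blocking_targets(severity, fidelity):
    """Target value classes for which this signature crosses the threshold."""
    return [tv for tv in TVR if blocks(severity, fidelity, tv)]


# Constructed sample signatures: (severity, fidelity).
SAMPLES = [("high", 100), ("high", 85), ("medium", 75), ("low", 100)]

if __name__ == "__main__":
    for sev, sfr in SAMPLES:
        ratings = {tv: risk_rating(sev, sfr, tv) for tv in TVR}
        print(f"{sev:>6}/{sfr:<3} RR by target value: {ratings}")
        print(f"{'':>10} blocks on: {blocking_targets(sev, sfr)}")
```

Under these assumed weights, a high-severity signature with fidelity 100 still reaches RR 100 against a medium-value target, so it is worth running the numbers for the signatures you expect before relying on the target value alone to limit blocking to MailSrv.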