Hi is there an option when this signature fires to block the attacker or this attack and not just log the attack? I tried to set the actions but the log says no action taken.
Yes, when you set the actions, you can select deny atacker inline. Make sure thou, that there are no Event action filters and that the IPS is inline between the hosts.
Hi Thx for the answer. I did add the action but no luck or does it nog log this action? The traffic hits the client inside the network so the ips does not block.
Event ID
1397033001306299442
Severity
high
Host ID
IPS-DEB1-1
Application Name
sensorApp
Event Time
01/06/2015 10:18:30
Sensor Local Time
01/06/2015 09:18:30
Signature ID
6009
Signature Sub-ID
0
Signature Name
SYN Flood DOS
Signature Version
S593
Signature Details
SYN Flood DOS
Interface Group
vs1
VLAN ID
0
Interface
te7_0
Attacker IP
xx.xx.xxx.84
Protocol
tcp
Attacker Port
1321
Attacker Locality
OUT
Target IP
yy.yy.yy.102
Target Port
80
Target Locality
OUT
Target OS
unknown unknown (relevant)
Actions
Risk Rating
TVR=medium ARR=relevant
Risk Rating Value
95
Threat Rating
95
Reputation
Context Data
Packet Data
Event Summary
0
Initial Alert
Summary Type
Final Alert
Event Status
New
Event Notes
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
