681 Views, 4 Helpful, 7 Replies

What is the default action of CSA?

nitass
Level 1

Hi all,

I am a newcomer to CSA. I have a few questions, as follows. Could you please clarify them for me?

1. If no rule matches the event, what action will take place? Allow or Deny?

2. If the answer to the first question is allow, how can it protect the system from a zero day attack?

Thanks so much,

Nitass

1 Accepted Solution

7 Replies

purohit_810
Level 5

In case you have selected the box "TAKE PRECEDENCE OVER OTHER DENY RULES",

then it will be Deny. Otherwise it will act according to the rules.

See figure 2-12 at URL: http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap2.html

Regards,

Dharmesh Purohit

Thanks for your reply. Could you please explain it to me in more detail?

My question is: when an event (from an agent) does not match any of the rules that I configured for that group, what would happen? Is it allow or deny?

Thanks again,

Nitass

Can you provide an example of one of these events?

If there is an event reported by an agent, it is usually associated with a rule that is set to log.

Tom

Thanks Tom. I just imagined it.

I just want to know, in case the rules do not cover all the events, what action would it take? Would it allow or deny those events?

Thanks so much,

Nitass

That's Ok. I just found that the implicit action is allow.

Thanks again,

Nitass

Nitass,

You are right that if no rules are triggered, CSA does not interfere with the application. But to answer the second half of your original question, CSA protects against zero day attacks by monitoring behavior, rather than signatures. In other words, it doesn't matter what the attack code looks like, it matters what it does. For example, if you get attacked by a new virus, you may not have a signature for your anti virus software to detect it. But if it tries to install a copy on your computer, or attempts to install a rootkit, or opens a port for listening, or scans for other vulnerable hosts, CSA will detect those actions and block them.
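
The two points the thread arrives at (an unmatched event is implicitly allowed, and protection comes from matching what a process does rather than what its binary looks like) can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not Cisco code and not CSA's actual rule-resolution algorithm. The `Event`, `Rule`, `evaluate` and `POLICY` names, the action vocabulary (`listen`, `write_file`, `load_driver`, `connect`, `read_file`) and the `overrides_deny` flag (a loose stand-in for the "take precedence over other deny rules" checkbox quoted above) are all hypothetical, and the paths and hashes are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed event model: what an agent reports about one process action.
@dataclass(frozen=True)
class Event:
    process: str   # executable path of the acting process
    sha256: str    # hash of the executable (constructed, only to show it is never consulted)
    action: str    # observed behaviour: "listen", "write_file", "load_driver", "connect", ...
    target: str    # port, path or host the action was performed on

@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    action: str                   # "allow", "deny" or "log"
    overrides_deny: bool = False  # hypothetical flag: an allow rule that wins over deny rules

# The implicit action the thread concludes on: no matching rule means the agent does not interfere.
DEFAULT_ACTION = "allow"

def evaluate(event: Event, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Return (decision, names of rules that matched).

    Simplified resolution order (an assumption of this example, not CSA's own):
    no match -> DEFAULT_ACTION; an allow rule flagged overrides_deny beats deny;
    otherwise any deny wins; otherwise allow; log-only matches record but do not block.
    """
    matched = [r for r in rules if r.matches(event)]
    names = [r.name for r in matched]
    if not matched:
        return DEFAULT_ACTION, names
    if any(r.action == "allow" and r.overrides_deny for r in matched):
        return "allow", names
    if any(r.action == "deny" for r in matched):
        return "deny", names
    if any(r.action == "allow" for r in matched):
        return "allow", names
    return DEFAULT_ACTION, names  # only "log" rules matched

TRUSTED_DIR = "C:\\Program Files\\Trusted\\"

# Behaviour rules: they look at the action and its target, never at the binary's hash.
def unknown_process_listens(e: Event) -> bool:
    return e.action == "listen" and not e.process.startswith(TRUSTED_DIR)

def writes_system_dir(e: Event) -> bool:
    return e.action == "write_file" and e.target.lower().startswith("c:\\windows\\system32\\")

def loads_driver(e: Event) -> bool:
    return e.action == "load_driver"

POLICY = [
    Rule("log-outbound-connect", lambda e: e.action == "connect", "log"),
    Rule("deny-listen-unknown", unknown_process_listens, "deny"),
    Rule("deny-write-system32", writes_system_dir, "deny"),
    Rule("deny-load-driver", loads_driver, "deny"),
    # A known updater is allowed to write into System32 even though a deny rule also matches.
    Rule("allow-trusted-updater-system32",
         lambda e: e.process == TRUSTED_DIR + "updater.exe" and e.action == "write_file",
         "allow", overrides_deny=True),
]

def demo() -> dict:
    """Constructed events showing default allow and hash-independent behaviour matching."""
    events = {
        # Two never-seen binaries with different hashes performing the same behaviour.
        "unknown_a_listens": Event("C:\\Users\\x\\a.exe", "aaa111", "listen", "0.0.0.0:4444"),
        "unknown_b_listens": Event("C:\\Users\\x\\b.exe", "bbb222", "listen", "0.0.0.0:8080"),
        "updater_writes_system32": Event(TRUSTED_DIR + "updater.exe", "ccc333",
                                         "write_file", "C:\\Windows\\System32\\x.dll"),
        # Nothing in POLICY talks about reading user files: the implicit action applies.
        "notepad_reads_file": Event("C:\\Windows\\notepad.exe", "ddd444",
                                    "read_file", "C:\\Users\\x\\notes.txt"),
        "unknown_a_connects": Event("C:\\Users\\x\\a.exe", "aaa111", "connect", "10.0.0.5:80"),
    }
    return {name: evaluate(ev, POLICY) for name, ev in events.items()}

if __name__ == "__main__":
    for name, (decision, matched) in demo().items():
        print(f"{name:28s} -> {decision:5s} (matched: {matched or 'none'})")
```

Running it shows both unknown binaries blocked by the same `deny-listen-unknown` rule without any signature for either, the trusted updater allowed despite a deny match, and the file read allowed purely because nothing matched; the last case is the "implicit allow" Nitass found, and the reason the behaviour rules have to cover the actions that matter.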

Many thanks. It is exactly what I am looking for.

Thanks again,

Nitass
