08-05-2007 07:10 AM - edited 03-10-2019 03:44 AM
Hi all,
I am a newcomer to CSA. I have a few questions, as follows. Could you please clarify them for me?
1. If none of the rules match the event, what action will take place? Allow or Deny?
2. If the answer to the first question is allow, how can it protect the system from a zero-day attack?
Thanks so much,
Nitass
08-05-2007 04:04 PM
In case you have selected the box "TAKE PRECEDENCE OVER OTHER DENY RULES",
then it will be Deny. Otherwise it will act according to the rules.
See figure 2-12 at URL: http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap2.html
Regards,
Dharmesh Purohit
08-05-2007 07:37 PM
Thanks for your reply. Could you please explain it to me in more detail?
My question is: when an event (from an agent) does not match any of the rules that I configured for that group, what action would it take? Is it allow or deny?
Thanks again,
Nitass
08-05-2007 09:31 PM
Can you provide an example of one of these events?
If there is an event reported by an agent, it is usually associated with a rule that is set to log.
Tom
08-06-2007 03:38 AM
Thanks Tom. I just imagined it.
I just want to know, in case the rules do not cover all the events, what action would it take? Would it allow or deny those events?
Thanks so much,
Nitass
08-07-2007 06:46 AM
That's OK. I just found out that the implicit action is allow.
Thanks again,
Nitass
08-30-2007 10:05 AM
Nitass,
You are right that if no rules are triggered, CSA does not interfere with the application. But to answer the second half of your original question, CSA protects against zero-day attacks by monitoring behavior, rather than signatures. In other words, it doesn't matter what the attack code looks like, it matters what it does. For example, if you get attacked by a new virus, you may not have a signature for your anti-virus software to detect it. But if it tries to install a copy on your computer, or attempts to install a rootkit, or opens a port for listening, or scans for other vulnerable hosts, CSA will detect those actions and block them.
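To make the two points settled in this thread concrete (an event that triggers no rule falls through to the implicit Allow, and a Deny marked "take precedence over other deny rules" wins over an Allow), here is an added toy evaluator in Python. It is not Cisco's code or anything from the CSA user guide; the resolution order High-priority Deny > Allow > Deny and the sample policy, process names and paths are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not Cisco's code: a toy behaviour-based evaluator for the two
# points settled in this thread (implicit Allow when nothing matches, and a
# Deny marked "take precedence over other deny rules" beating an Allow).
# Assumption: matching rules are resolved High-priority Deny > Allow > Deny.

@dataclass
class Event:
    process: str
    action: str   # what the code does ("write", "listen", "scan"), not how it looks
    target: str   # file path, port, or host range

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    matches: Callable[[Event], bool]
    high_priority: bool = False       # "take precedence over other deny rules"

def evaluate(event: Event, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (decision, rule name); rule name is None for the implicit allow."""
    hits = [r for r in rules if r.matches(event)]
    for pick in (lambda r: r.action == "deny" and r.high_priority,  # assumed order
                 lambda r: r.action == "allow",
                 lambda r: r.action == "deny"):
        for r in hits:
            if pick(r):
                return r.action, r.name
    return "allow", None   # no rule triggered: CSA does not interfere

DRIVERS = "C:\\Windows\\System32\\drivers\\"   # constructed sample path
# Constructed sample policy: rules key on behaviour, not on signatures
POLICY = [
    Rule("Word may write documents", "allow",
         lambda e: e.process == "winword.exe" and e.action == "write"),
    Rule("No listening sockets from desktop apps", "deny",
         lambda e: e.action == "listen"),
    Rule("Never write kernel drivers", "deny",
         lambda e: e.action == "write" and e.target.startswith(DRIVERS),
         high_priority=True),
]

if __name__ == "__main__":
    for ev in (Event("winword.exe", "write", "C:\\Users\\nitass\\report.doc"),
               Event("winword.exe", "write", DRIVERS + "dropped.sys"),
               Event("unknown.exe", "listen", "tcp/8080"),
               Event("notepad.exe", "write", "C:\\Users\\nitass\\notes.txt")):
        print(ev.process, ev.action, ev.target, "->", evaluate(ev, POLICY))
```

The second event shows the thread's precedence point: Word is allowed to write documents, but the high-priority deny on the drivers directory still wins; the last event shows the implicit allow.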
08-30-2007 08:08 PM
Many thanks. It is exactly what I was looking for.
Thanks again,
Nitass