
block attacker only if target is specific host only

mabusedira
Level 1

I want to do the following:

Only if the target of the attack is MailSrv

and the RR > 85

--->block attacker

If target is any other host -->

don't block

===========

My problem is that I cannot specify the dst IP in the event action override.

So my only choice was:

event action override: if RR > 85 block

but this makes it block if the attack is against ANY host, not MailSrv only.

2 Replies

mabusedira
Level 1

I will try to make it more clear.

I want everything to behave normally.

Only when attacks are on MailSrv I want to block.

Hi

Are you already using value target rating for your Mail server?

If you are not, then assign a critical host value; doing that will raise the risk rating and fire the block action.

The other targets will have a RR < 85.

Remember the RR depends on 3 parameters: severity of the alarm, fidelity value and VALUE TARGET RATING.

I hope this helps (rate if it does)

Alberto Giorgi from Spain
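
The suggestion in the reply above, worked through numerically as an added example that is not part of the original thread. It assumes the three-factor form RR = ASR × TVR × SFR / 10000 capped at 100, with the numeric severity and target-value weights below as assumptions; the signature names are constructed.

```python
# Added illustration. The weights are assumptions (commonly documented
# Cisco IPS values), not taken from this thread.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # alert severity
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150,
       "mission-critical": 200}                                      # target value
BLOCK_THRESHOLD = 85   # override from the thread: block when RR > 85


def risk_rating(severity, fidelity, target_value):
    """Three-factor RR, integer arithmetic, clamped to 0..100."""
    rr = ASR[severity] * TVR[target_value] * fidelity // 10000
    return max(0, min(100, rr))


def blocks(severity, fidelity, target_value):
    return risk_rating(severity, fidelity, target_value) > BLOCK_THRESHOLD


def classify(severity, fidelity, mail_tvr="mission-critical", other_tvr="medium"):
    """Say which hosts the RR > 85 override would block for one signature."""
    mail = blocks(severity, fidelity, mail_tvr)
    other = blocks(severity, fidelity, other_tvr)
    if mail and other:
        return "blocks-any-host"
    if mail:
        return "blocks-mailsrv-only"
    if other:
        return "blocks-others-only"
    return "never-blocks"


# Constructed sample signatures: (name, severity, fidelity rating 0..100)
SIGNATURES = [
    ("sig-A", "high", 100),
    ("sig-B", "high", 85),
    ("sig-C", "medium", 100),
    ("sig-D", "low", 75),
]

if __name__ == "__main__":
    for other_tvr in ("medium", "low"):
        print(f"other hosts at target value '{other_tvr}':")
        for name, sev, fid in SIGNATURES:
            rr_mail = risk_rating(sev, fid, "mission-critical")
            rr_other = risk_rating(sev, fid, other_tvr)
            print(f"  {name}: MailSrv RR={rr_mail:3d} other RR={rr_other:3d} "
                  f"-> {classify(sev, fid, other_tvr=other_tvr)}")
```

A signature that comes out as `blocks-any-host` exceeds RR 85 even against a medium-value target, so raising only MailSrv's target value does not confine the block for it. Under these assumed weights, setting the other hosts to a low target value caps their RR at 75 and keeps the override from firing for them.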
