05-11-2006 03:42 AM - edited 03-10-2019 03:00 AM
I want to do the following:
Only if the target of the attack is MailSrv
and the RR > 85
--->block attacker
If target is any other host -->
don't block
===========
My problem is that I cannot specify the dst IP in the event action override.
So my only choice was:
event action override: if RR > 85 block
but this blocks if the attack is against ANY host, not MailSrv only.
05-11-2006 05:01 AM
I will try to make it more clear.
I want everything to behave normally.
Only when attacks are on MailSrv I want to block.
05-11-2006 11:43 AM
Hi
Are you already using value target rating for your Mail server?
If you are not, then assign a critical host value; doing that will raise the risk rating and fire the block action.
The other targets will have a RR < 85.
Remember, the RR depends on 3 parameters: severity of the alarm, fidelity value and VALUE TARGET RATING.
I hope this helps (rate if it does)
Alberto Giorgi from Spain
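An added example (not from the thread and not Cisco's code) that checks, per signature, which hosts an "RR > 85 -> block" override would act on once MailSrv is given a higher target value. It assumes the formula RR = ASR x TVR x SFR / 10000 capped at 100 and the weights shown, none of which are stated in the thread; the signature names and values are constructed.

```python
# Assumed weights; the thread does not state them. Check your sensor's documentation.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # alert severity
TVR = {"zerovalue": 50, "low": 75, "medium": 100,
       "high": 150, "mission-critical": 200}                        # target value

def risk_rating(severity, fidelity, target_value):
    """Assumed formula: RR = ASR * TVR * SFR / 10000, capped at 100."""
    return min(ASR[severity] * TVR[target_value] * fidelity // 10000, 100)

def override_outcome(severity, fidelity, threshold=85,
                     mail_tvr="mission-critical", other_tvr="medium"):
    """Which hosts would an 'RR > threshold -> block' override act on?"""
    mail = risk_rating(severity, fidelity, mail_tvr) > threshold
    other = risk_rating(severity, fidelity, other_tvr) > threshold
    if mail and other:
        return "blocks-any-host"        # override still fires for non-mail targets
    if mail:
        return "blocks-mailsrv-only"    # the behaviour the original poster wants
    if other:
        return "blocks-others-only"     # only possible if other_tvr > mail_tvr
    return "no-block"

def audit(signatures, **kwargs):
    """Map each (name, severity, fidelity) entry to its override outcome."""
    return {name: override_outcome(sev, fid, **kwargs)
            for name, sev, fid in signatures}

# Constructed sample signatures: (name, severity, fidelity rating 0-100).
SAMPLE_SIGNATURES = [
    ("sig-A", "high", 90),
    ("sig-B", "high", 85),
    ("sig-C", "medium", 75),
    ("sig-D", "low", 80),
    ("sig-E", "informational", 100),
]

if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_SIGNATURES).items():
        print(f"{name}: {outcome}")
```

Under these assumed weights, a high-severity signature with fidelity above 85 still exceeds the threshold on a medium-value host, so signatures in that band need their own review.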