Technical Documentation

Downloads
Understanding IDP Rulebase Notification Options

Related Topics
Understanding the IDP Rulebase
IDP Logs Overview
IDP Logs and Reports in NSM Task Summary

Understanding IDP Rulebase Notification Options

You use notification features to help you manage your network, analyze your network security, validate your security policy, and capture forensic evidence of attacks. You can set notification options per rule.

The first time you design a security policy, you might be tempted to log all data for all attacks and let the policy run indefinitely. We recommend you take a more refined approach. Some attack objects are informational only, and others can generate false positives and redundant logs. If you become overloaded with data, you can miss something important. Remember that security policies that generate too many log records are hazardous to the security of your network, as you might discover an attack too late or miss a security breach entirely as a result of having to sift through hundreds of log records. Excessive logging can also affect IDP throughput, performance, and available disk space. A good security policy generates enough logs to fully document only the important security events on your network.

By default, logging is enabled for IDP rulebase rules. Table 1 describes the notification options you can configure. You also have the option to disable logging.

Table 1: IDP Rulebase Notification Options

Option	Description
Event logs and alerts	You can enable the following delivery and handling options for logs: Send to NSM log viewer. Send to NSM log viewer and flag as an alert. Send to an e-mail address list. Send to syslog. Send to SNMP trap. Save in XML format. Save in CVS format. Process with a script.
Packet captures	Viewing the packets used in an attack on your network can help you determine the extent of the attempted attack and its purpose, whether or not the attack was successful, and any possible damage to your network. If multiple rules with packet capture enabled match the same attack, IDP captures the maximum specified number of packets. For example, you configure rule 1 to capture 10 packets before and after the attack, and you configure rule 2 to capture 5 packets before and after the attack. If both rules match the same attack, IDP attempts to capture 10 packets before and after the attack. You can capture up to 256 packets before the event and 256 packets after the event. Note: If necessary, you can improve performance by logging only the packets received after the attack.

Option

Description

Event logs and alerts

You can enable the following delivery and handling options for logs:

Send to NSM log viewer.
Send to NSM log viewer and flag as an alert.
Send to an e-mail address list.
Send to syslog.
Send to SNMP trap.
Save in XML format.
Save in CVS format.
Process with a script.

Packet captures

Viewing the packets used in an attack on your network can help you determine the extent of the attempted attack and its purpose, whether or not the attack was successful, and any possible damage to your network.

If multiple rules with packet capture enabled match the same attack, IDP captures the maximum specified number of packets. For example, you configure rule 1 to capture 10 packets before and after the attack, and you configure rule 2 to capture 5 packets before and after the attack. If both rules match the same attack, IDP attempts to capture 10 packets before and after the attack.

You can capture up to 256 packets before the event and 256 packets after the event.

Note: If necessary, you can improve performance by logging only the packets received after the attack.

For complete procedures on setting IDP rulebase notification options, see the IDP Administration Guide.

Technical Documentation

Understanding IDP Rulebase Notification Options

Published: 2010-01-12