Configuring Sensor Event Policies (NSM Procedure)
You can create one or more rules that specify the actions the
Infranet Controller takes when it receives attack alert messages from
an IDP device.
To create an IDP rule:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the Infranet Controller for which you want to specify sensor event policies.
- Click the Configuration tab. In the configuration tree, select System > Configuration > Sensors > Sensor Event Policies.
- Add or modify settings as specified in Table 1.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 1: Sensor Event Policies Configuration Details
| Option | Function | Your Action |
|---|---|---|
| Name | Specifies a unique name for the event. | Enter a name for the event. |
| Event | Specifies an existing event. | Select an existing event. |
| Event Count | Determines the number of times an event must occur before action is taken. | Enter a number between 1 and 256. |
| Action to be taken | Specifies the action to be taken when an event has occurred. | Select one of the following actions:<br>- Ignore (just log the event)—Specifies that the Infranet Controller should log the event, but take no further action against the user profile to which this rule applies. This option is best used to deal with very minor “informational” attack alert messages that come from the IDP device.<br>- Terminate user session—Specifies that the Infranet Controller should immediately terminate the user session and require the user to sign in to the Infranet Controller again.<br>- Disable user account—Specifies that the Infranet Controller should disable the user profile associated with this attack alert message, thus rendering the client unable to sign in to the Infranet Controller until the administrator reenables the user account. (This option is only applicable for users who have a local Infranet Controller user account.)<br>- Replace user’s role with this one—Specifies that the role applied to this user’s profile should change to the role you select from the associated drop-down list. This new role remains assigned to the user profile until the session terminates. This feature allows you to assign a user to a specific controlled role of your choice, based on specific IDP events. For example, if the user performs attacks, you might assign the user to a restricted role that limits the user’s access and activities. |
| Replace user role with this role | Specifies that the role applied to the user’s profile should change to the role selected from this list. | Select a role from this list. |
| Replace user role | Specifies whether the role assignment is permanent or only for a session. | Select a role assignment option:<br>- Permanent—User remains in the quarantined state across subsequent logins until the administrator releases the user from the quarantined state.<br>- For this session only—Default. User can log in to another session. |
| Applies to role | Specifies the roles to which the policy is applicable. | Select one of the following options:<br>- All—To apply this policy to all users.<br>- Selected—To apply this policy only to users who are mapped to roles in the Members list. Make sure to add roles to this list from the Non-members list.<br>- Except for those selected—To apply this policy to all users except for those who are mapped to the roles in the Members list. Make sure to add roles to this list from the Non-members list. |
| Role Selection | Specifies the selected roles. | Select roles from the Non-members list and click Add to move them to the Members list. |
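The rule fields in Table 1, modelled as an added Python sketch that is not Juniper's code or an NSM API: it checks a rule against the table's constraints and shows how Event Count and the Applies to role scope together decide which users receive the action. The action and scope labels, per-user counting with no reset window, "any role matches" membership, and the sample users, roles and event name are all assumptions made for illustration.

```python
# Illustrative model; action/scope labels are invented here, not NSM identifiers.
from collections import Counter
from dataclasses import dataclass

ACTIONS = {"ignore", "terminate-session", "disable-account", "replace-role"}
SCOPES = {"all", "selected", "except-selected"}

@dataclass(frozen=True)
class SensorEventPolicy:
    name: str
    event: str
    event_count: int
    action: str
    scope: str = "all"
    members: frozenset = frozenset()   # roles in the Members list
    new_role: str = ""                 # only used with replace-role

    def problems(self):
        """Return the Table 1 constraints this rule violates (empty if none)."""
        checks = [
            (bool(self.name.strip()), "Name is empty"),
            (1 <= self.event_count <= 256, "Event Count must be between 1 and 256"),
            (self.action in ACTIONS, "unknown action"),
            (self.scope in SCOPES, "unknown scope"),
            (self.action != "replace-role" or bool(self.new_role), "replacement role not selected"),
            (self.scope == "all" or bool(self.members), "Members list is empty"),
        ]
        return [msg for ok, msg in checks if not ok]

    def applies_to(self, user_roles):
        # Assumption: a user matches the Members list if any of their roles is in it.
        hit = bool(self.members & set(user_roles))
        return {"all": True, "selected": hit, "except-selected": not hit}[self.scope]

def evaluate(policy, alerts, roles_by_user):
    """Map user -> action once that user's matching alerts reach Event Count (assumed per user)."""
    counts, decisions = Counter(), {}
    for user, event in alerts:
        if event == policy.event and policy.applies_to(roles_by_user.get(user, ())):
            counts[user] += 1
            if counts[user] >= policy.event_count:
                decisions[user] = policy.action
    return decisions

# Constructed sample data: event, role and user names are hypothetical.
POLICY = SensorEventPolicy("quarantine-scanners", "port-scan", 3, "replace-role",
                           "except-selected", frozenset({"Admins"}), "Restricted")
ROLES = {"alice": {"Employees"}, "bob": {"Admins"}, "carol": {"Contractors"}}
ALERTS = [("alice", "port-scan")] * 3 + [("bob", "port-scan")] * 5 + [("carol", "port-scan")] * 2
```

With the sample data, only alice is moved to the replacement role: bob is excluded by the "Except for those selected" scope and carol has not reached the Event Count of 3.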
Published: 2009-08-20