Configuring Network Honeypot Rulebase Rules (NSM Procedure)
The network honeypot rulebase is a method to detect reconnaissance (investigation) activity: IDP impersonates services that are not actually running, so any connection to them is a sign that someone is probing your network.
To configure a network honeypot rulebase rule:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select and double-click the security policy to which you want to add the network honeypot rulebase rule.
- Click New in the upper right corner of the policy viewer and select Add Network Honeypot Rulebase.
- Click the New button within the rules viewer to add a rule.
- Modify the property of the rule by right-clicking the table cell for the property and making your modifications.
- Configure or modify the rule using the settings described in Table 33.
Table 33: Network Honeypot Rulebase Rule Properties

| Option | Function | Your Action |
|---|---|---|
| No | Specifies if you want to add, delete, copy, or reorder rules. | Right-click the table cell for the rule number and make your required modifications. |
| Source Address | Specifies the address object that is the source of the traffic. | Select any source address or group. |
| Impersonate > Destination | Specifies the address object that is the destination of the traffic, typically a server or other device on your network. | Select the destination object. Note: You can also negate one or more address objects to specify all destinations except the excluded object. |
| Impersonate > Service | Specifies the services running on your network. | Select the services you want to monitor. |
| Operation | Specifies whether or not IDP fakes open ports. | Select any of the following options: |
| IP Action | Allows you to log, drop, or close the current connection for each attack that matches a rule. | Select Configure to do any one of the following actions: |
| Notification | Allows you to create log records with attack information that you can view in real time in the Log Viewer. Note: For more critical attacks, you can also set an alert flag to appear in the log record. | Select Configure to create log records. Note: The Configure menu option does not appear if the Mode column is set to None. |
| VLAN Tag | Specifies that you can configure a rule to apply only to messages in certain VLANs. | Set a value by selecting any of the following options: |
| Severity | Specifies if you can override the inherent attack severity on a per-rule basis within the IDP rulebase. | Set the severity to Default, Info, Warning, Minor, Major, or Critical. Note: This column only appears when you view the Security Policy in Expanded Mode. |
| Install On | Specifies the security devices or templates that receive and use this rule. | Select the target security device. Note: You can also select multiple security devices on which to install the rule. |
| Comments | Specifies any miscellaneous comment about the rule's purpose. | Enter any additional comments about the rule. |

Note: The IDP drops MPLS traffic that matches a Network Honeypot rule. When the IDP engine processes MPLS traffic, it stores the MPLS label information. It stores separate labels for client-to-server and server-to-client communication. In the case of traffic that matches Network Honeypot rules, there is no genuine server-to-client communication, so the IDP engine does not have server-to-client MPLS label information. Therefore, the impersonation operation is not supported.
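To make the rule semantics in Table 33 concrete, the following added example (written for this page, not NSM or IDP code) models a honeypot rulebase as data and evaluates flows against it: first match in rule order wins, a negated destination means "every destination except the listed objects", a VLAN tag restricts the rule, Install On limits it to named devices, and matching MPLS traffic is dropped rather than impersonated, as the note above describes. The class names, field names, rule numbers and sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical model of one Network Honeypot rulebase row (assumed field names).
@dataclass
class HoneypotRule:
    number: int                      # "No" column; evaluation order
    source: str                      # "any" or a CIDR (Source Address)
    destinations: list               # CIDRs for Impersonate > Destination
    negate_destination: bool         # True = all destinations except those listed
    services: set                    # {(proto, port)} for Impersonate > Service
    vlan: Optional[int] = None       # None = applies to every VLAN
    operation: str = "impersonate"   # "impersonate" (fake open ports) or "none"
    install_on: set = field(default_factory=set)  # devices the rule is installed on

# Hypothetical flow as seen by the IDP engine (constructed for the example).
@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    vlan: Optional[int] = None
    mpls: bool = False
    device: str = "idp-1"

def _in_any(addr: str, cidrs) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def rule_matches(rule: HoneypotRule, flow: Flow) -> bool:
    """Apply every column of the rule to the flow; all must agree."""
    if rule.install_on and flow.device not in rule.install_on:
        return False
    if rule.source != "any" and not _in_any(flow.src, [rule.source]):
        return False
    dst_hit = _in_any(flow.dst, rule.destinations)
    if rule.negate_destination:          # "all destinations except the excluded object"
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    if (flow.proto, flow.dport) not in rule.services:
        return False
    if rule.vlan is not None and flow.vlan != rule.vlan:
        return False
    return True

def evaluate(rules, flow: Flow) -> Tuple[Optional[int], str]:
    """Return (matching rule number or None, action). First match in "No" order wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, flow):
            if flow.mpls:
                # No genuine server-to-client MPLS label exists for honeypot hits,
                # so the engine cannot impersonate; the traffic is dropped instead.
                return rule.number, "drop"
            if rule.operation == "impersonate":
                return rule.number, "impersonate"
            return rule.number, "none"
    return None, "pass"

def build_sample_rulebase():
    """Two constructed rules: one plain, one with a negated destination and VLAN tag."""
    return [
        HoneypotRule(1, "any", ["10.0.5.0/24"], False,
                     {("tcp", 22), ("tcp", 3389)}, install_on={"idp-1"}),
        HoneypotRule(2, "10.0.0.0/8", ["10.0.5.10/32"], True,
                     {("tcp", 445)}, vlan=100, install_on={"idp-1"}),
    ]

if __name__ == "__main__":
    rules = build_sample_rulebase()
    for f in (Flow("192.0.2.7", "10.0.5.20", "tcp", 22),
              Flow("192.0.2.7", "10.0.5.20", "tcp", 22, mpls=True),
              Flow("10.1.2.3", "10.0.5.10", "tcp", 445, vlan=100),
              Flow("10.1.2.3", "10.0.5.30", "tcp", 445, vlan=100)):
        print(f, "->", evaluate(rules, f))
```

The negated-destination case is the one to check carefully when you build the real rule: rule 2 above impersonates SMB on every host in 10.0.0.0/8 except 10.0.5.10, so a probe of the excluded host falls through to "pass", while the same probe of any other host is impersonated. Because the rulebase is evaluated in "No" order, reordering rules (the "No" column) changes which one fires when two overlap.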
For more information, see the IDP Concepts & Examples guide.