Sensor Actions; Setting Notification For Attacks - McAfee M-1250 - Network Security Platform Configuration Manual

IPS Configuration Guide, version 5.1
McAfee® Network Security Platform 5.1

Tip: McAfee recommends using Wireshark (formerly known as Ethereal) for packet log viewing. Ethereal is a network protocol analyzer for Unix and Windows servers that enables you to examine the data captured by your Network Security Sensor. For information on downloading and use of Ethereal, go to www.wireshark.com http://www.wireshark.org.

Sensor actions

Network Security Sensor actions are responses your Sensor enacts to prevent or deter further attacks. The most effective of these is Drop Further Packets, which is only available in In-line mode—this is the first true implementation of real-time prevention. In most cases, attack packets reach the intended target before a preventative action can be enforced. Drop Further Packets drops the offending transmission during Sensor inspection. This option must be enabled in the Response section of any Exploit or Denial of Service (DoS) attack during policy creation/cloning.

The other Sensor actions available are:

- IPS Quarantine: based on the configuration, quarantine and remediation is performed by the Sensor. For more information, see IPS Quarantine settings (on page 108).
- Block DoS Packets: blocks further packets for a detected DoS attack. In this case, you have not configured the Drop Further Packets response; however, the Threat Analyzer allows you to drop further packets of an ongoing DoS attack.
- Enable TCP Reset: disconnects a TCP connection at the source, destination, or both ends of the transmission.
- Send ICMP Host Not Reachable to Intruder: sends this message to the attack source for ICMP transmissions.
- Alert Filtering: limits the alerts generated by excluding certain Source and Destination IP address parameters.

Setting notification for attacks

Attack detection, alerting, and Sensor response together form a very effective process for managing your network's security. Network Security Platform also provides administrator notification for selected attacks. A notification is a message sent via email, email pager, or script for any attack you regard as high priority. A message is sent with information pertaining to the attack name, severity, detected time, and so on. Notification is configured on a per-attack basis; you can enable this feature within the customization of any Exploit, Denial of Service (DoS), or Reconnaissance attack. Details for enabling notification for Exploit and DoS attacks are presented in this chapter.

You also have the option to automatically acknowledge any attack within the Notification category. The Auto. Acknowledge option marks an alert as Acknowledged for the purposes of alert viewing and report generation. For more information on acknowledgement of alerts, see Acknowledging alerts, System Status Monitoring Guide.

Email, pager, and script lists, as well as message contents, are configured on a per-admin domain basis (see Setting up alert notifications (on page 143)). For email and pager notifications, you must set up a mail server for sending the messages (see Specifying a mail server for notifications, Manager Server Configuration Guide).

Overview of IPS settings  3