Idp Actions; Smtp Log Receiver For Idp Events; Configuring An Smtp Log Receiver - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05


6.3.7. IDP Actions

Action Options
After pattern matching recognises an intrusion in traffic subject to an IDP Rule, the Action associated with that Rule is taken. The administrator can associate one of three Action options with an IDP Rule:
Ignore - Do nothing if an intrusion is detected and allow the connection to stay open
Audit - Allow the connection to stay open but log the event
Protect - Drop the connection and log the event (with the additional option to blacklist the source of the connection or to switch on ZoneDefense, as described below).
IDP Blacklisting
With the Protect action, the particular host or network that triggers the IDP Rule can additionally be added to a Blacklist of offending traffic sources. This means that all subsequent traffic coming from a blacklisted source will be automatically dropped by NetDefendOS. For more details of how blacklisting functions, see Section 6.7, "Blacklisting Hosts and Networks".
IDP ZoneDefense
With the Protect action, the particular D-Link switch that triggers the IDP Rule can additionally be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions, see Chapter 12, ZoneDefense.

6.3.8. SMTP Log Receiver for IDP Events

To receive e-mail notifications of IDP events, an SMTP Log Receiver can be configured. Each e-mail contains a summary of the IDP events that occurred within a user-configurable period of time.
When an IDP event occurs, NetDefendOS waits Hold Time seconds before sending the notification e-mail. The e-mail is only sent if the number of events that occurred in that period is equal to or greater than the Log Threshold. Once an e-mail has been sent, NetDefendOS waits Minimum Repeat Time seconds before sending a new one.
Example 6.13. Configuring an SMTP Log Receiver
In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, the Rule is triggered. At least one further event occurs within the Hold Time of 120 seconds, so the Log Threshold is reached (at least 2 events have occurred). This results in an e-mail being sent containing a summary of the IDP events. Several more IDP events may occur after this, but to prevent flooding the mail server, NetDefendOS will wait 600 seconds (10 minutes) before sending a new e-mail. An SMTP server is assumed to have been configured in the address book with the name smtp-server.
CLI
Adding an SMTP log receiver (the Receiver1 address is a property of the LogReceiverSMTP object, so it is given on the add command):
gw-world:/> add LogReceiver LogReceiverSMTP smt4IDP IPAddress=smtp-server
            Receiver1=youremail@yourcompany.com
IDP Rules:
gw-world:/> cc IDPRule examplerule
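The Hold Time / Log Threshold / Minimum Repeat Time behaviour described above, replayed in Python as an added example (this is not NetDefendOS code and not part of the manual). The timer semantics at the edges, stated in the docstring, are assumptions, and the event stream is constructed to match the numbers of Example 6.13 (120 s hold, threshold 2, 600 s repeat):

```python
from collections import Counter

def simulate_smtp_receiver(events, hold_time=120, log_threshold=2,
                           min_repeat_time=600):
    """Replay IDP events through the Hold Time / Log Threshold / Minimum
    Repeat Time logic and return one (send_time, summary) tuple per e-mail,
    where summary maps signature name -> number of events in that batch.

    events: iterable of (timestamp_seconds, signature_name) tuples.

    Assumed model (the manual does not spell out these edge cases):
    * a hold window opens at the first event after the previous window
      closed and ends at the later of first_event + hold_time and
      last_sent + min_repeat_time, so the repeat timer extends the batch
      rather than discarding events that arrive during it;
    * at the window end the batch is mailed only if it holds at least
      log_threshold events; a smaller batch is dropped, not carried over.
    """
    sent = []
    last_sent = None      # time the previous e-mail went out
    window_end = None     # deadline of the open hold window, None if none
    batch = []            # signature names collected in the open window

    def close_window():
        nonlocal last_sent, window_end, batch
        if len(batch) >= log_threshold:
            sent.append((window_end, dict(Counter(batch))))
            last_sent = window_end
        window_end, batch = None, []

    for t, signature in sorted(events):
        if window_end is not None and t > window_end:
            close_window()                  # deadline passed before this event
        if window_end is None:
            window_end = t + hold_time
            if last_sent is not None:       # honour Minimum Repeat Time
                window_end = max(window_end, last_sent + min_repeat_time)
        batch.append(signature)

    if window_end is not None:              # flush the window still open
        close_window()
    return sent

if __name__ == "__main__":
    # Constructed event stream: two events inside the first 120 s hold
    # window, then a burst that has to wait for the 600 s repeat timer.
    demo = [(0, "scan"), (60, "scan"), (150, "exploit"), (200, "scan"),
            (300, "exploit"), (800, "scan")]
    for when, summary in simulate_smtp_receiver(demo):
        print(f"t={when:>4}s  e-mail sent: {summary}")
```

A single event that never reaches the threshold produces no mail at all, which is worth remembering when tuning Log Threshold for low-volume signatures.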
Chapter 6. Security Mechanisms