Table of Contents
Advertisement
Setting Severity
Copyright © 2010, Juniper Networks, Inc.
might discover an attack too late or miss a security breach entirely due to sifting through
hundreds of log records. Excessive logging can also affect IDP throughput, performance,
and available disk space. A good security policy generates enough logs to fully document
only the important security events on your network.
Setting Logging
In the Configure Notification dialog box, select Logging and then click OK. Each time the
rule is matched, the IDP system creates a log record that appears in the Log Viewer.
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, however, you might want
to be notified immediately by e-mail, have IDP run a script in response to the attack, or
set an alarm flag to appear in the log record. Your goal is to fine-tune the attack
notifications in your security policy to your individual security needs.
Setting an Alert
In the Configure Notification dialog box, select Alert and then click OK. If Alert is selected
and the rule is matched, IDP places an alert flag in the alert column of the Log Viewer
for the matching log record.
Logging Packets
You can record the individual packets in the network traffic that matched a rule by
capturing the packet data for the attack. Viewing the packets used in an attack on your
network can help you determine the extent of the attempted attack and its purpose,
whether or not the attack was successful, and any possible damage to your network.
NOTE: To improve IDP performance, log only the packets after the attack.
If multiple rules with packet capture enabled match the same attack, IDP captures the
maximum specified number of packets. For example, you configure Rule 1 to capture 10
packets before and after the attack, and Rule 2 to capture 5 packets before and after
the attack. If both rules match the same attack, IDP attempts to capture 10 packets
before and after the attack.
NOTE: Packet captures are restricted to 256 packets before and after the
attack.
You can override the inherent attack severity on a per-rule basis within the SYN Protector
rulebase. You can set the severity to either Default, Info, Warning, Minor, Major, or Critical.
To change the severity for a rule, right-click the Severity column of the rule and select a
severity.
Chapter 9: Configuring Security Policies
501
Advertisement
Table of Contents
