6.x to 7.x Mappings
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword:        SNIPERQUEUE
7.0 XML Attribute:  NSC/SC/C/ActiveResponse/SniperQueue

Description
The active response capability of the Network Sensor has been expanded to include reactions to accumulated events. The intention of this feature is to prevent 'brute-force' attacks by inhibiting the attacker's ability to connect to the target computer. For instance, if the number of TELNET:BAD-LOGIN events between two hosts is elevated past a given threshold, the Network Sensor will not allow further contact for a specified time period.

Valid attributes are:
  Direction        Direction with respect to the protected network
  IP Address       Protected IP/CIDR address
  Port             Protected port
  # of IPs         The number of source IP addresses to track
  Event Threshold  The number of events required to enable active response.
  Interval         Time (in seconds) over which the given threshold must be exceeded to trigger active response.
  Reset Duration   Time (in seconds) that active response will last after being triggered.

Technical Notes
  • This feature is only available on Ethernet sensors.
  • SniperQueue can also be applied when running in IPS mode.
  • This feature can take up a considerable amount of memory; please choose the attributes carefully.
  • This keyword is only available for TCP traffic.
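The following Python model is an added illustration of the threshold-over-interval behaviour the entry describes; it is not the Network Sensor's own code. The class name SniperQueueSim, its parameter names (threshold, interval, reset_duration, max_sources, standing in for Event Threshold, Interval, Reset Duration and # of IPs), the protected-host filter, and the sample events are all constructed assumptions; the Direction attribute is not modelled. It counts events per source IP inside a sliding window, starts a block that lasts for the reset duration once the threshold is reached, and caps the number of tracked sources so the memory cost the Technical Notes warn about stays bounded.

```python
from collections import OrderedDict, deque


class SniperQueueSim:
    """Toy model of threshold-triggered active response (an assumption, not the
    sensor's implementation). Parameter names mirror the manual's attributes:
    threshold = Event Threshold, interval = Interval, reset_duration = Reset
    Duration, max_sources = # of IPs. Only the protected IP/port is modelled;
    Direction is not."""

    def __init__(self, protected_ip, protected_port, threshold, interval,
                 reset_duration, max_sources):
        self.protected_ip = protected_ip
        self.protected_port = protected_port
        self.threshold = threshold
        self.interval = interval
        self.reset_duration = reset_duration
        self.max_sources = max_sources
        # src_ip -> timestamps of its recent events (insertion order = LRU order)
        self._windows = OrderedDict()
        # src_ip -> time at which its active response ends
        self._blocked = {}

    def observe(self, src_ip, dst_ip, dst_port, ts):
        """Feed one TCP event at time ts (seconds).
        Returns "ignore" (not the protected target), "allow" or "block"."""
        if dst_ip != self.protected_ip or dst_port != self.protected_port:
            return "ignore"
        # An active block persists for reset_duration, then expires.
        until = self._blocked.get(src_ip)
        if until is not None:
            if ts < until:
                return "block"
            del self._blocked[src_ip]
        # Bounded memory: at most max_sources sources are tracked; the least
        # recently seen one is dropped to make room (the memory cost the
        # Technical Notes warn about is this per-source state).
        if src_ip not in self._windows:
            if len(self._windows) >= self.max_sources:
                self._windows.popitem(last=False)
            self._windows[src_ip] = deque()
        else:
            self._windows.move_to_end(src_ip)
        window = self._windows[src_ip]
        window.append(ts)
        # Keep only the events that fall inside the sliding interval.
        while window and ts - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            self._blocked[src_ip] = ts + self.reset_duration
            del self._windows[src_ip]
            return "block"
        return "allow"

    def tracked_sources(self):
        """Source IPs currently being counted (oldest first)."""
        return list(self._windows)


def run_demo():
    """Replay constructed sample events against a small policy."""
    sim = SniperQueueSim("10.0.0.5", 23, threshold=3, interval=10,
                         reset_duration=60, max_sources=2)
    # Constructed events: (source, destination, port, timestamp in seconds)
    events = [
        ("192.0.2.10", "10.0.0.5", 23, 0),
        ("192.0.2.11", "10.0.0.5", 23, 0),
        ("192.0.2.10", "10.0.0.5", 23, 2),
        ("192.0.2.10", "10.0.0.5", 23, 4),   # 3rd event within 10 s -> block until t=64
        ("192.0.2.12", "10.0.0.9", 23, 5),   # not the protected host -> ignored
        ("192.0.2.10", "10.0.0.5", 23, 30),  # still inside the reset duration
        ("192.0.2.11", "10.0.0.5", 23, 50),  # its t=0 event has left the window
        ("192.0.2.10", "10.0.0.5", 23, 70),  # block expired; counting starts over
        ("192.0.2.13", "10.0.0.5", 23, 72),  # 3rd source: evicts the LRU one (.11)
    ]
    decisions = [sim.observe(*e) for e in events]
    return {"decisions": decisions, "tracked": sim.tracked_sources()}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the script prints the per-event decisions and the sources still being tracked at the end. The eviction in the last event is the trade-off behind the "# of IPs" attribute: a smaller value caps memory but lets a source fall out of tracking before it reaches the threshold, while a larger value retains more per-source state.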