Idp Actions; Smtp Log Receiver For Idp Events; Configuring An Smtp Log Receiver - D-Link NetDefend DFL-210 User Manual

6.5.7. IDP Actions

group name.
6.5.7. IDP Actions
Action Options
After pattern matching recognises an intrusion in traffic subject to an IDP Rule, the Action
associated with that Rule is taken. The administrator can associate one of three Action options with
an IDP Rule:
• Ignore - Do nothing if an intrusion is detected and allow the connection to stay open
• Audit - Allow the connection to stay open but log the event
• Protect - This option drops the connection and logs the event (with the additional option to
blacklist the source of the connection or switching on ZoneDefense as described below).
IDP Blacklisting
The Protect option includes the option that the particular host or network that triggers the IDP Rule
can be added to a Blacklist of offending traffic sources. This means that all subsequent traffic
coming from a blacklisted source with be automatically dropped by NetDefendOS. For more details
of how blacklisting functions see Section 6.7, "Blacklisting Hosts and Networks".
IDP ZoneDefense
The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule
can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense
functions see Chapter 12, ZoneDefense.

6.5.8. SMTP Log Receiver for IDP Events

In order to receive notifications via email of IDP events, a SMTP Log receiver can be configured.
This email will contain a summary of IDP events that have occurred in a user-configurable period of
time.
When an IDP event occurrs, the NetDefendOS will wait for Hold Time seconds before sending the
notification email. However, the email will only be sent if the number of events occurred in this
period of time is equal to, or bigger than the Log Threshold. When this email has been sent,
NetDefendOS will wait for Minimum Repeat Time seconds before sending a new email.
Example 6.19. Configuring an SMTP Log Receiver
In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, the Rule is
Caution against using too many IDP signatures
Do not use the entire signature database and avoid using signatures and signature
groups unecessarily. Instead, use only those signatures or groups applicable to the
type of traffic you are trying to protect. For instance, using IDS_WEB*, IPS_WEB*,
IDS_HTTP* and IPS_HTTP* IDP groups would be appropriate for protecting an
HTTP server.
IDP traffic scanning creates an additional load on the hardware that in most cases
shouldn't noticebly degrade performance. Using too many signatures during scanning
can make the load on the firewall hardware unecessarily high, adversely effecting
throughput.
194
Chapter 6. Security Mechanisms