154 Responding
Managing flow alert rules
■ Delay between flow export actions (mins): Enter the time in minutes that you want Symantec Network Security to wait between actions per incident. The default delay is 10, the minimum is 1, and the maximum is 256.
5 Under Export flows matching which event attribute:, select any of the following:
■ Source addresses: Match flows using the source IP address from the triggering event.
■ Destination addresses: Match flows using the destination IP address from the triggering event.
■ Source port: Make the port significant when matching related FDS flow entries to the triggering event source IPs.
■ Destination port: Make the port significant when matching related FDS flow entries to the triggering event destination IPs.
■ Transport Protocol: Export only matching FDS flow entries of the same protocol as the triggering event (IP, TCP, UDP).
6 In Configure Response Action, click OK to save and exit.
7 In Response Rules, click OK to save and exit.
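As an added example (not code from this guide or from Symantec Network Security itself), the following Python models how the attribute checkboxes in step 5 combine when selecting FDS flow entries for a triggering event, and how the per-incident delay from step 4 throttles repeated export actions. The record layouts, the option names, the reading that a port checkbox only qualifies its address match, the rejection of out-of-range delays, and the sample event and flows are all assumptions constructed for the example.

```python
"""Added example, not from the Symantec Network Security guide or product:
a model of the 'Export flows matching which event attribute' options and the
per-incident 'Delay between flow export actions' described in the procedure.
Record layouts, option names and timer behaviour are assumptions from the text."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One FDS (flow data source) flow entry. The sample data below is constructed."""
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for protocols without ports (plain IP)
    dst_port: Optional[int]
    protocol: str             # "IP", "TCP" or "UDP", the values the text lists


@dataclass(frozen=True)
class Event:
    """The triggering event the response rule fired on."""
    incident_id: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    protocol: str


@dataclass
class ExportRuleConfig:
    """The checkboxes and delay field from steps 4 and 5 (field names are assumed)."""
    source_addresses: bool = False
    destination_addresses: bool = False
    source_port: bool = False         # port significant when matching source IPs
    destination_port: bool = False    # port significant when matching destination IPs
    transport_protocol: bool = False  # only flows of the event's protocol
    delay_minutes: int = 10           # default 10, minimum 1, maximum 256

    def __post_init__(self) -> None:
        # Assumption: reject out-of-range delays rather than silently clamping them.
        if not 1 <= self.delay_minutes <= 256:
            raise ValueError("delay must be between 1 and 256 minutes")


def delay_is_valid(minutes: int) -> bool:
    """True when a delay value would be accepted by ExportRuleConfig."""
    try:
        ExportRuleConfig(delay_minutes=minutes)
        return True
    except ValueError:
        return False


class FlowExporter:
    """Selects matching FDS flows for an event and rate-limits exports per incident."""

    def __init__(self, cfg: ExportRuleConfig) -> None:
        self.cfg = cfg
        self._last_action: Dict[str, int] = {}  # incident_id -> minute of last export

    def matches(self, event: Event, flow: Flow) -> bool:
        cfg = self.cfg
        if cfg.source_addresses:
            if flow.src_ip != event.src_ip:
                return False
            # Assumption: the port checkbox qualifies the address match, so a flow
            # with the event's source IP but a different source port is dropped.
            if cfg.source_port and flow.src_port != event.src_port:
                return False
        if cfg.destination_addresses:
            if flow.dst_ip != event.dst_ip:
                return False
            if cfg.destination_port and flow.dst_port != event.dst_port:
                return False
        if cfg.transport_protocol and flow.protocol != event.protocol:
            return False
        return True

    def export(self, event: Event, flows: List[Flow], now_minute: int) -> List[Flow]:
        """Flows exported for this event at now_minute, or [] while the incident's
        delay has not yet elapsed since the previous export action."""
        last = self._last_action.get(event.incident_id)
        if last is not None and now_minute - last < self.cfg.delay_minutes:
            return []
        self._last_action[event.incident_id] = now_minute
        return [f for f in flows if self.matches(event, f)]


# Constructed sample data: one triggering event and five FDS flow entries.
EVENT = Event("INC-1", "10.0.0.5", "192.0.2.10", 43211, 80, "TCP")
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 43211, 80, "TCP"),   # the event's own flow
    Flow("10.0.0.5", "192.0.2.10", 43212, 443, "TCP"),  # same hosts, other ports
    Flow("10.0.0.5", "192.0.2.20", 5353, 53, "UDP"),    # same source, other target
    Flow("10.0.0.9", "192.0.2.10", 50000, 80, "TCP"),   # other source, same target
    Flow("10.0.0.5", "192.0.2.10", None, None, "IP"),   # portless IP flow
]


def count_matches(**options: bool) -> int:
    """Number of sample flows a rule with the given checkboxes would export."""
    return len(FlowExporter(ExportRuleConfig(**options)).export(EVENT, FLOWS, 0))


def delay_sequence(delay_minutes: int, minutes: List[int]) -> List[int]:
    """Flows exported when the same incident re-triggers at each listed minute."""
    cfg = ExportRuleConfig(source_addresses=True, delay_minutes=delay_minutes)
    exporter = FlowExporter(cfg)
    return [len(exporter.export(EVENT, FLOWS, m)) for m in minutes]


if __name__ == "__main__":
    print("source address only:", count_matches(source_addresses=True))
    print("both addresses, destination port significant:",
          count_matches(source_addresses=True, destination_addresses=True,
                        destination_port=True))
    print("exports at minutes 0, 5, 10 with a 10-minute delay:",
          delay_sequence(10, [0, 5, 10]))
```

With only Source addresses ticked, every flow from the event's source host is exported, including the UDP flow to another target and the portless IP flow; adding Destination addresses and Destination port narrows the selection to the single flow that shares the event's destination port, and Transport Protocol alone drops the UDP and IP flows. The delay example shows why the per-incident timer matters: a second trigger five minutes later exports nothing, while one at the ten-minute mark exports again.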
For related information, see the following topics:
■ See "Playing recorded traffic" on page 240.
■ See "Exporting data" on page 254.
■ See "About incident and event data" on page 189.
■ See "Defining new protection policies" on page 120.

In addition to response rules, Symantec Network Security can respond to network traffic according to flow alert rules. Flow alert rules respond to traffic flows that violate defined policies on monitored networks. Flow alert rules can be configured to notify you when a sensor or router detects flows that match specific criteria.

Symantec Network Security collects data about network flows from various devices. It optimizes the data to enable advanced response actions such as TrackBack, and notifies you about illegal flows. Symantec Network Security uses FlowChaser to store the data, in coordination with TrackBack, which traces a DoS attack or network flow back to its source, or to the edges of the administrative domain.

This section describes the following:
■ Viewing flow alert rules