After pattern matching recognizes an intrusion in traffic subject to an IDP Rule, the Action
associated with that Rule is taken. The administrator can associate one of three Action options with
an IDP Rule:
•
Ignore - Do nothing if an intrusion is detected and allow the connection to stay open.
•
Audit - Allow the connection to stay open but log the event.
•
Protect - This option drops the connection and logs the event (with the additional option to
blacklist the source of the connection or switching on ZoneDefense as described below).
IDP Blacklisting
The Protect option includes the option that the particular host or network that triggers the IDP Rule
can be added to a Blacklist of offending traffic sources. This means that all subsequent traffic
coming from a blacklisted source with be automatically dropped by NetDefendOS. For more details
of how blacklisting functions see Section 6.7, “Blacklisting Hosts and Networks”.
IDP ZoneDefense
The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule
can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense
functions see Chapter 12, ZoneDefense.
6.5.8. SMTP Log Receiver for IDP Events
In order to receive notifications via email of IDP events, a SMTP Log receiver can be configured.
This email will contain a summary of IDP events that have occurred in a user-configurable period of
time.
When an IDP event occurrs, the NetDefendOS will wait for Hold Time seconds before sending the
notification email. However, the email will only be sent if the number of events occurred in this
period of time is equal to, or bigger than the Log Threshold. When this email has been sent,
NetDefendOS will wait for Minimum Repeat Time seconds before sending a new email.
The IP Address of SMTP Log Receivers is Required
When specifying an SMTP log receiver, the IP address of the receiver must be specified. A domain
name such as dns:smtp.domain.com cannot be used.
Example 6.20. Configuring an SMTP Log Receiver
In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, the Rule is
triggered. At least one new event occurs within the Hold Time of 120 seconds, thus reaching the log threshold
level (at least 2 events have occurred). This results in an email being sent containing a summary of the IDP
events. Several more IDP events may occur after this, but to prevent flooding the mail server, NetDefendOS will
wait 600 seconds (equivalent to 10 minutes) before sending a new email. An SMTP server is assumed to have
been configured in the address book with the name smtp-server.
Command-Line Interface
Adding an SMTP log receiver:
gw-world:/> add LogReceiver LogReceiverSMTP smt4IDP IPAddress=smtp-server
IDP Rules:
6.5.8. SMTP Log Receiver for IDP
Events
Chapter 6. Security Mechanisms
357
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...