Specifications
Select the Event Categories that will result in applying the action for this rule. To be recognized by ASM, the text string in the event message sent by the IDS must match exactly the event category names in the Rule.
• Match Any - This is an unconditional match for the category.
• Match Selected - The event category is compared against one or more categories selected from the list.
• Exclude Selected - The event category matches if it is not one of the categories selected from the list.
Dragon has four default notification rules: netsight-atlas-asm-attacks, netsight-atlas-asm-compromise, netsight-atlas-asm-informational, and netsight-atlas-asm-misuse. Each of Dragon's notification rules has a corresponding event category in ASM: ASM_ATTACKS, ASM_COMPROMISE, ASM_INFORMATIONAL, and ASM_MISUSE.
For ASM's response to a serious threat to be timely and effective, it is important that ASM only be notified of serious threats. The following table lists the Dragon events for which notification to ASM is recommended:
BACKDOOR:PHATBOT          COMP:MS-DIR              COMP:ROOT-ICMP
COMP:ROOT-TCP             COMP:ROOT-UDP            COMP:SDBOT-LOGIN
COMP:SDBOT-NETINFO        COMP:SPYBOT-DOWNLOAD     COMP:SPYBOT-INFO
COMP:SPYBOT-KEYLOG        COMP:WIN-2000            COMP:WIN-XP
GENERIC:UPX-EXE           MS-BACKDOOR              MS-BACKDOOR2
MS-BACKDOOR3              MS-SQL:HAXOR-TABLE       MS-SQL:PWDUMP
MS-SQL:WORM-SAPPHIRE      MS:BACKDOOR-BADCMD       MS:BACKDOOR-DIR
SMB:SAMBAL-SUCCESS        SSH:HIGHPORT             SSH:X2-CHRIS
SSH:X2-CHRIS-REPLY
b. Select the Sender Identifiers that will result in applying the action for this rule. This is a unique identifier associated with the intrusion detection system that detected the security event.
• Match Any - This is an unconditional match for the Sender ID.
• Match Selected - The Sender ID is compared against one or more Sender Identifiers selected from the list.
• Exclude Selected - The Sender ID matches if it is not one of the Sender Identifiers selected from the list.
c. Select the Policies that will result in applying the action for this rule. This attribute examines policies currently applied on the port.
• Match Any - This is an unconditional match for a currently applied policy.
• Match Selected - The currently applied policy is compared against one or more policies selected from the list.
• Exclude Selected - The currently applied policy matches if it is not one of the policies selected from the list.
d. Select the VLANs that will result in applying the action for this rule. This attribute examines VLANs currently applied on the port.
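The four rule attributes described above (event category, Sender ID, policy and VLAN) each use the same three matching modes, and a rule's action applies only when every attribute matches. The following Python is an added example written for this page; it is not ASM product code or part of the original help text. It models that evaluation so the behaviour of each mode can be checked against constructed notifications, including the exact-match requirement for event category strings (a lowercase "asm_attacks" does not match "ASM_ATTACKS"). The rule name, sensor names ("dragon-sensor-1"), policy names ("Enterprise User", "Quarantine", "Guest"), VLAN names and port names are all made up for the example.

```python
"""Model of ASM rule evaluation over IDS notifications (added example, not ASM code)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MATCH_ANY = "Match Any"
    MATCH_SELECTED = "Match Selected"
    EXCLUDE_SELECTED = "Exclude Selected"


@dataclass(frozen=True)
class Criterion:
    """One rule attribute: event category, Sender ID, policy or VLAN."""
    mode: Mode
    selected: frozenset = frozenset()

    def matches(self, value: str) -> bool:
        # Exact, case-sensitive comparison: the help text requires the string in the
        # IDS event message to match the category name in the rule exactly.
        if self.mode is Mode.MATCH_ANY:
            return True
        if self.mode is Mode.MATCH_SELECTED:
            return value in self.selected
        return value not in self.selected  # EXCLUDE_SELECTED


@dataclass(frozen=True)
class Notification:
    """An IDS notification as seen by ASM, plus what is currently applied on the port."""
    port: str
    event_category: str
    sender_id: str
    applied_policy: str
    applied_vlan: str


@dataclass(frozen=True)
class Rule:
    name: str
    event_category: Criterion
    sender_id: Criterion
    policy: Criterion
    vlan: Criterion

    def applies_to(self, n: Notification) -> bool:
        """All four attributes must match for the rule's action to be applied."""
        return (
            self.event_category.matches(n.event_category)
            and self.sender_id.matches(n.sender_id)
            and self.policy.matches(n.applied_policy)
            and self.vlan.matches(n.applied_vlan)
        )


def ports_to_act_on(rule: Rule, notifications) -> list:
    """Return the ports whose notifications satisfy the rule, in arrival order."""
    return [n.port for n in notifications if rule.applies_to(n)]


# Constructed rule: act only on the two serious ASM categories, from any sensor,
# but skip ports that already carry the hypothetical "Quarantine" policy.
SERIOUS_RULE = Rule(
    name="serious-threats",
    event_category=Criterion(Mode.MATCH_SELECTED, frozenset({"ASM_ATTACKS", "ASM_COMPROMISE"})),
    sender_id=Criterion(Mode.MATCH_ANY),
    policy=Criterion(Mode.EXCLUDE_SELECTED, frozenset({"Quarantine"})),
    vlan=Criterion(Mode.MATCH_ANY),
)

# Constructed sample notifications; port, sensor, policy and VLAN names are made up.
SAMPLE_NOTIFICATIONS = [
    Notification("ge.1.1", "ASM_ATTACKS", "dragon-sensor-1", "Enterprise User", "VLAN 10"),
    Notification("ge.1.2", "ASM_INFORMATIONAL", "dragon-sensor-1", "Enterprise User", "VLAN 10"),
    Notification("ge.1.3", "asm_attacks", "dragon-sensor-2", "Enterprise User", "VLAN 10"),
    Notification("ge.1.4", "ASM_COMPROMISE", "dragon-sensor-2", "Quarantine", "VLAN 99"),
    Notification("ge.1.5", "ASM_COMPROMISE", "dragon-sensor-2", "Guest", "VLAN 20"),
]

if __name__ == "__main__":
    print(ports_to_act_on(SERIOUS_RULE, SAMPLE_NOTIFICATIONS))  # ['ge.1.1', 'ge.1.5']
```

Running the block shows that only ge.1.1 and ge.1.5 are acted on: ge.1.2 is an informational category the rule does not select, ge.1.3 fails the exact string match, and ge.1.4 is excluded because its port already carries the Quarantine policy.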
e.
Automated Security Manager Help
How to Create and Edit Automated Security Manager Rules 60