HP ProCurve Threat Management Solution Implementation Guide 2009-05

2-26
HP ProCurve Network Immunity Manager Standalone Solution
Step 2: Detect Threats
Figure 2-24. Policy Manager > Alerts > <New NBAD> Configuration Window
11. Configure the properties of the alert:

a. Select a threat type from the Threat Type drop-down list. (This list reflects all the ProCurve NBAD Services event types listed in the navigation tree of the Policy Manager window.)

b. In the Alert Configuration section, specify the number of events and/or magnitude of violations within a specified time period that will trigger an alert. Use these guidelines to enter your settings:

   For the preconfigured NBAD alerts, ProCurve recommends that you start with the default values: 1 event or magnitude of 1 in ten minutes. Then, collect events for at least 24 hours.

   If too many alerts are being generated, you may want to decrease the sensitivity of the NBAD analyzer or increase the number of events or magnitude to reduce the number of triggered alerts.

   If you want NIM to generate more alerts so that you can respond more quickly to potential threats, increase the sensitivity of the NBAD analyzer or reduce the time period of the alert.

   To trigger the policy based on the cumulative magnitude of events received, select OR from the drop-down list and type a number representing the magnitude. For example, a policy can be triggered when any number of TCP sweep events are received with a cumulative magnitude of 50 or more.

   Magnitude units vary, depending on the nature of the event. (The units of an event's magnitude are indicated in the event's description.) For example, the magnitude of an IP sweep event indicates how many IP destinations an attacker contacted, while the magnitude of a traffic anomaly event indicates how many frames containing the referenced anomaly were observed from a single source IP address.

c. Optionally, change the severity reported for an alert.
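The following is an added example, not code from the guide or from NIM itself, that models how an alert policy like the one configured in step 11 can be evaluated against a stream of NBAD events: it fires on an event count within the time window, or (the OR option) on the cumulative magnitude within that window, as with the "TCP sweep events with a cumulative magnitude of 50 or more" case. The event and policy structures, the per-source sliding window, the rule that a window is cleared once it fires (so one burst yields one alert), and the sample events are all assumptions made for this illustration; NIM's actual evaluation logic is not described on the page.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Deque, List, Optional, Tuple


@dataclass(frozen=True)
class NbadEvent:
    """One NBAD event as an analyzer might report it (hypothetical structure)."""
    ts: float          # event time in seconds
    threat_type: str   # e.g. "TCP sweep", "IP sweep"
    source_ip: str     # offending source address
    magnitude: int     # units depend on the threat type (see the event's description)


@dataclass
class AlertPolicy:
    """Mirrors the Alert Configuration fields: count and/or magnitude within a time period."""
    threat_type: str
    window_seconds: float
    min_events: Optional[int] = None      # fire when this many events fall in the window
    min_magnitude: Optional[int] = None   # fire when cumulative magnitude reaches this (OR option)
    severity: str = "Medium"              # severity reported for the alert (step 11c)


@dataclass(frozen=True)
class Alert:
    ts: float
    source_ip: str
    event_count: int
    total_magnitude: int
    severity: str


def evaluate_policy(policy: AlertPolicy, events: List[NbadEvent]) -> List[Alert]:
    """Replay events in time order and return one Alert each time the policy fires.

    A sliding window is kept per source IP. Events older than the policy's time
    period are dropped before each check. After a trigger the source's window is
    cleared (assumption) so that a single burst does not re-trigger on every event.
    """
    windows: Dict[str, Deque[Tuple[float, int]]] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.threat_type != policy.threat_type:
            continue  # the policy applies to one Threat Type only
        win = windows.setdefault(ev.source_ip, deque())
        win.append((ev.ts, ev.magnitude))
        # Drop events that fell out of the time period.
        while win and ev.ts - win[0][0] > policy.window_seconds:
            win.popleft()
        count = len(win)
        total = sum(m for _, m in win)
        by_count = policy.min_events is not None and count >= policy.min_events
        by_magnitude = policy.min_magnitude is not None and total >= policy.min_magnitude
        if by_count or by_magnitude:
            alerts.append(Alert(ev.ts, ev.source_ip, count, total, policy.severity))
            win.clear()
    return alerts


# Constructed sample events: one source sweeping hard in a five-minute burst, another
# sending low-magnitude sweeps spread far apart, plus an unrelated IP sweep event.
SAMPLE_EVENTS = [
    NbadEvent(0.0, "TCP sweep", "10.0.0.5", 20),
    NbadEvent(120.0, "TCP sweep", "10.0.0.5", 20),
    NbadEvent(300.0, "TCP sweep", "10.0.0.5", 15),   # cumulative 55 within 10 minutes
    NbadEvent(0.0, "TCP sweep", "10.0.0.9", 5),
    NbadEvent(900.0, "TCP sweep", "10.0.0.9", 5),    # previous event already aged out
    NbadEvent(1800.0, "TCP sweep", "10.0.0.9", 5),
    NbadEvent(100.0, "IP sweep", "10.0.0.5", 200),   # different Threat Type, ignored
]

# The guide's recommended starting point: 1 event (or magnitude 1) in ten minutes.
DEFAULT_POLICY = AlertPolicy("TCP sweep", window_seconds=600, min_events=1, min_magnitude=1)

# The guide's OR example: any number of TCP sweep events with cumulative magnitude >= 50.
MAGNITUDE_POLICY = AlertPolicy("TCP sweep", window_seconds=600, min_magnitude=50, severity="High")


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("magnitude>=50", MAGNITUDE_POLICY)):
        fired = evaluate_policy(policy, SAMPLE_EVENTS)
        print(f"{name}: {len(fired)} alert(s)")
        for a in fired:
            print(f"  t={a.ts:.0f}s {a.source_ip} count={a.event_count} magnitude={a.total_magnitude} {a.severity}")
```

Running the two policies over the same sample input shows the trade-off the guide describes: the default 1-event setting fires on every TCP sweep event (six alerts, including three for the low-magnitude source), while the magnitude threshold of 50 fires once, for the source whose sweeps add up to 55 within the ten-minute window, and stays quiet for the source whose sweeps never accumulate inside one window.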