Packet-based events

Packet-based events analyze network traffic and detect intrusion attempts based on the traffic's characteristics and content. They detect intrusions by comparing network traffic against rules that describe events deemed troublesome. These rules might describe activities (e.g., certain hosts connecting to certain services), activities worth alerting on (e.g., connection attempts to a given number of different hosts), or signatures describing known attacks or access to known vulnerabilities.

Creating packet-based events

To create a new packet-based event, follow these steps:

  • Click the Add icon in the Event Manager window.
  • Select the Packet Event item in the popup menu. The Create Packet Event dialog appears.
Figure 12-4. Create Packet Event dialog


  • Fill in the parameters for the event and the action to be triggered when its rules are met.
  • Name: Type a name for the packet-based event. The name must be unique.
  • Severity: Specify the severity of this event.
  • Belongs to: Specify the layer the event belongs to.
  • Action: Specify the action to be triggered when this event is detected.
  • Condition: A condition consists of a number of rules linked together with the logical operators AND, OR and NOT.

Note: The rules used by packet-based events are exactly the same as the rules defined in a filter. They are discussed in more detail in Filter Rules.

  • Click OK to create and enable the packet-based event.
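The following is an added illustration, not the product's own rule engine, of how a condition built from activity, threshold and signature rules linked with AND, OR and NOT is evaluated over traffic; the rule syntax, the packet fields and the sample traffic are assumptions constructed for the example.

```python
# Added illustration (not Netwalk's rule engine; rule syntax is assumed) of how
# a packet-based event condition links rules with AND, OR and NOT.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport payload", defaults=[b""])

# Constructed traffic: 10.0.0.5 tries SSH on several hosts; 10.0.2.7 is a
# trusted scanner whose probe must not raise the event.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.1", 22),
    Packet("10.0.0.5", "10.0.1.2", 22),
    Packet("10.0.0.5", "10.0.1.3", 22),
    Packet("10.0.0.5", "10.0.1.4", 22, b"SSH-2.0-badclient"),
    Packet("10.0.2.7", "10.0.1.1", 22, b"SSH-2.0-badclient"),
    Packet("10.0.0.9", "10.0.1.1", 443),
]

# A rule is a function (packet, state) -> bool, like a single filter rule.
def service(port):          # activity: traffic to a given service
    return lambda pkt, st: pkt.dport == port
def signature(needle):      # known attack pattern in the payload
    return lambda pkt, st: needle in pkt.payload
def distinct_hosts(limit):  # threshold: source has touched >= limit hosts
    return lambda pkt, st: len(st[pkt.src]) >= limit
def from_subnet(prefix):    # source address prefix match
    return lambda pkt, st: pkt.src.startswith(prefix)

# Logical connectives that link rules into a condition.
def AND(*rules): return lambda pkt, st: all(r(pkt, st) for r in rules)
def OR(*rules):  return lambda pkt, st: any(r(pkt, st) for r in rules)
def NOT(rule):   return lambda pkt, st: not rule(pkt, st)

def detect(event_name, condition, traffic):
    """Evaluate the condition per packet, tracking the hosts each source has
    touched so far; return one alert per packet that satisfies it."""
    state, alerts = {}, []
    for pkt in traffic:
        state.setdefault(pkt.src, set()).add(pkt.dst)
        if condition(pkt, state):
            alerts.append((event_name, pkt.src, pkt.dst))
    return alerts

# Condition: SSH traffic that is a sweep of 3+ hosts or carries a known bad
# client banner, but not from the trusted scanner subnet.
SSH_SWEEP = AND(service(22),
                OR(distinct_hosts(3), signature(b"badclient")),
                NOT(from_subnet("10.0.2.")))

def run_example():
    return detect("ssh-sweep", SSH_SWEEP, SAMPLE_TRAFFIC)
```

Only the third and fourth packets from 10.0.0.5 raise the event: the earlier ones fall below the host threshold, the scanner's probe is excluded by the NOT rule, and the HTTPS packet fails the service rule.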
