Changing the behavior of Symantec IPS signatures

Article: HOWTO27086  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL: http://www.symantec.com/docs/HOWTO27086
Article Type: How To



You may want to change the default behavior of the Symantec IPS signatures for the following reasons:

  • To reduce the possibility of a false positive. In some cases, benign network activity may appear similar to an attack signature. If you receive repeated warnings about possible attacks, and you know that these attacks are being triggered by safe behavior, you can exclude the attack signature that matches the benign activity.

  • To reduce resource consumption by reducing the number of attack signatures for which the client checks. However, you must be certain that an attack signature poses no threat before excluding it from blocking.

You can change the action that the client takes when the IPS recognizes an attack signature. You can also change whether the client logs the event in the Security log.

Note:
To change the behavior of a custom IPS signature that you create or import, you edit the signature directly.

To change the behavior of Symantec IPS signatures

  1. In the console, open an Intrusion Prevention Policy.

    See Editing a policy.

  2. On the Intrusion Prevention Policy page, click Exceptions.

  3. On the Exceptions page, click Add.

  4. In the Add Intrusion Prevention Exceptions dialog box, do one of the following actions to filter the signatures:

    • To display the signatures in a particular category, select an option from the Show category drop-down list.

    • To display the signatures that are classified with a particular severity, select an option from the Show severity drop-down list.

  5. Select one or more IPS signatures.

    To make the behavior for all signatures the same, click Select All.

  6. Click Next.

  7. In the Signature Action dialog box, change the action from Block to Allow or from Allow to Block.

  8. Optionally, change the log action in either one of the following ways:

    • Change Log the traffic to Do not log the traffic.

    • Change Do not log the traffic to Log the traffic.

  9. Click OK.

    To remove the exception and restore the signature's original behavior, select the signature and click Delete.

  10. Click OK.

  11. If you want to change the behavior of other signatures, repeat steps 3 to 10.

  12. When you finish configuring this policy, click OK.

To remove the exception

  1. In the console, open an Intrusion Prevention Policy.

    See Editing a policy.

  2. On the Intrusion Prevention Policy page, click Exceptions.

  3. On the Exceptions pane, select the exception you want to remove and click Delete.

  4. When you are asked to confirm the deletion, click Yes.


Legacy ID: 349444

