Endpoint Protection

  • 1.  SEP 11 Attack Signature question

    Posted Feb 16, 2012 11:14 AM

    Hi all!

    Can someone tell me what "Audit" refers to in SEP attack signatures? Specifically I am looking at ICMP redirect attacks and I see that there is a signature for this (see link), however it's labelled as Audit.

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20017

    Does this mean that it is logged only and not blocked? Or that it's blocked under a heading of Audit?

    Symantec updated their categories for attack sigs (see link) but it doesn't seem that Audit is covered.

    http://www.symantec.com/business/support/index?page=content&id=TECH152794

    Any help much appreciated.



  • 2.  RE: SEP 11 Attack Signature question

    Broadcom Employee
    Posted Feb 16, 2012 12:38 PM

    I believe this will help:

    These signatures are responsible for detecting such traffic as peer-to-peer file sharing, instant messaging, and voice over IP (VOIP).

    Check this link:

    http://www.symantec.com/business/support/index?page=content&id=TECH161411



  • 3.  RE: SEP 11 Attack Signature question

    Posted Feb 20, 2012 04:27 AM

    Thanks Pete, but does traffic detected as Audit get blocked?



  • 4.  RE: SEP 11 Attack Signature question

    Broadcom Employee
    Posted Feb 20, 2012 04:42 AM

    By default it is "Allow" but you put it under exception and set action as Block.



  • 5.  RE: SEP 11 Attack Signature question

    Posted Feb 20, 2012 04:56 AM

    I have taken a look in the IPS exclusions and cannot see it listed. Is this signature a feature of SEP 11?



  • 6.  RE: SEP 11 Attack Signature question

    Posted Feb 20, 2012 05:15 AM

    I have scanned down the list of Audit signatures and can't see it listed in SEP 11. I guess it's a v12 feature.

    Thanks.



  • 7.  RE: SEP 11 Attack Signature question
    Best Answer

    Broadcom Employee
    Posted Feb 20, 2012 05:21 AM

    I can see it in SEP 12.1 RU 1.