An Active Response policy defines how a security event is detected and how the SMS responds to it. Each policy may include segments from multiple managed devices, one of each type of action you created, and the IPS Quarantine action. The system provides a Default Response Policy; this policy is applied when you manually respond to a host, and its status is listed in the Response History table. Configuring an Active Response policy on an IPS segment is based on a Response action set: you create an action set whose SMS action is the Active Response policy, assign filters to that action set, and then distribute it to the IPS segments or segment group where you want to enforce SMS Active Response.
Default Response Policy
The Default Response policy is based on a special IPS action set. Every IPS contains this special, hidden Response action set, which is managed by the SMS Active Response application. The action set describes how the IPS behaves when the SMS adds an IP address to the IPS's list of targeted IP addresses.
How To: Edit the Default Response Policy
- Log in to the SMS from a client.
- On the SMS toolbar, navigate to the Responder->Policies tab.
- In the Policies screen, select the Default Response entry from the Active Response Policies list and do one of the following:
  - Click Edit.
  - Right-click and select Edit.
  - From the SMS toolbar, select Edit->Details.
- The Edit Active Response Policy setup wizard opens.
- Select the Initiation and Timeout tab and configure the following:
  - Policy Name: edit the policy name if desired.
  - Initiation: specify the mechanism used to initiate the policy.
  - Timeout: to set the timeout option, select the Enable Automatic Timeout check box and enter a time in minutes. This setting automatically ends the continued application of Response Actions after the prescribed time limit, even if remediation has not occurred.
- Select the Inclusions and Exclusions tab. On the Inclusions and Exclusions screen, specify the hosts/networks to Allow Active Response or Never Respond. Use the arrow buttons at the end of each field to add an existing Named Resource or to create a new Named Resource.
- Select the Correlation and Thresholding tab and enter settings for the following:
  - Automatic Response Configuration:
    - Qualified filter hits: the number of hits required to enact the policy.
    - Threshold period: the period of time, in seconds or minutes, over which the hit count threshold is evaluated.
    - Quiet period: begins when an automatic response action is initiated. A new Threshold Period does not begin until the Quiet Period is over.
  - Qualified Filter Hit Notifications:
    - Select Send Syslog Notification to send a message to the syslog. Enter a server and select a port and facility for the syslog.
    - Select Send SNMP Trap Notification to send an SNMP trap message. Enter a destination and select a port.
- Select the Actions tab. The Actions screen lists the actions associated with the policy and the following information:
  - Priority: the order in which the actions are performed.
  - Action: the name assigned to the action you created.
  - Condition: the trigger for running the action. This option is set when a new action is added to the Response Policy and can be changed by editing a selected action through this screen.
  - Dependency: the other action that must take place for this action to be triggered.
- Click Add to add a new Response action, or select an existing action entry and click Edit. The Response Actions screen displays.
- Select an action to add from the drop-down menu. The available actions are those created in the Action screen for Active Response. When adding additional actions, you can create dependencies between the actions:
  - Select an action to add.
  - Select an option: success on or failure on.
  - Select the action to connect for the dependency.
- On the Actions screen, review the listed actions. To change the priority of a selected action, use the up and down arrows to change its position in the list.
- Select the IPS Destinations tab. In the IPS Destinations screen, select which devices will receive the Response Policy:
  - To distribute to all IPS devices, select the All Devices check box.
  - To distribute to selected IPS devices, expand the All Devices entry and select one or more IPS devices.
- Click OK to save your settings.
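The Correlation and Thresholding settings (qualified filter hits, threshold period, quiet period) and the prioritized Actions list with its "success on" / "failure on" dependencies are the two mechanisms the procedure above configures. The following Python simulation is an added example written for this page; it is not code from the SMS product or its user guide. It replays constructed filter hits through a threshold/quiet-period model and runs a constructed action chain in priority order. The sliding-window reading of the threshold period, per-host counting, and all host addresses, action names and outcomes are assumptions.

```python
"""Added simulation of two Active Response policy mechanisms: the
Correlation and Thresholding settings and the prioritized, dependent
Actions list. Illustrative code, not SMS code; the sliding-window reading
of the threshold period and per-host counting are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ThresholdPolicy:
    """Assumed semantics: a response is initiated for a host once
    `qualified_hits` filter hits fall within `threshold_period` seconds
    (sliding window). A quiet period then begins, during which further
    hits are ignored and no new threshold period starts."""
    qualified_hits: int
    threshold_period: float          # seconds
    quiet_period: float              # seconds
    _hits: Dict[str, List[float]] = field(default_factory=dict)
    _quiet_until: Dict[str, float] = field(default_factory=dict)

    def observe(self, host: str, t: float) -> bool:
        """Record one qualified filter hit for `host` at time `t` (seconds).
        Returns True when this hit initiates an automatic response."""
        if t < self._quiet_until.get(host, float("-inf")):
            return False                                   # quiet period
        window = [h for h in self._hits.get(host, [])
                  if t - h < self.threshold_period]
        window.append(t)
        if len(window) >= self.qualified_hits:
            self._hits[host] = []                          # counter resets
            self._quiet_until[host] = t + self.quiet_period
            return True
        self._hits[host] = window
        return False


def simulate_threshold(policy: ThresholdPolicy,
                       events: List[Tuple[str, float]]) -> List[Tuple[str, float]]:
    """Feed (host, time) hits in time order; return the hits that triggered."""
    return [(host, t) for host, t in sorted(events, key=lambda e: e[1])
            if policy.observe(host, t)]


@dataclass
class ResponseAction:
    priority: int
    name: str
    run: Callable[[str], bool]        # returns True on success
    depends_on: Optional[str] = None  # name of the action this one depends on
    condition: str = "success"        # "success on" or "failure on"


def run_actions(actions: List[ResponseAction], host: str) -> Dict[str, str]:
    """Run actions in priority order. A dependent action runs only if the
    action it depends on has already finished with the required outcome."""
    results: Dict[str, str] = {}
    for action in sorted(actions, key=lambda a: a.priority):
        if action.depends_on and results.get(action.depends_on) != action.condition:
            results[action.name] = "skipped"
            continue
        results[action.name] = "success" if action.run(host) else "failure"
    return results


def demo_threshold() -> List[Tuple[str, float]]:
    """Constructed hits: 3 hits within 60 s trigger; 300 s quiet period."""
    policy = ThresholdPolicy(qualified_hits=3, threshold_period=60, quiet_period=300)
    events = [
        ("10.0.0.5", 0.0), ("10.0.0.5", 10.0), ("10.0.0.5", 20.0),    # trigger
        ("10.0.0.5", 30.0), ("10.0.0.5", 40.0), ("10.0.0.5", 50.0),   # quiet period
        ("10.0.0.6", 0.0), ("10.0.0.6", 100.0), ("10.0.0.6", 200.0),  # too spread out
        ("10.0.0.5", 330.0), ("10.0.0.5", 340.0),                     # only 2 hits
    ]
    return simulate_threshold(policy, events)


def demo_actions(host: str = "10.0.0.5") -> Dict[str, str]:
    """Constructed action list: the switch quarantine fails, so the
    IPS Quarantine fallback (failure on) runs and the e-mail (success on) follows."""
    actions = [
        ResponseAction(1, "Syslog notify", lambda h: True),
        ResponseAction(2, "Switch quarantine", lambda h: False),  # simulated failure
        ResponseAction(3, "IPS Quarantine", lambda h: True,
                       depends_on="Switch quarantine", condition="failure"),
        ResponseAction(4, "Email admin", lambda h: True,
                       depends_on="IPS Quarantine", condition="success"),
    ]
    return run_actions(actions, host)


if __name__ == "__main__":
    print(demo_threshold())   # [('10.0.0.5', 20.0)]
    print(demo_actions())
```

In the constructed run, only the third hit from 10.0.0.5 at t=20 initiates a response; the hits during the 300 s quiet period are ignored, and the two hits after it do not reach the threshold. The action chain shows why a "failure on" dependency is useful: a fallback such as IPS Quarantine runs only when the preferred action did not succeed, while a "success on" dependency such as a notification is skipped if its prerequisite never ran.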
Reference: SMS User Guide