
pilot_14 August 28, 1998 Intrusion Detection Pilot Program Guide 11

- Product can notify an administrator via e-mail of an incident.
- Product can log a summary of an incident to persistent data storage.
- Product can record the entire binary content of a network session and write it to persistent data storage for future analysis or forensics.
- Product can copy the entire binary content of a network session up to the management console in real time so that it may be viewed as it is happening.
- Product can terminate a TCP session by issuing TCP Reset packets to each end of the connection.
- Product can prevent TCP, UDP, and IP access to a network by automatically reconfiguring a firewall or router to prevent certain traffic from crossing the firewall boundary for a user-specified period of time.
- Product can respond to an incident by executing one or more user-specified programs.

Configuration

- Remote Product engines can be configured from the management console using a point-and-click interface.
- Product provides configuration templates that describe an engine configuration (i.e., active pre-defined signatures, responses). These templates can be customized, applied to many engines at the same time, saved for future use, and exchanged among management domains.
- The priority level for each pre-defined signature can be configured from the management console.
- The interface allows attack signatures to be activated or deactivated via check-box selection.
- The response to each pre-defined event can be specified by the administrator from the management console.
- Product templates can be customized and saved for future use.
- The pre-defined signatures of Product can be tuned such that false positives are minimized.
- Product can be configured such that attack signature and traffic analysis focus only on specified hosts, specified protocols, or specified services.
- Product can be configured such that the end user can modify the embedded HELP systems and add additional comments and information about attack definitions.

Event Monitoring

- Product graphically depicts both suspicious activity and normal network activity.
- The graphical interface can be used effectively by an unskilled NOC operator and requires
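The template and response items under Configuration above (templates customized and applied to many engines at once, per-signature priority and check-box activation, a per-event response list, analysis focused on specified hosts, and a firewall block that lasts for a user-specified period) are modelled below as a small Python example. This is an added example, not code from the Pilot Program Guide or from any evaluated product; the class and function names (EngineTemplate, SignatureSetting, Engine, apply_template, handle_event, is_blocked), the signature names and the IP addresses are constructed for illustration. The e-mail, session-recording and program-execution responses are only recorded as actions taken, not performed.

```python
"""Added example: a minimal model of IDS engine configuration templates and
incident responses as described in the checklist. All names are assumptions."""
import copy
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

# Response actions named in the checklist (constructed identifiers).
NOTIFY_EMAIL, LOG_SUMMARY, RECORD_SESSION, BLOCK_TRAFFIC, RUN_PROGRAM = (
    "notify_email", "log_summary", "record_session", "block_traffic", "run_program")


@dataclass
class SignatureSetting:
    enabled: bool = True                      # check-box activation
    priority: int = 3                         # 1 = highest priority
    responses: Tuple[str, ...] = (LOG_SUMMARY,)


@dataclass
class EngineTemplate:
    name: str
    signatures: Dict[str, SignatureSetting]
    monitored_hosts: Tuple[str, ...] = ()     # empty = analyse traffic to all hosts
    block_seconds: int = 600                  # user-specified firewall block period

    def customize(self, sig: str, **changes) -> "EngineTemplate":
        """Return a tuned copy; the saved base template stays unchanged for reuse."""
        t = copy.deepcopy(self)
        t.signatures[sig] = replace(t.signatures[sig], **changes)
        return t


@dataclass
class Engine:
    name: str
    template: Optional[EngineTemplate] = None
    blocks: Dict[str, float] = field(default_factory=dict)   # src_ip -> block expiry time
    log: List[str] = field(default_factory=list)             # persistent incident summaries


def apply_template(template: EngineTemplate, engines: List[Engine]) -> None:
    """Push one template to many engines at the same time (each gets its own copy)."""
    for e in engines:
        e.template = copy.deepcopy(template)


def handle_event(engine: Engine, sig: str, src_ip: str, dst_ip: str, now: float) -> List[str]:
    """Run the responses configured for a signature; returns the actions taken."""
    t = engine.template
    if t.monitored_hosts and dst_ip not in t.monitored_hosts:
        return []                             # analysis focused on specified hosts only
    setting = t.signatures.get(sig)
    if setting is None or not setting.enabled:
        return []                             # unknown or deactivated signature
    taken = []
    for action in setting.responses:
        if action == BLOCK_TRAFFIC:
            engine.blocks[src_ip] = now + t.block_seconds   # time-limited block
        elif action == LOG_SUMMARY:
            engine.log.append(f"{now:.0f} p{setting.priority} {sig} {src_ip}->{dst_ip}")
        # e-mail, session recording and program execution are only recorded here
        taken.append(action)
    return taken


def is_blocked(engine: Engine, src_ip: str, now: float) -> bool:
    """A block is lifted automatically once the user-specified period has elapsed."""
    expiry = engine.blocks.get(src_ip)
    if expiry is None:
        return False
    if now >= expiry:
        del engine.blocks[src_ip]
        return False
    return True


def demo() -> dict:
    """Constructed scenario: tune a template, push it to two engines, handle two events."""
    base = EngineTemplate("default", {
        "PORTSCAN": SignatureSetting(priority=3, responses=(LOG_SUMMARY,)),
        "FTP-ROOT-LOGIN": SignatureSetting(
            priority=1,
            responses=(NOTIFY_EMAIL, LOG_SUMMARY, RECORD_SESSION, BLOCK_TRAFFIC)),
    })
    tuned = base.customize("PORTSCAN", enabled=False)   # cut false positives on one site
    engines = [Engine("dmz-sensor"), Engine("lan-sensor")]
    apply_template(tuned, engines)
    e = engines[0]
    portscan = handle_event(e, "PORTSCAN", "10.0.0.5", "192.0.2.10", now=0)
    ftp = handle_event(e, "FTP-ROOT-LOGIN", "10.0.0.5", "192.0.2.10", now=10)
    return {
        "portscan_actions": portscan,                      # deactivated -> nothing
        "ftp_actions": ftp,
        "blocked_now": is_blocked(e, "10.0.0.5", now=20),
        "blocked_later": is_blocked(e, "10.0.0.5", now=700),  # 10 + 600 s elapsed
        "base_still_enabled": base.signatures["PORTSCAN"].enabled,
        "both_configured": all(x.template is not None for x in engines),
        "log": list(e.log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keeping `customize` copy-on-write is the checklist's "saved for future use" requirement: the base template remains a clean starting point while tuned variants are pushed to individual engines, and the expiry check in `is_blocked` is what turns a firewall reconfiguration into a block for "a user-specified period of time" rather than a permanent rule.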