I'm on NSM 184.108.40.206.
I'd like to stop the "Send Alert to Manager" response on events that also have a "Enable SmartBlocking" response.
I can, of course, go into each and every definition that has "Enable SmartBlocking" configured and Disable the "Send Alert to Manager" response, but that would take forever.
Is there some way to set this globally?
(In other words, I do not want to receive email alerts about events that are SmartBlocked.)
First of all, filter for the rules that have "Send Alert to Manager / Enable SmartBlocking" selected, using the filter in the "Response" column under the "Sensor Actions" column.
Next, select all the filtered rules using the Shift key and mouse click.
Then, after confirming that "Multiple Attacks Selected" is displayed on the right side, if you change Alert to Disabled, it seems possible to change them all at once.
Please try it if you like.
Note: Disabling "Send Alert to Manager" stops log output to the Attack Log.
Thank you for the reply, fujimori.
Your tip about filtering by checking the box under the Response column was what I was missing! I didn't know that feature existed.
Following the rest of your instructions has led me to consider a slightly different approach:
Instead of Disabling the Alert (which, as you pointed out, would stop the log output), wouldn't Disabling the Manager Actions / Email setting achieve what I'm after?
If you want to set mail notification for only specific alerts, check only "The attack definition has this notification option explicitly enabled" under Manager > Setup > Notification > IPS Events > "Send Notification If" and save.
Reference: Network Security Platform 9.1 Manager Administration Guide
P.334 Configure email or pager alert notifications
With this method, it is possible to perform e-mail notification only for alerts with mail notification enabled in policy.
Thanks for the further information and the link.
However, what I'm trying to do is the opposite of what you state in your last post. I want to receive email notifications for everything EXCEPT for SmartBlocked definitions.
To test my last theory, I chose a SmartBlocked definition (DNS: Microsoft ATMA X25 Buffer Overflow), went to its Settings, and Disabled the E-Mail setting in the Messenger Actions section. I've since received two further emails for this definition, so it obviously did not work. Unless I can figure something else out, I'll have to weigh your original suggestion of Disabling the Alert in the Sensor Actions section against not having these Alerts sent to the Attack Log.
Remember that you will need to disable all SmartBlocking signatures' email notification after every sigset update (and make sure the rest of the non-SB sigs are still notifying). With every new sigset, rules get updated, so new ones may be added and existing ones may be moved into SB based on fidelity.
That's a very good point, David.
That is one reason I was hoping to find a "universal" setting that could be set. Having to micro-manage each definition is out of the question. (I currently see nearly 8000 definitions that are being SmartBlocked.)
Despite having set the E-Mail setting in my test definition's Manager Action to Disabled, I'm still getting emails about it, so it obviously is not working as I'd hoped.
If I get the time (haha) I may contact Support to see if they know of a way to do what I'm after.
No worries Travler...
I was just thinking if you could use the API to modify the email notification settings of a signature - based on the signature's Smartblocking Settings (Yes/No)?
I am not sure it would work, to be honest... I don't believe (from memory) the API goes deep enough to the signature level...
If anyone has the time to test/check, and let us know... that would be great!
P.S: I can think of some manual tricks to read and update these settings via scripting directly on the database... But... it would not be supported! Definitely!