Travler
Level 10
Message 1 of 13

email alerts for SmartBlocking events

I'm on NSM 8.3.7.28.

I'd like to stop the "Send Alert to Manager" response on events that also have an "Enable SmartBlocking" response.

I can, of course, go into each and every definition that has "Enable SmartBlocking" configured and Disable the "Send Alert to Manager" response, but that would take forever. 

Is there some way to set this globally?

(In other words, I do not want to receive email alerts about events that are SmartBlocked.)

Thanks!

12 Replies

Re: email alerts for SmartBlocking events

First of all, filter for the rules that have "Send Alert to Manager / Enable SmartBlocking" selected, using the filter in the "Response" column under the "Sensor Actions" column.

Next, select all the filtered rules using the Shift key and a mouse click.

Then, after confirming that "Multiple Attacks Selected" is displayed on the right side, if you change Alert to Disabled, it seems possible to change them all at once.

Please try it if you like.

Note: Disabling "Send Alert to Manager" stops log output to the Attack Log.

Travler
Level 10
Message 3 of 13

Re: email alerts for SmartBlocking events

Thank you for the reply, fujimori.

Your tip about filtering by checking the box under the Response column was what I was missing!  I didn't know that feature existed.

Following the rest of your instructions has led me to consider a slightly different approach:

Instead of Disabling the Alert (which, as you pointed out, would stop the log output), wouldn't Disabling the Manager Actions / Email setting achieve what I'm after?

 

Re: email alerts for SmartBlocking events

If you want to set mail notification for only specific alerts, check only "The attack definition has this notification option explicitly enabled" in Manager> Setup> Notification> IPS Events "Send Notification If" and save.

 Reference: Network Security Platform 9.1 Manager Administration Guide
 https://kc.mcafee.com/corporate/index?page=content&id=PD26776&actp=null&viewlocale=en_US&locale=en_U...
  P.334 Configure email or pager alert notifications

With this method, it is possible to perform e-mail notification only for alerts with mail notification enabled in policy.


Travler
Level 10
Message 5 of 13

Re: email alerts for SmartBlocking events

Thanks for the further information and the link.

However, what I'm trying to do is the opposite of what you state in your last post.  I want to receive email notifications for everything EXCEPT for SmartBlocked definitions.

To test my last theory, I chose a SmartBlocked definition (DNS: Microsoft ATMA X25 Buffer Overflow), went to its Settings, and Disabled the E-Mail setting in the Messenger Actions section.  I've since received two further emails for this definition, so it obviously did not work.  Unless I can figure something else out, I'll have to weigh your original suggestion of Disabling the Alert in the Sensor Actions section against not having these Alerts sent to the Attack Log.

Travler
Level 10
Message 6 of 13

Re: email alerts for SmartBlocking events

I forgot to mention that what you last suggested is exactly how we have our email notification set up today: Send Notification If: has both boxes checked.
mjesmer
Level 11
Message 7 of 13

Re: email alerts for SmartBlocking events

Have you disabled the Manager Action for email in the attack for the right policy?

d_aloy
Level 12
Message 8 of 13

Re: email alerts for SmartBlocking events

Hi guys,

Remember that you will need to disable all SmartBlocking signatures' email notification after every sigset update (and make sure the rest of the non-SB sigs are notifying). With every new sigset, rules get updated, so new ones may be added, and existing ones may be moved into SB based on fidelity.

Regards

David

Travler
Level 10
Message 9 of 13

Re: email alerts for SmartBlocking events

That's a very good point, David.

That is one reason I was hoping to find a "universal" setting that could be set.  Having to micro-manage each definition is out of the question.  (I currently see nearly 8000 definitions that are being SmartBlocked.)

Despite having set the E-Mail setting in my test definition's Manager Action to Disabled, I'm still getting emails about it, so it obviously is not working as I'd hoped.

If I get the time (haha) I may contact Support to see if they know of a way to do what I'm after.

d_aloy
Level 12
Message 10 of 13

Re: email alerts for SmartBlocking events

No worries Travler...

I was just thinking if you could use the API to modify the email notification settings of a signature - based on the signature's Smartblocking Settings (Yes/No)?

I am not sure it would work to be honest.... I don't believe (from memory) the API goes deep enough to the signature level...

If anyone has the time to test/check, and let us know... that would be great!

 

Cheers

David

 

P.S: I can think of some manual tricks to read and update these settings via scripting directly on the database... But... it would not be supported! Definitely!