The feature you are looking for is IPS Quarantine.
If you were to block the attack, it's only going to block the specific traffic that matches the signature.
The Quarantine feature will block all traffic from the host for a period of time. The available time periods are 5 minutes to 60 minutes.
If you want it to require triggering a number of times first, you can create a Reconnaissance Attack that can be configured as a "Brute Force" correlation to require a count of attacks in a time interval before triggering.
After creating the Reconn attack, go into the policy editor and enable Quarantine for the attack.
Thanks gfergus1. I had just found the quarantine info after poking around waiting for a reply, but how to set up the "brute force" correlation I would have fumbled over without your help.
I will try to further define my requirement. Sorry for the lack of correct wording, but I will give it a try.
I understand what gfergus1 is saying and I think he is answering my next question when he said "If you were to block the attack, it's only going to block the specific traffic that matches the signature", but I will give it a shot.
Is there any way to enable quarantine for any attack that comes from a single IP for x number of times over x time period, signature independent? I am trying to automate the process as much as possible. It would be nice if it would quarantine for say 1 hr when the number of attacks over a given period of time triggers the quarantine, rather than having to create a Reconn attack for every count I see high for a particular signature from a particular IP address.
Does that help to further define my query?
Unfortunately there isn't a way to do that. You can create a Recon attack for a "brute force" for each signature, but there's not a 'wider' view of attack responses.
That would be a good feature request which you can submit at https://mcafee.acceptondemand.com/
Thank you for the info Gfergus1.
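The signature-independent threshold asked about in the thread (x attacks from one IP within x time, then a 1 hr quarantine), written as an added example that is not part of the thread and not a feature of the product: a sliding-window count over alert records. The alert tuple layout, the sample data and the function name are assumptions; the script only computes which sources cross the threshold and does not talk to the IPS.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, source IP, signature name).
# Not real sensor output; the field layout is an assumption.
SAMPLE_ALERTS = [
    ("2024-01-01 10:00:00", "192.0.2.10", "SIG-A"),
    ("2024-01-01 10:01:00", "192.0.2.10", "SIG-B"),
    ("2024-01-01 10:02:00", "198.51.100.7", "SIG-A"),
    ("2024-01-01 10:03:00", "192.0.2.10", "SIG-C"),
    ("2024-01-01 10:30:00", "198.51.100.7", "SIG-B"),
    ("2024-01-01 10:31:00", "198.51.100.7", "SIG-C"),
    ("2024-01-01 10:50:00", "192.0.2.10", "SIG-A"),
]


def quarantine_candidates(alerts, threshold, window, hold):
    """Return (ip, start, end) for each source that raises `threshold`
    alerts of any signature within `window`; `hold` is the quarantine length."""
    recent = defaultdict(deque)   # source IP -> alert times still inside the window
    held_until = {}               # source IP -> end of its current quarantine
    decisions = []
    for ts_text, src, _signature in sorted(alerts):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if src in held_until and ts < held_until[src]:
            continue              # already quarantined, do not count again
        times = recent[src]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()       # drop alerts that fell out of the window
        if len(times) >= threshold:
            held_until[src] = ts + hold
            decisions.append((src, ts, ts + hold))
            times.clear()         # start a fresh count after the quarantine
    return decisions


if __name__ == "__main__":
    for ip, start, end in quarantine_candidates(
        SAMPLE_ALERTS, threshold=3,
        window=timedelta(minutes=5), hold=timedelta(minutes=60),
    ):
        print(f"{ip}: quarantine {start:%H:%M} to {end:%H:%M}")
```

The signature name is read but never used in the count, which is the difference from the per-signature "Brute Force" correlation described above.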