3 Replies Latest reply on Mar 13, 2014 9:03 AM by regie

    Log files

    regie

      Hello everyone,


      I have a version 8 Sidewinder that has been set up to send emails whenever it gets hit with excessive Netprobes, ACL denies, etc.

      What I would like to know is if there is any way to configure what is being sent. Specifically, I would like to know what IP address triggered the alert.


      Thanks

        • 1. Re: Log files
          PhilM

          If you are receiving ACL Deny alerts and Netprobes they should both contain the source and destination IP addresses.


          Normally these types of messages arrive in pairs, the first telling you that the alert has been triggered (so many ACL deny events in a specific time frame) and the other containing a digest of the individual audit events. It is this second message where you will find the source and destination IP address details, along with protocol types, port numbers, etc.


          I don't believe you can actually change the contents of these alert e-mails, but you'll find some customization of the when and how aspects of these messages are delivered in the Monitor -> Attack Responses and Monitor -> System Responses GUI screens.


          -Phil.
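As an added example (not from this thread or from the Sidewinder product): a small Python script that handles the message pair Phil describes, treating the trigger-only message as carrying no addresses and pulling source and destination details out of the digest message. The key=value digest layout is an assumed format for illustration only, since the real e-mail body is not shown in the thread.

```python
import re
from collections import Counter

# Constructed sample alert pair. The key=value digest layout is an
# assumption for illustration, not the real Sidewinder e-mail format.
TRIGGER_MSG = (
    "Subject: ACL Deny attack response triggered\n"
    "Threshold of 5 ACL deny events in 60 seconds exceeded on firewall fw1.\n"
)
DIGEST_MSG = (
    "Subject: ACL Deny audit digest\n"
    "event=acl_deny src_ip=203.0.113.10 dst_ip=198.51.100.5 proto=tcp dst_port=22\n"
    "event=acl_deny src_ip=203.0.113.10 dst_ip=198.51.100.5 proto=tcp dst_port=23\n"
    "event=acl_deny src_ip=203.0.113.44 dst_ip=198.51.100.5 proto=udp dst_port=161\n"
    "event=netprobe src_ip=192.0.2.7 dst_ip=198.51.100.9 proto=tcp dst_port=445\n"
)

EVENT_RE = re.compile(
    r"event=(?P<event>\S+)\s+src_ip=(?P<src>\S+)\s+dst_ip=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+dst_port=(?P<port>\d+)"
)


def parse_digest(text):
    """Extract one dict per audit event line; lines without a full
    event record (the Subject line, threshold text) are skipped."""
    matches = (EVENT_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def summarize_alerts(messages):
    """Combine the messages of one alert (trigger plus optional digest)
    into (event_count, Counter of source IPs). A trigger-only alert,
    which is all a truncated text message shows, yields (0, Counter())."""
    events = []
    for msg in messages:
        events.extend(parse_digest(msg))
    return len(events), Counter(e["src"] for e in events)


if __name__ == "__main__":
    n, sources = summarize_alerts([TRIGGER_MSG, DIGEST_MSG])
    print(f"{n} audit events; top sources: {sources.most_common(3)}")
```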

          • 2. Re: Log files
            regie

            Thanks PhilM for the answer.


            I went into Monitor -> Attack Responses and selected ACL deny, then selected response settings and added my email address for a contact. I apologize, I failed to tell you that the alerts were sent as text messages to my phone (maybe my flip phone won't display that much text). Most of the time, however, I would just receive one text message that would display basically the attack type and time. I would post one, but I have cleared them all. I will wait until I get one in my email and see what that does and let you know. Again, thank you.


            Regie

            • 3. Re: Log files
              regie

              Phil you were right.

              As usual, when you want something to happen it doesn't. I had to go into the firewall and adjust the criteria in order to get a hit, then checked my e-mail and it was there, just like you said.


              Thanks again

              Regie