Configuring custom events, Configuration guide, Table 151 – H3C Technologies H3C SecCenter UTM Manager User Manual
Table 151 Query option

Option       Description
Virus Type   Select a virus type to query the corresponding viruses.
Details      Click the icon to view the detailed information of the virus category, including
             virus type, page, policy name, and the segment to which the policy applies. See
             Figure 163 Virus category information.
Configuring custom events
Massive numbers of security events occur on the network, and network administrators need to be aware of the critical ones in time. The custom event analysis function is introduced for this purpose. With this function, administrators customize an analysis policy by defining the sources of the event data, the event type, the event name, the source IP/port of attacks, the destination IP/port of attacks, and the protocols. The event analysis engine then correlates and analyzes the massive event data against the analysis policies. If a policy is matched, an event is recorded and an alarm is triggered.
The event analysis engine uses correlation to combine original events with different characteristics and to generate one event record for multiple repeated events within a specific period. This correlation analysis greatly reduces the number of event records.
A custom event is an analysis policy that contains one or more rules. Before you get started with the custom event analysis function, familiarize yourself with the following concepts:
• Policy: A policy contains one or more rules. If all rules of a policy are matched during a time period (the association interval in the policy), an alarm is triggered (a custom event is recorded).
• Rule: A rule contains one or more filters. If all filters of a rule are matched, the rule is considered to be matched. A time period and a threshold of repeated matches can also be set for a rule.
• Event: An original security event that the event analysis engine receives and processes.
• Filter: Match criteria for different fields in an event, that is, the configuration items in a rule.
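The following Python model is an added illustration of the policy/rule/filter semantics described above, not code from SecCenter or H3C: a rule matches when all of its filters match and a repeat threshold is reached within its time period, and a policy records one custom event when all of its rules have matched within the association interval. The event stream, field names, IP address, thresholds, and intervals are constructed for the example, and events are assumed to arrive in time order.

```python
from dataclasses import dataclass, field
from typing import Dict, List
Event = Dict[str, object]   # one original security event; "time" in seconds, stream time-ordered

@dataclass
class Rule:
    """Matched when all filters (field -> value) match and `threshold` hits fall within `period` seconds."""
    filters: Dict[str, object]
    period: float = 60.0
    threshold: int = 1
    hits: List[float] = field(default_factory=list)
    def feed(self, ev: Event) -> bool:
        if any(ev.get(k) != v for k, v in self.filters.items()):
            return False
        t = float(ev["time"])
        self.hits = [h for h in self.hits if t - h <= self.period] + [t]  # sliding window of hits
        return len(self.hits) >= self.threshold

@dataclass
class Policy:
    """Records one custom event when every rule has matched within `association_interval` seconds."""
    rules: List[Rule]
    association_interval: float = 300.0
    matched_at: Dict[int, float] = field(default_factory=dict)
    def feed(self, ev: Event) -> bool:
        t = float(ev["time"])
        for i, rule in enumerate(self.rules):
            if rule.feed(ev):
                self.matched_at[i] = t
        # forget rule matches older than the association interval, then require all rules
        self.matched_at = {i: m for i, m in self.matched_at.items() if t - m <= self.association_interval}
        if len(self.matched_at) < len(self.rules):
            return False
        self.matched_at.clear()   # one custom event record covers the whole correlated burst
        return True

# Constructed sample stream: repeated attack events from one host, then a virus event from it.
SAMPLE_EVENTS = [
    {"time": 0,  "type": "attack", "src_ip": "203.0.113.5", "dst_port": 22},
    {"time": 10, "type": "attack", "src_ip": "203.0.113.5", "dst_port": 22},
    {"time": 20, "type": "attack", "src_ip": "203.0.113.5", "dst_port": 22},
    {"time": 25, "type": "virus",  "src_ip": "203.0.113.5", "dst_port": 445},
    {"time": 30, "type": "attack", "src_ip": "203.0.113.5", "dst_port": 22},
]
def correlate(events: List[Event]) -> List[float]:
    """Return the event times at which the hypothetical policy recorded a custom event."""
    policy = Policy([
        Rule({"type": "attack", "src_ip": "203.0.113.5", "dst_port": 22}, period=60, threshold=3),
        Rule({"type": "virus", "src_ip": "203.0.113.5"}),   # threshold 1: a single hit matches
    ])
    return [float(ev["time"]) for ev in events if policy.feed(ev)]
```

Running `correlate(SAMPLE_EVENTS)` turns the five raw events into a single custom event at t=25, which is the record reduction the correlation analysis is meant to achieve.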
Configuration guide
From the navigation tree of the IPS management component, select Custom Events under Policy Management to enter the custom event management page, as shown in . You can configure a custom event analysis policy. When attack or virus events match the policy, an alarm is triggered.
The custom event management page shows a list of custom events (analysis policies), displaying the custom event name, level, notification method, number of unacknowledged events, time when the last alarm was triggered, and the status of the policy. The page also allows you to add new custom events; delete, modify, export, and import custom events; edit the notification method of custom events; enable or disable custom events; authorize operators; and remove authorization.
describes the custom event management functions.