Responder has a number of configurable settings. You can configure triggers for a
response, set thresholds, supply the SMS with the URL to which hosts that trigger Responder
policies can be redirected, control the criteria by which a host action is closed,
and so on. When a response is triggered, the SMS uses an Active Responder policy to
manage affected hosts and halted traffic streams. Each policy requires a set of actions
and settings configured to respond to malicious traffic by using switches in the network
topology.

Responder is a policy-based service that reacts to triggers and performs a set of
actions. You configure and enable Responder policies in the SMS that determine how
the service reacts and what actions it takes. A policy can be triggered in several
ways: by thresholding, manually, through a Web service, or by escalation of an IPS
Quarantine action.
You can configure policies to include or exclude sets of IP addresses. A policy incorporates
a dependency capability that allows actions in the list to execute conditionally,
based on the success or failure of other actions.

You configure Responder by creating Active Responder policies, specifying or creating
Responder actions, configuring the network equipment that will participate in the Active
Responder system, and configuring server options.
