You can modify the criteria defined in the policy to fine-tune the default response.
Procedure
- On the Responder navigation pane, click Policies.
- On the Policies screen, select the Default Response entry from the Active Responder Policies list, and then click Edit.
  The Active Response Policy wizard opens.
- On the Initiation and Timeout screen, enter the following information:
  - Specify the mechanism to use to initiate the policy. See Policy initiation.
  - To set a timeout option, select Enable Automatic Timeout and enter a time in minutes, hours, or days.
  Note
  Enabling automatic timeout ends the continued application of Response Actions after the prescribed time limit, even if remediation has not occurred.
- Click Inclusions and Exclusions.
  - Specify the hosts/networks to Allow Active Response or Never Respond.
  - Click the arrow next to a field to add an existing Named Resource or to create a new Named Resource.
- If it is enabled, select Correlation and Thresholding, and provide settings in the Automatic Response Configuration and Qualified Filter Hit Notifications sections.
  Note
  The Correlation and Thresholding screen is available only if you select Enable Policy on the Initiation and Timeout screen.
- Select Actions, and then enter the following information:
  - Priority — The order in which the actions are to be performed.
  - Action — Name assigned to the action that you created.
  - Condition — Trigger for running the action. This option is set when you add a new action to the Response Policy. You can change it by editing a selected action on this screen.
  - Dependency — Specify what other action must take place for this action to be triggered.
- Click Add to add a Response Action, or select an existing action entry, and then click Edit.
- In the Response Action dialog, enter the following information:
  - Select an Action from the menu, or click New to create a new Response Action. The selections available in the Action menu are the Response Actions defined in the Active Response (Actions) area.
  - Select an option under Conditional Execution.
  - To create dependencies when you add an action:
    - In the Action list, select an action to add.
    - Under Conditional Execution, select either Only on success of or Only on failure of.
    - In the list, select the action to connect for dependency.
  For example, suppose you add an action called Email Admin with an action type of Email, and you have an existing action called Switch Down (Switch Disconnect type). For Email Admin, if you specify Only on success of Switch Down, then when the switch goes down, the email action sends a message informing the network administrator.
- On the Actions screen, review the listed actions.
  To change the priority of an action, select it and use the up and down arrows to move it within the list.
- On the IPS Destinations screen, select which devices will receive the Response Policy.
  - To distribute to all IPS devices, select the All Devices checkbox.
  - To distribute to selected IPS devices, expand the All Devices entry, and then select one or more IPS devices.
- Click OK.
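The following added example (not part of this documentation or the product's own code) models how the Priority, Condition and Dependency settings above interact: actions run in priority order, and an action gated with Only on success of or Only on failure of runs only if its dependency has already produced that outcome. The action names and outcomes are constructed; the Email Admin / Switch Down pair follows the example in the procedure, and the misordered "Log Event" action shows why a dependency must sit earlier in the priority list.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ResponseAction:
    name: str
    priority: int                     # lower number runs first
    run: Callable[[], bool]           # True on success, False on failure
    condition: str = "always"         # "always" | "success" | "failure"
    depends_on: Optional[str] = None  # action whose outcome gates this one


def execute_policy(actions: List[ResponseAction]) -> Dict[str, str]:
    """Run actions in priority order, gating each on its dependency's outcome.

    Returns a dict mapping action name to "success", "failure" or "skipped".
    A dependency that has not run yet (it sits later in the priority order,
    or is not in the policy at all) counts as unmet, so the action is skipped.
    """
    results: Dict[str, str] = {}
    for action in sorted(actions, key=lambda a: a.priority):
        if action.condition != "always":
            if results.get(action.depends_on) != action.condition:
                results[action.name] = "skipped"
                continue
        results[action.name] = "success" if action.run() else "failure"
    return results


def example_policy(switch_succeeds: bool) -> Dict[str, str]:
    """Constructed policy: Email Admin runs only on success of Switch Down,
    a second notification runs only on its failure, and Log Event is
    misordered (priority 0) so its dependency has not run when it is checked."""
    actions = [
        ResponseAction("Switch Down", 1, lambda: switch_succeeds),
        ResponseAction("Email Admin", 2, lambda: True,
                       condition="success", depends_on="Switch Down"),
        ResponseAction("Email Admin (failure)", 3, lambda: True,
                       condition="failure", depends_on="Switch Down"),
        ResponseAction("Log Event", 0, lambda: True,
                       condition="success", depends_on="Switch Down"),
    ]
    return execute_policy(actions)


if __name__ == "__main__":
    print(example_policy(True))
    print(example_policy(False))
```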