Policy Adjustment Based on Attack Events in ADS

Policy Adjustment Based on Attack Events in ADS

abril 5, 2024 | NSFOCUS

This article provides a brief explanation of policy fine-tuning in ADS. Please note that fine-tuning the protection policy is a time-consuming process. This article focuses on how to check attack details in ADS based on attack events and optimize policies accordingly. Due to different versions of ADS, the screenshots shown in the article may differ from the actual device webpage you are using. However, the functionalities demonstrated in the article can still serve as a reference.

1. Attack Details

Attack Details can be found in the Logs -> Attack Log section of the ADS. Considering performance reasons, ADS randomly selects and displays only 3 logs from the last 30 seconds. If you cannot find information about a specific attack, it may be due to this reason.

2.  Protection Event Statistics

Protection Event Statistics, which can be found in the Logs -> Protection Log section of the ADS, provides a comprehensive display of all attack events. Unlike the attack details, this section does not display the source IP information, but it can show the attack duration status of the specific defense group. You can adjust the corresponding protection policies based on the attack events displayed here.

3.  Policy Fine Tunning

For example, if the displayed attack event is “Invalid_SYN_Packet” as shown in the screenshot above, it indicates that the “Invalid SYN Packet Filtering” policy in the “Anomalous Packet Filtering Rules” was triggered due to an invalid length of the SYN packet. You can adjust the corresponding policy in the corresponding group, e.g., “DemoGroup@DemoRegion” in the screenshot above.

By following the steps above, you can perform some policy optimization. However, as previously mentioned, policy optimization is an ongoing process that requires consideration of your specific business needs.

If in doubt about algorithm use, please feel free to contact the support team (support@nsfocusglobal.com). In addition, NSFOCUS has an MSS (Managed Security Service) service. And MSS service has a dedicated SoC team to assist with policy adjustments. If you are interested, please feel free to contact the SOC team (mss-support@nsfocusglobal.com).