All,
In our Enterprise network, we have a Websense server. This server permits or denies access to various websites. I am trying to tune LEM not to generate an event unless this server receives 150 permits or 150 denies in one second. But I am stuck at which Rule I should adjust.
The filter created to capture events displays TCPTrafficAudit events. When I look at the Rules, I see the following. Which Rule should I adjust?
TCPTrafficAudit All Flags Set with possible Inference
TCPTrafficAudit FIN Bit Set with possible TCP Portscan Inference
TCPTrafficAudit No Bits Set with possible TCP PortScan Inference
TCPTrafficAudit with possible TCP PortScan Inference
TCPTrafficAudit with possible Unusual TCP Traffic Inference
TCPTrafficAudit With SYN FIN Bits Set with possible Inference
T.J.
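The threshold the post is after (alert only when one action type reaches 150 events within a single second) is an aggregation over a time bucket rather than a per-event match. The following Python is an added example, not code from the post or from SolarWinds LEM, and it does not reproduce LEM's rule syntax; it assumes a simplified, constructed log line format (ISO timestamp, PERMIT/DENY action, client IP, URL) that is not Websense's real export format. It buckets events by second and reports only the (second, action) pairs that reach the threshold, which is the behaviour a tuned rule should have.

```python
"""Per-second threshold detection over permit/deny events (added example).

Assumed, simplified log format (constructed, not Websense's real format):
    <ISO timestamp> <PERMIT|DENY> <client_ip> <url>
"""
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 150  # events of one action type within one second, per the post


def parse_line(line):
    """Return (bucket, action): bucket is the timestamp truncated to the second."""
    ts, action, _client, _url = line.split(maxsplit=3)
    stamp = datetime.fromisoformat(ts)
    return stamp.replace(microsecond=0), action.upper()


def find_bursts(lines, threshold=THRESHOLD):
    """Count PERMIT and DENY events per second and return the
    (second, action, count) tuples that reach the threshold, in time order.
    Seconds below the threshold produce nothing, so a rule built on this
    logic stays quiet during normal browsing volume."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        bucket, action = parse_line(line)
        if action in ("PERMIT", "DENY"):
            counts[(bucket, action)] += 1
    return sorted((b, a, c) for (b, a), c in counts.items() if c >= threshold)


def make_sample_log():
    """Constructed sample: 160 permits and 20 denies inside 12:00:00, then
    40 permits spread over 12:00:01 (below the threshold)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(160):
        t = base + timedelta(milliseconds=i * 6)  # 0..954 ms, same second
        lines.append(f"{t.isoformat()} PERMIT 10.0.0.{i % 250 + 1} http://example.com/{i}")
    for i in range(20):
        t = base + timedelta(milliseconds=i * 40)
        lines.append(f"{t.isoformat()} DENY 10.0.0.{i + 1} http://blocked.example/{i}")
    for i in range(40):
        t = base + timedelta(seconds=1, milliseconds=i * 20)
        lines.append(f"{t.isoformat()} PERMIT 10.0.0.{i + 1} http://example.com/b{i}")
    return lines


if __name__ == "__main__":
    for second, action, count in find_bursts(make_sample_log()):
        print(f"{second.isoformat()} {action} x{count} reached threshold {THRESHOLD}")
```

With the constructed sample only the 160-permit second is reported; the 20 denies and the 40 permits in the following second stay silent. Lowering `threshold` shows how much noisier the rule becomes, which is a quick way to sanity-check a chosen count against real traffic volume before applying it in the console.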
