Basic rule structure. Watchguard XCS

Threat Prevention

Create Threat Prevention Rules

The Threat Prevention feature runs a connection rules script each time a client tries to connect to the system.

The script determines whether to accept or reject a connection based on the client's threat prevention history. The script is also responsible for moving IP addresses into the appropriate data groups, such as infected or spammers.

The full script itself is not editable, but it is updated with the condition statements and actions that are defined for each Threat Prevention rule. These rules are configurable, and the system checks the script when new rules are applied to ensure there are no syntax or execution errors.

Basic rule structure

The basic structure of a connection rule is as follows:

- Rule Condition — A set of criteria that must be met for the rule to be triggered, such as “stats1h.virus > 10” (10 or greater virus-infected messages sent in the last hour). The system collects over fifteen different types of data that can be used to create a rule condition.

- Action — Action to take when the rule condition is met, such as Accept or Reject.

- Reject code — The reject code to send back to the sending server, such as “temporary reject (450)” or “permanent reject (550)”.

- List — The data group to add this IP address to, if the condition is met. For example, a sender that triggers a spam rule can be placed in the spammers group.

Default connection rules

The default connection rules are active when the Threat Prevention feature is enabled. These rules include checks for typical conditions such as blocked clients, virus and junk mail senders, and denial of service (DoS) attempts. The default rules are also helpful for learning how to put together condition statements for customized connection rules.

Blacklisted clients

This rule checks to see if the client is already blocked by Threat Prevention. The condition statement “is_blacklist” simply checks if the client is listed in the blacklist IP/CIDR list. If the check is true, the client will be rejected and added to the blacklisted data group.
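The following is an added illustration of the rule structure described above (condition, action, reject code, list) and of how the Blacklisted clients rule fits it; it is not the XCS connection rules script, and the data layout, first-match ordering and the stat name stats1h.spam are assumptions for the model.

```python
# Added example (not WatchGuard's own script): a minimal model of how a
# Threat Prevention connection rule is evaluated against one client.
# The condition syntax follows the guide's examples ("stats1h.virus > 10",
# "is_blacklist"); everything else is an assumption of this model.
import operator
import re
from dataclasses import dataclass, field
from typing import Optional

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}
# <stat name> <comparison> <integer>, e.g. "stats1h.virus > 10"
COND_RE = re.compile(r"^\s*([\w.]+)\s*(>=|<=|==|>|<)\s*(\d+)\s*$")

@dataclass
class Client:
    ip: str
    stats: dict                                  # e.g. {"stats1h.virus": 12}
    groups: set = field(default_factory=set)     # data groups the IP is in

@dataclass
class Rule:
    condition: str
    action: str                        # "Accept" or "Reject"
    reject_code: Optional[int] = None  # 450 temporary, 550 permanent
    add_to: Optional[str] = None       # data group to add the IP to

def evaluate_condition(cond: str, client: Client) -> bool:
    """True when the condition matches this client's history."""
    if cond == "is_blacklist":         # membership in the blacklist IP/CIDR list
        return "blacklist" in client.groups
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unsupported condition syntax: {cond!r}")
    key, op, value = m.groups()
    # Comparison is applied literally; a stat never collected counts as 0.
    return OPS[op](client.stats.get(key, 0), int(value))

def run_rules(rules: list, client: Client):
    """First matching rule wins; its list (if any) receives the client IP."""
    for rule in rules:
        if evaluate_condition(rule.condition, client):
            if rule.add_to:
                client.groups.add(rule.add_to)
            return rule.action, rule.reject_code
    return "Accept", None              # assumption: no match means accept

# Constructed sample rule set mirroring the guide's examples.
DEFAULT_RULES = [
    Rule("is_blacklist", "Reject", 550, "blacklisted"),
    Rule("stats1h.virus > 10", "Reject", 550, "infected"),
    Rule("stats1h.spam > 50", "Reject", 450, "spammers"),  # assumed stat name
]
```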

User Guide 311
