08-22-2023 10:54 AM
I want to confirm the order of precedence for security profile rules, default actions, and exceptions. For example, the default action for the SSH User Authentication Brute Force Attempt threat is alert. However, the threat profile rule associated (simple-server-high) has an action of reset-both. I think the rule action will override the default action of the signature meaning that the action of reset-both will be taken. Is that correct?
As a follow up, in that scenario I also have exceptions for a few IPs with that use the default action of alert. I think the exception will take precedence and the action will be to alert. Is that correct?
To summarize, I think rules override the default action but exceptions override both the rules and original default action when an exception is enabled. Is that correct?
08-22-2023 09:49 PM
Yes, that should be how it works. Please report it here if you actually get a different result.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
