Threat Prevention Rules, Exceptions, Default Actions Precedence

L1 Bithead

I want to confirm the order of precedence for security profile rules, default actions, and exceptions.  For example, the default action for the SSH User Authentication Brute Force Attempt threat is alert.  However, the threat profile rule associated (simple-server-high) has an action of reset-both.  I think the rule action will override the default action of the signature meaning that the action of reset-both will be taken.  Is that correct?


As a follow-up, in that scenario I also have exceptions for a few IPs that use the default action of alert.  I think the exception will take precedence and the action will be to alert.  Is that correct?


To summarize, I think rules override the default action but exceptions override both the rules and original default action when an exception is enabled.  Is that correct?

L5 Sessionator

Yes, that should be how it works. Please report it here if you actually get a different result.
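The precedence the thread describes (exception, then profile rule, then signature default action) as a small resolver, added here as an illustration; it is not PAN-OS code and does not consult a firewall. The signature name comes from the thread; its severity ("high"), the rule's severity match, the exempt IP list, the second signature and the first-match rule order are constructed assumptions for the example.

```python
"""Resolver for the threat-prevention action precedence discussed above.

Hypothetical model (an assumption, not PAN-OS code). The effective action
for a threat hit is, in order:
  1. a matching exception's action, when the exception names the signature
     and the source IP is in its exempt list (an empty list means it applies
     to every source),
  2. otherwise the action of the first profile rule whose severity set
     contains the signature's severity,
  3. otherwise the signature's default action.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Signature:
    name: str
    severity: str          # assumed severity label, e.g. "high"
    default_action: str    # the vendor's default action for the signature


@dataclass
class ProfileRule:
    name: str
    severities: Tuple[str, ...]   # severities this rule matches
    action: str


@dataclass
class ThreatException:
    threat_name: str
    action: str
    exempt_ips: List[str]  # IPs or CIDRs; empty list = applies to all sources


def _ip_in(ip: str, cidrs: List[str]) -> bool:
    """True if ip falls inside any of the given IPs/CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def effective_action(sig: Signature, rules: List[ProfileRule],
                     exceptions: List[ThreatException],
                     src_ip: str) -> Tuple[str, str]:
    """Return (action, reason) for a hit on sig from src_ip."""
    # 1. Exceptions win over everything when they apply to this source.
    for ex in exceptions:
        if ex.threat_name == sig.name and (
                not ex.exempt_ips or _ip_in(src_ip, ex.exempt_ips)):
            return ex.action, f"exception:{ex.threat_name}"
    # 2. The profile rule overrides the signature default (first match).
    for rule in rules:
        if sig.severity in rule.severities:
            return rule.action, f"rule:{rule.name}"
    # 3. Nothing matched: fall back to the signature's default action.
    return sig.default_action, "signature-default"


# Constructed sample configuration mirroring the thread's scenario.
SSH_BRUTE = Signature("SSH User Authentication Brute Force Attempt",
                      "high", "alert")
LOW_SIG = Signature("Example Low Severity Signature", "low", "alert")
RULES = [ProfileRule("simple-server-high", ("high", "critical"), "reset-both")]
EXCEPTIONS = [ThreatException(SSH_BRUTE.name, "alert",
                              ["10.0.0.5", "10.0.1.0/24"])]


def resolve(src_ip: str, sig: Signature = SSH_BRUTE) -> Tuple[str, str]:
    """Convenience wrapper over the sample configuration."""
    return effective_action(sig, RULES, EXCEPTIONS, src_ip)


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.1.77", "192.0.2.10"):
        print(ip, resolve(ip))
    print("low-severity hit", resolve("192.0.2.10", LOW_SIG))
```

With this sample configuration an exempted source (10.0.0.5 or anything in 10.0.1.0/24) gets alert from the exception, any other source gets reset-both from simple-server-high, and a signature no rule matches falls through to its default action. When checking a real deployment, compare the threat log's action column against this expectation rather than trusting the model.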
