4 Replies Latest reply on Jun 5, 2015 10:36 AM by tjreeddoc

    TCPTrafficAudit With SYN FIN Bits Set with possible Inference

    tjreeddoc

       

      All,

       

      In our Enterprise network, we have a Websense server.  This server permits or denies access to various websites.  I am trying to tune LEM not to generate an event unless this server receives 150 permits or 150 denies in one second.  But I am stuck at which Rule I should adjust.

       

      The filter I created to capture these events displays TCPTrafficAudit events.  When I look at the Rules, I see the following.  Which Rule should I adjust?

       

       

      TCPTrafficAudit All Flags Set with possible Inference

      TCPTrafficAudit FIN Bit Set with possible TCP Portscan Inference

      TCPTrafficAudit No Bits Set with possible TCP PortScan Inference

      TCPTrafficAudit with possible TCP PortScan Inference

      TCPTrafficAudit with possible Unusual TCP Traffic Inference

      TCPTrafficAudit With SYN FIN Bits Set with possible Inference

       

       

      T.J.
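The threshold described in the post (150 permits or 150 denies from the proxy within one second), written out as an added example of the counting logic in Python. This is not LEM rule syntax, not SolarWinds code, and not Websense's real log format: the line layout, field names, function names and sample lines below are constructed for the demonstration, and a real deployment would parse whatever fields the proxy actually emits.

```python
"""Sliding one-second threshold over proxy permit/deny events.

Added example; constructed log format, not a LEM rule and not Websense output.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed line format (assumption): "<ISO timestamp> <action> <client ip> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>permit|deny) (?P<client>\S+) (?P<url>\S+)$"
)

THRESHOLD = 150       # events of one action ...
WINDOW_SECONDS = 1.0  # ... inside this sliding window produce one alert


def parse_line(line):
    """Return (epoch seconds, action, client, url), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts")).timestamp()
    return ts, m.group("action"), m.group("client"), m.group("url")


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (action, first_ts, last_ts, count) bursts.

    Permits and denies are counted separately, each in its own sliding
    window. When a window holds `threshold` events one alert is emitted and
    that window is cleared, so a sustained flood yields one alert per
    `threshold` events rather than one alert per log line.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])          # tolerate out-of-order delivery
    windows = {"permit": deque(), "deny": deque()}
    alerts = []
    for ts, action, _client, _url in events:
        q = windows[action]
        q.append(ts)
        while q and ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((action, q[0], ts, len(q)))
            q.clear()
    return alerts


def make_sample_lines():
    """Constructed sample: 20 permits spread over 5 s, then 160 denies within 0.5 s."""
    base = datetime(2015, 6, 5, 10, 36, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        t = base + timedelta(milliseconds=250 * i)
        lines.append(f"{t.isoformat()} permit 10.1.2.{i % 5 + 1} http://example.com/page{i}")
    for i in range(160):
        t = base + timedelta(seconds=10, milliseconds=3 * i)
        lines.append(f"{t.isoformat()} deny 10.1.2.{i % 5 + 1} http://blocked.example/x{i}")
    return lines


if __name__ == "__main__":
    for action, first, last, count in find_bursts(make_sample_lines()):
        print(f"{action}: {count} events between {first:.3f} and {last:.3f}")
```

With the constructed sample the slow trickle of permits never fills a one-second window, while the 160 denies produce exactly one alert of 150 events; lowering `threshold` or widening `window` changes how many alerts the same input yields, which is the tuning knob the post is asking about.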