Intrusion Prevention FAQs: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
 
(9 intermediate revisions by 2 users not shown)
Line 13: Line 13:
You're free to change the action of any rule to block signatures as you see fit for your network.
You're free to change the action of any rule to block signatures as you see fit for your network.


=== Can Intrusion Prevention rules be configured differently on Policy Manager racks? ===
=== Can Intrusion Prevention rules be configured differently within different policies? ===


No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.
No. Intrusion Prevention applies to all traffic flowing through NG Firewall so different configurations are not possible.


=== What is the difference between rule block actions? ===


=== Why has Untangle has switched  to Emerging Threat rules? ===
''Enable Block if Recommended is Log'' will only enable a signature to Block if its ''Recommended Action'' is Log.


We feel they better reflect real-world uses for our customer environments.  By default, more are enabled for logging.
''Enable Block'' will unconditionally set all matching signatures to Block.


The difference is that a signature's ''Recommended Action'' (almost always either Log or Disabled) is carefully considered by the signature provider.
A rule set to ''Enable Block if Recommended is Log'' will likely set that smaller and "safer" set of signatures to Block whereas ''Enable Block'' will likely set a larger set of signatures with more potential to disrupt legitimate traffic on your network.


=== Why is this rule set smaller? ===
=== How can I exclude network processing for signatures? ===


The previous rule set had a considerable amount that was marked deleted.
Create a variable with the network you wish to exclude in standard CIDR format such as 192.168.1.0/24.  If you have multiple networks to exclude, create a comma-separated list surrounded by square brackets such as [192.168.25.1.0/24,10.10.0.0/24].


Next, create a rule to match the signatures you wish to exclude.  For Action select Whitelist and then specify the variable you created to either Source or Destination networks.


=== How does this affect my IPS deployment? ===
NOTE: Unlike other Rule actions, the Whitelist action doesn't enable logging/blocking for rules.  Signatures affected by Whitelist rules will still be processed by the first matching non-Whitelist Rule.


For most customer who have configured through the IPS Wizard there will be more rules enabled for logging and slightly more memory usage. If you had any rules configured to block, those settings could be changed due to removed rules.
=== How do I extend the HOME_NET variable? ===
 
IPS attempts to determine the appropriate HOME_NET based on your network configuration but if a network doesn't appear to be in the list (mouse over the variable), you can either replace the HOME_NET variable value entirely or append to the existing using by leaving the default value and adding a comma separated list of additional CIDR formatted networks such as default,10.10.10.10/32,192.168.2.0/24.

Latest revision as of 18:40, 3 May 2022

Is Intrusion Prevention based on an open source project?

Yes, Intrusion Prevention is based on Suricata.

Why is there no reference information for a specific signature?

If there is no information link available for a specific signautre, you can try searching the signature ID at Suricata Rules for more info.

Why aren't most of Intrusion Prevention's signatures blocked by default?

Because many signatures can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.

You're free to change the action of any rule to block signatures as you see fit for your network.

Can Intrusion Prevention rules be configured differently within different policies?

No. Intrusion Prevention applies to all traffic flowing through NG Firewall so different configurations are not possible.

What is the difference between rule block actions?

Enable Block if Recommended is Log will only enable a signature to Block if its Recommended Action is Log.

Enable Block will unconditionally set all matching signatures to Block.

The difference is that a signature's Recommended Action (almost always either Log or Disabled) is carefully considered by the signature provider. A rule set to Enable Block if Recommended is Log will likely set that smaller and "safer" set of signatures to Block whereas Enable Block will likely set a larger set of signatures with more potential to disrupt legitimate traffic on your network.

How can I exclude network processing for signatures?

Create a variable with the network you wish to exclude in standard CIDR format such as 192.168.1.0/24. If you have multiple networks to exclude, create a comma-separated list surrounded by square brackets such as [192.168.25.1.0/24,10.10.0.0/24].

Next, create a rule to match the signatures you wish to exclude. For Action select Whitelist and then specify the variable you created to either Source or Destination networks.

NOTE: Unlike other Rule actions, the Whitelist action doesn't enable logging/blocking for rules. Signatures affected by Whitelist rules will still be processed by the first matching non-Whitelist Rule.

How do I extend the HOME_NET variable?

IPS attempts to determine the appropriate HOME_NET based on your network configuration but if a network doesn't appear to be in the list (mouse over the variable), you can either replace the HOME_NET variable value entirely or append to the existing using by leaving the default value and adding a comma separated list of additional CIDR formatted networks such as default,10.10.10.10/32,192.168.2.0/24.