Intrusion Prevention FAQs: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
No edit summary
No edit summary
Line 16: Line 16:


No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.
No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.
=== What is the difference between rule block actions? ===
''Enable Block if Recommended is Log'' will only enable a signature to Block if its ''Recommended Action'' is Log.
''Enable Block'' will unconditionally set all matching signatures to Block.
The difference is that a signature's ''Recommended Action'' (almost always either Log or Disabled) is carefully considered by the signature provider.
A rule set to ''Enable Block if Recommended is Log'' will likely set that smaller and "safer" set of signatures to Block whereas ''Enable Block'' will likely set a larger set of signatures with more potential to disrupt legitimate traffic on your network.

Revision as of 21:05, 13 November 2018

Is Intrusion Prevention based on an open source project?

Yes, Intrusion Prevention is based on Suricata.

Why is there no reference information for a specific signature?

If there is no information link available for a specific signautre, you can try searching the signature ID at Suricata Rules for more info.

Why aren't most of Intrusion Prevention's signatures blocked by default?

Because many signatures can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.

You're free to change the action of any rule to block signatures as you see fit for your network.

Can Intrusion Prevention rules be configured differently on Policy Manager racks?

No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.

What is the difference between rule block actions?

Enable Block if Recommended is Log will only enable a signature to Block if its Recommended Action is Log.

Enable Block will unconditionally set all matching signatures to Block.

The difference is that a signature's Recommended Action (almost always either Log or Disabled) is carefully considered by the signature provider. A rule set to Enable Block if Recommended is Log will likely set that smaller and "safer" set of signatures to Block whereas Enable Block will likely set a larger set of signatures with more potential to disrupt legitimate traffic on your network.