Intrusion Prevention FAQs: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
No edit summary
 
Line 11: Line 11:
=== Why aren't most of Intrusion Prevention's rules blocked by default? ===
=== Why aren't most of Intrusion Prevention's rules blocked by default? ===


Because many rules can block non-malicious traffic in addition to malicious exploits we don't turn them all on by default. To make things easy for you, we've evaluated each rule and determined the appropriate default settings for each rule using the following criteria:
Because many rules can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.
 
* If the rule is '''always''' known to block malicious exploits, Intrusion Prevention blocks and logs this rule by default.
* If the rule is '''sometimes''' known to block malicious exploits, Intrusion Prevention logs this rule by default.
* If the rule is '''never''' known to block malicious exploits, Intrusion Prevention neither blocks nor logs this rule by default.
 
You're free to change the action of all rules as you see fit for your network.


You're free to change the action of any rules as you see fit for your network.


=== Can Intrusion Prevention rules be configured differently on Policy Manager racks? ===
=== Can Intrusion Prevention rules be configured differently on Policy Manager racks? ===

Revision as of 20:39, 14 December 2016

Is Intrusion Prevention based on an open source project?

Yes, Intrusion Prevention is based on Snort.


Why is there no reference information for a specific rule?

If there is no information link available for a specific rule, you can try searching the rule ID at Snort Rules for more info.


Why aren't most of Intrusion Prevention's rules blocked by default?

Because many rules can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.

You're free to change the action of any rules as you see fit for your network.

Can Intrusion Prevention rules be configured differently on Policy Manager racks?

No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.


Why has Untangle has switched to Emerging Threat rules?

We feel they better reflect real-world uses for our customer environments. By default, more are enabled for logging.


Why is this rule set smaller?

The previous rule set had a considerable amount that was marked deleted.


How does this affect my IPS deployment?

For most customer who have configured through the IPS Wizard there will be more rules enabled for logging and slightly more memory usage. If you had any rules configured to block, those settings could be changed due to removed rules.