Difference between revisions of "Intrusion Prevention3"

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
(Blanked the page)
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
<span style="display:none" class="helpSource intrusion_prevention">Intrusion_Prevention</span>
<span style="display:none" class="helpSource intrusion_prevention_status">Intrusion_Prevention#Status</span>
<span style="display:none" class="helpSource intrusion_prevention_rules">Intrusion_Prevention#Rules</span>
<span style="display:none" class="helpSource intrusion_prevention_variables">Intrusion_Prevention#Variables</span>
<span style="display:none" class="helpSource intrusion_prevention_event_log">Intrusion_Prevention#Event_Log</span>
{| width='100%'
| align="center" | [[Image:IntrusionPrevention.png|128px]] &nbsp; &nbsp; '''Intrusion Prevention'''
| align="center" |
| Other Links:
|[http://www.untangle.com/store/intrusion-prevention.html Intrusion Prevention Description Page]
|[http://demo.untangle.com/admin/index.do#service/intrusion-prevention Intrusion Prevention Demo]
|[http://forums.untangle.com/intrusion-prevention/ Intrusion Prevention Forums]
|[[Intrusion Prevention Reports]]
|[[Intrusion Prevention FAQs]]
== About Intrusion Prevention ==
Intrusion Prevention is an [http://en.wikipedia.org/wiki/Intrusion_detection_systems Intrusion Detection system] that detects malicious activity on your network.
To detect malicious activity, Intrusion Prevention uses signature detection, a method that draws upon a database of known attack patterns.
If Intrusion Prevention detects malicious activity, the [http://en.wikipedia.org/wiki/Session_%28computer_science%29 session] for that activity can be logged or blocked.
''Note:'' Intrusion Prevention installs but is off by default.
=== Overview ===
Signatures match malicious network traffic patterns and perform actions such as logging without affecting the session or blocking the session.
A signature may also be disabled.
Matching patterns and performing an action is how IPS works.
A signature's Recommended Action is recommended by the provider.  Its action can be set to Log, Block, or Disabled.  If Disabled, the signature is not loaded into memory. 
Providers rare never set a signautre's Recommendation Action to block as pattern matching is not always perfect and can cause a false positive. 
Blocking a false positive prevents legitimate traffic on your network so enabling the Block action should be done with caution.
Rules are used to set a group of one or more signature's actions, allowing you to effectively manage the large number of recommended signatures, current around 26,0000 signatures.
Rules can match signature conditions such as a signature's classtype or category groupings.
On a match, a rule will cause a signature to be enabled (Log, Block), disabled, or follow Recommended actions.
Any signature not matched by a rule is Disabled.
Recommended signatures are automatically updated several times a week.  Whether new or updated signatures are enabled is determined by your rule settings.
All enabled and matched signature sessions are logged to the Intrusion Prevention All Events log.  It's highly recommended that you review this log on a daily basis.
=== Resource and Performance Considerations ===
Intrusion Prevention requires at least 2 gigabytes of RAM. 
The number of signatures enabled combined with amount of traffic on your network affect how much system memory is used by IPS.
Intrusion Prevention can be memory intensive.  How much is used is a combination of the number of signatures enabled for Log or Block and the amount of traffic that goes through your system.
Not all signatures should be enabled.
In the majority of cases, using Recommended actions for approrpiate classtypes is the most appropriate.
== Settings ==
=== Status ===
The Status tab shows the following information:
* Memory Usage.  The amount of system memory the IPS engine is using compared to your installed system memory.
* Metrics.  The number of blocked, logged, and scanned sessions.
* Overview.  Signatures and Signature Updates.
** Signatures.  Total number of signatures available and the number set for Log, Block, Disabled.
** Updates.  The last time signatures were updated and the last time a check was performed.  Updates do not neccessarily occur on each check.
=== Rules ===
Rules control whether signatures are active or not by matching conditions and performing actions upon signatures.
match characteristics of signatures and if matched, set signature action.
* Signature Identifier
* Group Identifier
* Category
* Classtype
* Message
* Protocol
* Source Address
* Source Port
* Destination Address
* Destination Port
* Any part of signature
* Custom signature
* Recommended Action
* System Memory
* Recommended
* Enable Log
* Enable Block if Recommended is Log
* Emable Block
* Disable
Simply uncheck '''Block''' (and '''Log''' if you wish) and the the traffic will no longer be blocked.
=== Signatures ===
Intrusion Prevention provides a list of [[#Learning More About Signature ID Rules|signatures]] that you can have Untangle '''Log''' or '''Block''' when traffic matches them. The rules are grouped by classtype and can be searched using the search field at the bottom of the page.
In most cases, you do not need to change the recommended settings. You should only need to disable a signature if that rule blocks traffic from a unique software application that you must use. CREATE RULES.
The signatures are automatically updated using the latest Suricata signatures.
*SID: The signature's identifier.
*Classtype: Suricata classtype (grouping) of the signature.
*Category: Suricata category (grouping) for the signature.
*Msg: Name of the signature.
*Reference: Links to reference information on the attack the signature will detect (if available).
*Log/Block: Enable these to log or block traffic matching the signature.
*Edit: Modify a a custom signature from the system.
*Copy: Copy a signature.  Copied signatures become part of the custom set.
*Delete: Delete a custom signature from the system.
Using the Add button, you can also add your own custom signatures to the system. This should only be attempted by advanced users with a strong knowledge of Suricata signature creation. Adding invalid or poorly written rules will negatively impact network performance.
=== Variables ===
This tab provides administrators access to Suricata variables. These variables are used in rules to specify criteria for the source and destination of a packet.
Suricata's most important variable is $HOME_NET. $HOME_NET defines the network or networks you are trying to protect - it is computer automatically based on your network configuration - it includes all local networks (including aliases).
Using the Add button, custom variables can be added. Adding variables may be used by users adding their own rules.This should only be attempted by advanced users with a strong knowledge of Suricata signature creation.
== Updates ==
Signatures are automatically updated every night.  Any rule modifications the administrator has made will remain.  New signatures are added with recommended actions.
== Reports ==
{{:Intrusion Prevention Reports}}
== All Events ==
== Related Topics ==
[http://en.wikipedia.org/wiki/Intrusion_prevention_system Intrusion Prevention Systems]
[https://suricata.readthedocs.io/en/suricata-3.2.1/rules/index.html Suricata - Writing Suricata Signatures]
== Intrusion Prevention FAQs ==
{{:Intrusion Prevention FAQs}}

Latest revision as of 20:57, 13 November 2018