Difference between revisions of "Intrusion Prevention3"

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
(Blanked the page)
Line 1: Line 1:
<span style="display:none" class="helpSource intrusion_prevention">Intrusion_Prevention</span>
<span style="display:none" class="helpSource intrusion_prevention_status">Intrusion_Prevention#Status</span>
<span style="display:none" class="helpSource intrusion_prevention_rules">Intrusion_Prevention#Rules</span>
<span style="display:none" class="helpSource intrusion_prevention_variables">Intrusion_Prevention#Variables</span>
<span style="display:none" class="helpSource intrusion_prevention_event_log">Intrusion_Prevention#Event_Log</span>
{| width='100%'
| align="center" | [[Image:IntrusionPrevention.png|128px]] &nbsp; &nbsp; '''Intrusion Prevention'''
| align="center" |
| Other Links:
|[http://www.untangle.com/store/intrusion-prevention.html Intrusion Prevention Description Page]
|[http://demo.untangle.com/admin/index.do#service/intrusion-prevention Intrusion Prevention Demo]
|[http://forums.untangle.com/intrusion-prevention/ Intrusion Prevention Forums]
|[[Intrusion Prevention Reports]]
|[[Intrusion Prevention FAQs]]
== About Intrusion Prevention ==
Intrusion Prevention is an [http://en.wikipedia.org/wiki/Intrusion_detection_systems Intrusion Detection system] that detects malicious activity on your network.
To detect malicious activity, Intrusion Prevention uses ''signatures'', a method that draws upon a database of known attack patterns.
If a network [http://en.wikipedia.org/wiki/Session_%28computer_science%29 session] matches a signature, its enabled ''action'' directs Intrusion Prevention to
''Log'' (records the incident but '''does not stop''' the activity) or ''Block'' (records the incident and '''does stop''' the activity).
There is tremendous diversity between networks and it is possible for a signature to correctly identify malicious activity on one network and incorrectly match legitimate traffic on another.
Logging all matching signatures can make it difficult to effectively monitor Intrusion Prevention and blocking can disrupt legitimate traffic causing cause your network to appear to be broken. 
Therefore it is perfectly legitimate for there to be many signatures set as ''disabled'' or not active in Intrusion Prevention.
In fact, it is advised that you use to the ''Recommended'' actions as specified by the signature database providers.
The database contains over 26,000 signatures making it difficult to manage signatures directly.
''Rules'' are used to configure groups of signatures on matching various attributes.
A condition can match an attribute such as classtype. For all signatures that match, they are configured in Intrusion Prevention according to the rule action.
Any signature not matched by a rule is Disabled.
A default set of rules based on system memory are enabled by default.
The signature database is automatically updated several times a week.  New and updated rules will be configured as determined by rules.
All detected activity for enabled signatures is recorded to the Intrusion Prevention ''All Events'' log.  You should review this log on a daily basis.
''Note:'' Intrusion Prevention installs but is off by default.
''Note:'' Intrusion Prevention can be memory intensive and requires at least 2GB of RAM.  The amount used is a combination of the number of enabled signatures and the amount of traffic that goes through your system.
== Settings ==
=== Status ===
The Status tab shows the following information:
* Memory Usage.  The amount of system memory the IPS engine is using compared to your installed system memory.
* Metrics.  The number of blocked, logged, and scanned sessions.
* Overview.  Signatures and Signature Updates.
** Signatures.  Total number of signatures available and the number set for Log, Block, Disabled.
** Updates.  The last time the signature database was updated and the last time a check was performed.  Database updates do not occur on each check.
=== Rules ===
Rules allow you to control which signatures are enabled (and their actions) or disabled.
Signatures are processed in rule order.
Any signature not matched by a rule is disabled.
The [[Rules|Rules documentation]] describes how rules generally work and how they are configured.  The major difference for Intrusion Prevention is the Conditions List.
At the bottom of the tab a stats bar indicates how many signatures are affected by the currently defined rules.
When adding or editing a rule, the bottom of the edit window will show how many signatures are affected by the conditions as you build the rule.
==== Rule Conditions ====
Conditions define which signatures will match the rule. If and only if all of the conditions match, the rule is considered a match.
The following conditions are specific to Intrusion Prevention rules:
{| border="1" cellpadding="2" font="sans-serif" style="border-collapse: collapse;"
! style="text-align: left" | Name
! style="text-align: left" | Syntax
! style="text-align: left" | Function
| Signature identifier
| Numeric
| Matches if value matches the exact or partial signature identifier.
| Group identifier
| Numeric
| Matches if value matches the exact or partial group identifier.
| Category
| Checkbox
| Matches if value is in one of the checked categories.
| Classtype
| Checkbox
| Matches if value is in one of the checked classtypes.
| Message
| Text
| Matches if value matches the exact or partial signature subject message.
| Protocol
| Checkbox
| Matches if value is in one of the checked protocols.
| Source Address
| Text
| Matches if value matches the exact or partial source address.
| Source Port
| Text
| Matches if value matches the exact or partial source port.
| Destination Address
| Text
| Matches if value matches the exact or partial destination address.
| Destination Port
| Text
| Matches if value matches the exact or partial destination port.
| Signature
| Text
| Matches if value matches the exact or any part of the entire signature.
| Custom
| Boolean
| Matches if value is a custom signature.
| Recommended Action
| Select
| Matches if value is a signature's recommended action.
| System Memory
| Numeric
| Matches if system memory matches this value.
==== Rule Actions ====
When all conditions are met, signatures will be configured into Intrusion Prevention as follows:
{| border="1" cellpadding="2" font="sans-serif" style="border-collapse: collapse;"
! style="text-align: left" | Action
! style="text-align: left" | Function
| Recommended
| Each signature will use their specific Recommended Action.  If that Recommended Action is disabled, it will not be enabled at all.
| Enable Log
| Each signature will be enabled to log.
| Enable Block if Recommended is Log
| Only if the signature's Recommended Action is Log will the signature be configured for Block.  Use this for "wide" condition matches like classtype.
| Enable Block
| Each signature will be enabled to block.  Use this for "narrow" matches like sid and gid.
| Disable
| Each signature will be disabled and not used by Intrusion Prevention.
=== Signatures ===
The Signature tab shows the entire database of signatures, both the defaults set provided as well as any custom signatures you may add.
==== Navigation ====
By default, signatures are grouped by classtype and you can expand the groups to view the individual signatures. 
To better find specific signatures, you can use the Filter to select signature fields and the match you're looking for.  The grid view will change to show those signatures matching the filter.
If your filter returned one or more matches, you can create a rule from the filter by clicking Create Rule. 
Mousing over grid cell will show appropriate information related to that cell.  For example, if you mouse over the Rule Action cell, you'll see which rule is affecting this signature.
==== Custom Signatures ====
You may create and maintain your own signatures, but most use the default database.
If you wish to add custom signatures you can do so either by clicking Add.
Alternatively, if you wish to create a new custom signature on an existing signature, you can click Copy then edit that copy.
'''NOTE:''' Don't be tempted to copy a signature to change its Recommended Action.  Create a Rule instead!
=== Variables ===
This tab provides administrators access to Suricata variables. These variables are used in rules to specify criteria for the source and destination of a packet.
Suricata's most important variable is $HOME_NET. $HOME_NET defines the network or networks you are trying to protect - it is computer automatically based on your network configuration - it includes all local networks (including aliases).  Under nearly every circumstance you will want to leave these values as-is.
Using the Add button, custom variables can be added. Adding variables may be used by users adding their own rules.This should only be attempted by advanced users with a strong knowledge of Suricata signature creation.
== Updates ==
The signature database is checked automatically every night.  Updates are typically released 2-3 times week.
The signature database does not affect custom signatures.
New signatures will be integrated into Intrusion Prevention according to defined rules.
== Reports ==
{{:Intrusion Prevention Reports}}
== All Events ==
The All Events report shows all enabled signature matches found by Intrusion Prevention.
If there are signatures that are currently set to an action of Log and you determine the signature should in fact be Block, you can click the Block button on the far right.
The Block button is disabled for any signature that is already blocked. 
== Related Topics ==
[http://en.wikipedia.org/wiki/Intrusion_prevention_system Intrusion Prevention Systems]
[https://suricata.readthedocs.io/en/suricata-3.2.1/rules/index.html Suricata - Writing Suricata Signatures]
== Intrusion Prevention FAQs ==
{{:Intrusion Prevention FAQs}}

Latest revision as of 20:57, 13 November 2018