Intrusion Prevention

From UntangleWiki


Untangle Server User's Guide


Other Links:
Intrusion Prevention Description Page
Intrusion Prevention Screenshots
Intrusion Prevention Forums
Intrusion Prevention FAQs


About Intrusion Prevention

Intrusion Prevention is an IDS (Intrusion Detection System) that intercepts all traffic and detects malicious activity on the network, on individual computers, or both. To detect malicious activity, Intrusion Prevention uses signature detection, a method that draws upon a database of known attack patterns. Intrusion Prevention's interception of malicious activity does not have any impact on system performance and is transparent to users, with the exception of the malicious user. If Intrusion Prevention detects malicious activity, the session for that activity is terminated.

Intrusion Prevention is pre-configured with reasonable defaults. Because of this it does not require much customization, though you can change these defaults or add your own rules, as Blocking or Logging using Intrusion Prevention Rules shows.


Settings

This section reviews the different settings and configuration options available for Intrusion Prevention.


Status

The Status tab simply shows you information about Intrusion Prevention's definitions - there is nothing to configure.


Rules

Intrusion Prevention provides a list of rules (signatures) that you can block, log, or ignore. To make things easy for you, Untangle evaluated each rule on numerous networks and determined the appropriate default settings for each rule using the following criteria:

  • If the rule is always known to block malicious exploits, Intrusion Prevention blocks and logs this rule by default.
  • If the rule is sometimes known to block malicious exploits, Intrusion Prevention logs this rule by default.
  • If the rule is never known to block malicious exploits, Intrusion Prevention neither blocks nor logs this rule by default.

In most cases, you do not need to change the default settings. You should only need to disable a rule if that rule blocks traffic from a unique software application that you must use.

  • If you block a rule, Intrusion Prevention enables the rule and blocks traffic that matches the rule signature.
  • If you log a rule, Intrusion Prevention logs traffic that matches the rule signature.

To block or log a rule:

  1. From Intrusion Prevention, click the Show Settings tab.
  2. Click the Rules tab.
  3. In the Rules table, select the block check box, the log check box, or both for the rules that you want to block or log.
  4. Click either the OK or Apply button.


About Rule Variables

Intrusion Prevention provides a list of default rules that block exploits. There are also rule variables that provide additional instructions for these rules; these are called Snort variables. They are used in rules to specify criteria for the source and destination of a packet. Snort's most important variable is $HOME_NET, which defines the network or networks you are trying to protect.

Under no circumstances should you change or delete these exceptions. You can add exceptions, but only if you are very familiar with Snort variables and the snort.conf configuration file.

To view rule variables:

  1. From Intrusion Prevention, click the Show Settings button.
  2. Click the Rules tab.
  3. Scroll down to the Variables table. This table contains all the rule exceptions.
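The following Python is an added illustration, not Untangle's or Snort's own code, of how a rule header's source and destination clauses are evaluated once $HOME_NET and $EXTERNAL_NET are resolved. The variable values and rule headers are constructed samples; the parser handles only CIDR lists, $VAR references, any and ! negation. It also shows why the variables should not be narrowed casually: with a too-narrow $HOME_NET, an internal host counts as $EXTERNAL_NET and an "external attacker" rule fires on internal traffic.

```python
import ipaddress

# Constructed sample variable definitions in snort.conf style (not Untangle's
# actual defaults); EXTERNAL_NET is conventionally the complement of HOME_NET.
SAMPLE_VARS = {
    "HOME_NET": "[192.168.1.0/24,10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
}

def parse_addr_spec(spec, variables):
    """Expand a Snort address spec into (negated, networks).

    Supports 'any', '$VAR' references, '[a,b]' lists of CIDRs and a leading '!'.
    networks is None for 'any' (every address). '$VAR' nested inside a list is
    not handled; that is enough for the header styles discussed on this page.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("$"):  # resolve the variable, folding in its own negation
        inner_negated, nets = parse_addr_spec(variables[spec[1:]], variables)
        return negated ^ inner_negated, nets
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]
    return negated, nets

def addr_matches(spec, address, variables=SAMPLE_VARS):
    """True if address satisfies the resolved address spec."""
    negated, nets = parse_addr_spec(spec, variables)
    in_set = True if nets is None else any(ipaddress.ip_address(address) in n for n in nets)
    return in_set != negated

def rule_header_matches(header, src_ip, dst_ip, variables=SAMPLE_VARS):
    """Evaluate a header such as 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80'
    against a packet's source/destination addresses (ports are ignored here)."""
    _action, _proto, src, _sport, direction, dst, _dport = header.split()
    forward = addr_matches(src, src_ip, variables) and addr_matches(dst, dst_ip, variables)
    if direction == "->":
        return forward
    if direction == "<>":  # bidirectional: also accept the reversed pairing
        return forward or (addr_matches(src, dst_ip, variables)
                           and addr_matches(dst, src_ip, variables))
    raise ValueError("unknown direction operator: %s" % direction)
```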


Learning More About Signature ID Rules

Intrusion Prevention is based on http://www.snort.org. If you want to learn more about the exploits that Intrusion Prevention blocks or the signature IDs (SIDs) that Intrusion Prevention uses, do one of the following:

  • From Intrusion Prevention, click the Rules tab, then, for a given rule, click the info link in the info column. A web page launches, providing more information about the exploit.
[Figure: Blocking or Logging an Intrusion Prevention Rule.]
  • If a rule in Intrusion Prevention shows no info in the info column, search for the SID on snort.org's website as shown in Searching snort.org for SID Rules. A SID is a number; you can find it in the id column of Intrusion Prevention.
[Figure: Searching snort.org for SID Rules]


Event Log

Use the following terms and definitions to understand the Intrusion Prevention Event Log:

timestamp: The time the event took place.
action: The action that was taken on the traffic. Valid values are block and pass.
client: The client IP address of the traffic.
reason for action: The rule that was applied to the traffic.
server: The intended server IP address of the traffic.


Related Topics

Intrusion Prevention Systems


Intrusion Prevention FAQs

Why aren't most of Intrusion Prevention's rules blocked by default?

Because most of the rules can block non-malicious traffic in addition to malicious exploits. To make things easy for you, Untangle evaluated each rule on numerous networks and determined the appropriate default settings for each rule using the following criteria:

  • If the rule is always known to block malicious exploits, Intrusion Prevention blocks and logs this rule by default.
  • If the rule is sometimes known to block malicious exploits, Intrusion Prevention logs this rule by default.
  • If the rule is never known to block malicious exploits, Intrusion Prevention neither blocks nor logs this rule by default.

To change the defaults, go to Blocking or Logging using Intrusion Prevention Rules.