Intrusion Prevention

From UntangleWiki

Other Links:
Intrusion Prevention Description Page
Intrusion Prevention Screenshots
Intrusion Prevention Forums
Intrusion Prevention Reports
Intrusion Prevention FAQs




About Intrusion Prevention

Intrusion Prevention is an intrusion detection system that detects malicious activity on your network. It uses signature detection, matching traffic against a database of known attack patterns. When traffic matches a signature that is set to Block, the session carrying that traffic is terminated; signatures set only to Log record the match without interrupting the session.

Note: Intrusion Prevention installs but is off by default. When you enable Intrusion Prevention for the first time, you will be presented with a setup wizard. It is highly recommended to complete the wizard and use the recommended configuration. Using a custom configuration and enabling too many signatures may negatively impact your network.

Note: Intrusion Prevention requires at least 2 gigabytes of RAM.

Setup Wizard

Intrusion Prevention includes a setup wizard designed to help you enable an appropriate number of rules for your network by selecting two kinds of rule groupings: classtypes and categories. The more of them you select, the more rules will be enabled.

Again, too many enabled rules may negatively impact your network, so it is highly suggested to use the recommended settings.

Step 1 - Classtypes

Classtypes are a generalized grouping for rules, such as attempts to gain user access or web application attacks. The recommended settings will enable all classtypes with a medium or higher threat level. It is highly suggested to use the recommended setting.

To enable low-level classtypes or to disable any of the recommended ones, choose the Custom radio option. You will see a list of all classtypes and can enable or disable each one to meet your needs.

Step 2 - Categories

Categories are a different rule grouping that can span multiple classtypes, such as VoIP or operating systems. The recommended setting enables only preprocessor_portscan, which is always included. It is highly suggested to use the recommended setting.

To enable other categories, choose the Select by name radio option. You will see a list of all categories and can enable or disable additional categories.


After Step 2 the Intrusion Prevention setup wizard is complete. Based on your selections and the amount of memory in your system, the appropriate Intrusion Prevention rules will automatically be enabled.

Note: You can always re-run the setup wizard at any time using the Run Intrusion Detection/Prevention Setup Wizard button on the Status tab. This is useful to reset back to the recommended settings if you find problems with network performance.
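The selection the two wizard steps perform, written out as an added Python example (this is not Untangle's code and does not claim to be its implementation). The classtype priorities are a subset of Snort's classification.config; treating "medium or higher threat level" as Snort priority 1 or 2, combining the two steps as a union, and modelling the memory limit as a maximum rule count are assumptions made for the example.

```python
"""Rule selection in the spirit of the setup wizard: classtypes chosen by
threat level (step 1), categories added by name (step 2), and the result
fitted to a rule budget. Added example, not Untangle's own code. Assumptions:
"medium or higher" means Snort priority 1 or 2, the two steps combine as a
union, and available memory is modelled as a maximum rule count."""
from collections import namedtuple

Rule = namedtuple("Rule", "sid classtype category")

# Subset of Snort's classification.config: 1 = high, 2 = medium, 3 = low, 4 = very low
CLASSTYPE_PRIORITY = {
    "attempted-admin": 1, "attempted-user": 1, "shellcode-detect": 1,
    "successful-admin": 1, "trojan-activity": 1, "web-application-attack": 1,
    "attempted-dos": 2, "attempted-recon": 2, "bad-unknown": 2,
    "denial-of-service": 2, "misc-attack": 2, "suspicious-login": 2,
    "web-application-activity": 2,
    "icmp-event": 3, "misc-activity": 3, "network-scan": 3, "not-suspicious": 3,
    "protocol-command-decode": 3, "string-detect": 3, "unknown": 3,
    "tcp-connection": 4,
}


def recommended_classtypes(min_priority=2):
    """Step 1, Recommended: every classtype at medium (2) or higher (1)."""
    return {c for c, p in CLASSTYPE_PRIORITY.items() if p <= min_priority}


def select_rules(rules, classtypes, categories, max_rules=None):
    """Enable a rule when its classtype or its category was selected; then, if a
    budget applies, keep the highest-threat rules first so that trimming drops
    low-threat signatures rather than exploit detections."""
    chosen = [r for r in rules if r.classtype in classtypes or r.category in categories]
    chosen.sort(key=lambda r: (CLASSTYPE_PRIORITY.get(r.classtype, 3), r.sid))
    if max_rules is not None:
        chosen = chosen[:max_rules]
    return [r.sid for r in chosen]


# Constructed sample rule set (sids and category names are illustrative)
SAMPLE_RULES = [
    Rule(1000001, "attempted-admin", "exploit"),
    Rule(1000002, "web-application-attack", "web_server"),
    Rule(1000003, "attempted-recon", "scan"),
    Rule(1000004, "misc-activity", "policy"),                # low: off in Recommended
    Rule(1000005, "network-scan", "preprocessor_portscan"),  # low classtype, recommended category
    Rule(1000006, "tcp-connection", "info"),                 # very low
]

if __name__ == "__main__":
    rec = recommended_classtypes()
    print("recommended:", select_rules(SAMPLE_RULES, rec, {"preprocessor_portscan"}))
    print("budget of 3:", select_rules(SAMPLE_RULES, rec, {"preprocessor_portscan"}, max_rules=3))
    print("custom, +misc-activity:", select_rules(SAMPLE_RULES, rec | {"misc-activity"}, set()))
```

The point of sorting by priority before trimming is the one the wizard notes keep making: when a rule set has to be cut down to fit the box, the cut should fall on low-threat noise, not on the exploit signatures you installed the product for.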


Settings

Status

The Status tab simply shows you information about Intrusion Prevention's definitions - there is nothing to configure.

Click the Run Intrusion Detection/Prevention Setup Wizard button to re-run the setup wizard.


Rules

Intrusion Prevention provides a list of rules (signatures) that you can have Untangle Log or Block when traffic matches them. The rules are grouped by classtype and can be searched using the search field at the bottom of the page.


In most cases, you do not need to change the settings configured by the setup wizard. You should only need to disable a rule if it blocks traffic from a particular application that you must use. Simply uncheck Block (and Log, if you wish) and the traffic will no longer be blocked.

The rules are automatically updated using the latest Snort signatures.

  • SID: The signature ID of the rule.
  • Classtype: Snort classtype (grouping) of the rule.
  • Category: Snort category (grouping) for the rule.
  • Msg: Name of the signature.
  • Reference: Links to reference information on the attack the signature will detect (if available).
  • Log/Block: Enable these to log or block traffic matching the signature.
  • Edit: Edit the rule. This is not recommended and should only be attempted by advanced users with a strong understanding of Snort rules. Invalid or poorly written rules will negatively impact network performance.
  • Delete: Delete the rule from the system.


Using the Add button, you can also add your own signatures to the system. This should only be attempted by advanced users with a strong knowledge of Snort signature creation. Adding invalid or poorly written rules will negatively impact network performance.


Variables

This tab provides administrators access to Snort variables. These variables are used in rules to specify criteria for the source and destination of a packet.

Snort's most important variable is $HOME_NET. $HOME_NET defines the network or networks you are trying to protect. It is computed automatically from your network configuration and includes all local networks (including aliases).

Using the Add button, custom variables can be added for use in rules you add yourself. This should only be attempted by advanced users with a strong knowledge of Snort signature creation.
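The Rules tab shows each signature broken into SID, classtype, category, msg and reference, and both the Rules and Variables tabs warn that a badly written custom rule, or one that refers to a variable that does not exist, will hurt the system. The following added Python example (not Untangle's code, and not how the product parses rules internally) does the same decomposition for the rules you plan to add and catches the three problems you would otherwise discover in production: a missing sid or msg, a duplicated sid, and a $VARIABLE not defined on the Variables tab. The rule lines, the category name and the set of defined variables are constructed for the example.

```python
"""Parse Snort rules into the fields shown on the Rules tab and flag what
makes a custom rule unusable before it is added. Added example, not
Untangle's own code; the rules, category and variables are constructed."""
import re
from dataclasses import dataclass, field

# Header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


@dataclass
class Rule:
    sid: int
    msg: str
    classtype: str
    category: str
    references: list = field(default_factory=list)
    variables: set = field(default_factory=set)   # $NAMEs used in the header


def split_options(opts):
    """Split the option body on ';' while honouring double quotes and backslash
    escapes, so a content match that itself contains ';' stays one option."""
    parts, cur, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line, category):
    """Return a Rule for one line of a rule file, or raise ValueError."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line[:60])
    opts, refs = {}, []
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "reference":
            refs.append(val)            # several reference options are allowed
        else:
            opts[key] = val
    if "sid" not in opts or "msg" not in opts:
        raise ValueError("rule lacks sid or msg: %r" % line[:60])
    header = " ".join(m.group("src", "sport", "dst", "dport"))
    return Rule(int(opts["sid"]), opts["msg"], opts.get("classtype", "unknown"),
                category, refs, set(VAR_RE.findall(header)))


def check_rules(lines, category, defined_vars):
    """Parse every rule and collect the problems the Rules tab's Add button would
    otherwise let through. Returns (rules, problems)."""
    rules, problems, seen = [], [], {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rule = parse_rule(line, category)
        except ValueError as exc:
            problems.append(str(exc)); continue
        for var in sorted(rule.variables - set(defined_vars)):
            problems.append("sid %d uses undefined variable $%s" % (rule.sid, var))
        if rule.sid in seen:
            problems.append("sid %d duplicated: %r and %r" % (rule.sid, seen[rule.sid], rule.msg))
            continue
        seen[rule.sid] = rule.msg
        rules.append(rule)
    return rules, problems


# Constructed sample rules; every msg is prefixed CONSTRUCTED to make that obvious.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH version probe"; flow:to_server,established; content:"SSH-"; depth:4; reference:url,example.invalid/ssh; classtype:attempted-recon; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED shellshock header"; flow:to_server,established; content:"() {"; http_header; reference:cve,2014-6271; classtype:web-application-attack; sid:1000002; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $DB_SERVERS 3306 (msg:"CONSTRUCTED MySQL login from outside"; flow:to_server,established; classtype:attempted-user; sid:1000003; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"CONSTRUCTED duplicate sid"; content:"|00 01|"; classtype:misc-activity; sid:1000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED missing sid"; itype:8; classtype:icmp-event;)',
]
DEFINED_VARS = {"HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "HTTP_PORTS"}  # as on the Variables tab

if __name__ == "__main__":
    rules, problems = check_rules(SAMPLE_RULES, "custom", DEFINED_VARS)
    for r in rules:
        print(r.sid, r.classtype, r.category, r.msg, r.references)
    for p in problems:
        print("PROBLEM:", p)
```

Run it against a rule file before pasting rules into the Add dialog: the third sample rule references $DB_SERVERS, which exists nowhere on the Variables tab, the fourth reuses sid 1000001, and the fifth has no sid at all. Each of these is exactly the kind of "invalid or poorly written rule" the page warns about.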

Updates

Rules are automatically updated every night. Any modifications the administrator has made to a rule are kept even when the update changes that rule. New rules are added with the recommended Log action. Rules that an update marks as deleted are removed only if they are not enabled (neither Log nor Block); a deleted rule that you still log or block stays on the system.
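The merge semantics of the nightly update, as an added Python example (not Untangle's code and not its update mechanism): administrator settings survive, new rules arrive with Log only, and rules deleted upstream disappear only when neither Log nor Block is set. The record layout, the edited flag used to represent a rule whose body the administrator changed via Edit, and the sample sids are constructed for the example.

```python
"""Nightly rule-update merge with the semantics described on this page.
Added example, not Untangle's own code; the RuleState layout, the edited
flag and the sample rules are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass
class RuleState:
    text: str
    log: bool = False
    block: bool = False
    edited: bool = False   # administrator changed the rule body via Edit


def merge_update(current, update):
    """current: {sid: RuleState} as configured today.
    update:  {sid: rule text} from the new signature set; a sid missing from
    it was deleted upstream. Returns (merged, summary)."""
    merged = {}
    summary = {"added": 0, "retained": 0, "kept_deleted": 0, "dropped": 0}
    for sid, text in update.items():
        old = current.get(sid)
        if old is None:
            merged[sid] = RuleState(text, log=True)     # new rule: recommended Log action
            summary["added"] += 1
        else:
            # Log/Block are the administrator's and are kept; an edited body is
            # kept too, otherwise the updated body replaces the old one.
            merged[sid] = replace(old, text=old.text if old.edited else text)
            summary["retained"] += 1
    for sid, old in current.items():
        if sid in update:
            continue
        if old.log or old.block:
            merged[sid] = old                             # deleted upstream, still in use
            summary["kept_deleted"] += 1
        else:
            summary["dropped"] += 1                       # deleted upstream, not enabled
    return merged, summary


# Constructed state before the update (msgs are prefixed CONSTRUCTED to make that obvious)
CURRENT = {
    2000001: RuleState('alert tcp any any -> $HOME_NET 445 (msg:"CONSTRUCTED smb probe"; sid:2000001; rev:1;)', log=True),
    2000002: RuleState('alert tcp any any -> $HOME_NET 3389 (msg:"CONSTRUCTED rdp brute"; threshold:type both,track by_src,count 20,seconds 60; sid:2000002; rev:3;)', block=True, edited=True),
    2000003: RuleState('alert udp any any -> $HOME_NET 161 (msg:"CONSTRUCTED snmp public"; sid:2000003; rev:1;)'),
    2000004: RuleState('alert tcp any any -> $HOME_NET 23 (msg:"CONSTRUCTED telnet login"; sid:2000004; rev:1;)', log=True),
}
# Constructed nightly update: 2000001 revised, 2000002 revised, 2000003 and 2000004 deleted, 2000005 new
UPDATE = {
    2000001: 'alert tcp any any -> $HOME_NET 445 (msg:"CONSTRUCTED smb probe"; flow:to_server; sid:2000001; rev:2;)',
    2000002: 'alert tcp any any -> $HOME_NET 3389 (msg:"CONSTRUCTED rdp brute"; sid:2000002; rev:4;)',
    2000005: 'alert tcp $HOME_NET any -> any 4444 (msg:"CONSTRUCTED reverse shell port"; sid:2000005; rev:1;)',
}

if __name__ == "__main__":
    merged, summary = merge_update(CURRENT, UPDATE)
    print(summary)
    for sid, st in sorted(merged.items()):
        print(sid, "log" if st.log else "-", "block" if st.block else "-", st.text[:50])
```

Two consequences worth checking on your own box after an update: a rule you had set to Block and that upstream later deleted is still present and still blocking (sid 2000004 above shows the Log case), and a rule you edited keeps your body and your threshold even though upstream shipped a new revision (sid 2000002). Neither is visible unless you compare the Rules tab before and after.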

Reports

The Reports tab provides a view of all reports and events for all traffic handled by Intrusion Prevention.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further refined using the time selectors and the Conditions window at the bottom of the page. The data used in a report can be obtained from the Current Data window on the right.

Pre-defined report queries:

Report Entry | Description
Intrusion Prevention Summary | A summary of intrusion detection and prevention actions.
Intrusion Detection (all) | The number of detected and blocked intrusions over time.
Intrusion Detection (logged) | The number of detected intrusions over time.
Intrusion Detection (blocked) | The number of blocked intrusions over time.
Top Rules (logged) | The number of intrusions detected, grouped by rule.
Top Rules (blocked) | The number of intrusions blocked, grouped by rule.
Top Classtypes (logged) | The number of intrusions detected, grouped by classtype.
Top Classtypes (blocked) | The number of intrusions blocked, grouped by classtype.
Top Categories (logged) | The number of intrusions detected, grouped by category.
Top Categories (blocked) | The number of intrusions blocked, grouped by category.
Top Source IP Addresses (logged) | The number of intrusions detected, grouped by source IP address.
Top Source IP Addresses (blocked) | The number of intrusions blocked, grouped by source IP address.
Top Source Ports (logged) | The number of intrusions detected, grouped by source port.
Top Source Port (blocked) | The number of intrusions blocked, grouped by source port.
Top Destination IP Addresses (logged) | The number of intrusions detected, grouped by destination IP address.
Top Destination IP Addresses (blocked) | The number of intrusions blocked, grouped by destination IP address.
Top Destination Ports (logged) | The number of intrusions detected, grouped by destination port.
Top Destination Port (blocked) | The number of intrusions blocked, grouped by destination port.
Top Protocols (logged) | The number of intrusions detected, grouped by protocol.
Top Protocols (blocked) | The number of intrusions blocked, grouped by protocol.
All Events | All sessions scanned by Intrusion Prevention.
Blocked Events | All sessions that matched an Intrusion Prevention signature and were blocked.


The tables queried to render these reports:



Related Topics

Intrusion Prevention Systems

Snort - Writing Good Snort Rules

Snort - Writing Snort Rules

Intrusion Prevention FAQs

Is Intrusion Prevention based on an open source project?

Yes, Intrusion Prevention is based on Snort.


Why is there no reference information for a specific rule?

If there is no information link available for a specific rule, you can try searching the rule ID at Snort Rules for more info.


Why aren't most of Intrusion Prevention's rules blocked by default?

Because many rules can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.

You're free to change the action of any rules as you see fit for your network.

Can Intrusion Prevention rules be configured differently on Policy Manager racks?

No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.


Why has Untangle switched to Emerging Threats rules?

We feel they better reflect real-world uses for our customer environments. By default, more are enabled for logging.


Why is this rule set smaller?

A considerable number of rules in the previous rule set were marked as deleted.


How does this affect my IPS deployment?

For most customers who configured Intrusion Prevention through the setup wizard, more rules will be enabled for logging and memory usage will be slightly higher. If you had any rules configured to Block, those settings may have changed because rules were removed.