Intrusion Prevention
From UntangleWiki
About Intrusion Prevention
Intrusion Prevention is an intrusion detection (ID) system that intercepts all traffic and detects malicious activity on the network, on individual computers, or both. To detect malicious activity, Intrusion Prevention uses signature detection, a method that draws upon a database of known attack patterns.
Intrusion Prevention's interception of malicious activity has no impact on system performance and is transparent to users, with the exception of the malicious user. If Intrusion Prevention detects malicious activity, it terminates the session carrying that activity.
Intrusion Prevention is pre-configured with reasonable defaults. Therefore, Intrusion Prevention does not require much customization, though you can change these defaults or add your own rules, as described in Blocking or Logging an Intrusion Prevention Rule.
Blocking or Logging an Intrusion Prevention Rule
Intrusion Prevention provides a list of rules (signatures) that you can block, log, or ignore. To make things easy for you, Untangle evaluated each rule across numerous networks and determined the appropriate default settings for each rule using the following criteria:
- If the rule is always known to block malicious exploits, Intrusion Prevention blocks and logs this rule by default.
- If the rule is sometimes known to block malicious exploits, Intrusion Prevention logs this rule by default.
- If the rule is never known to block malicious exploits, Intrusion Prevention neither blocks nor logs this rule by default.
In most cases, you do not need to change the default settings. You should only need to disable a rule if that rule blocks traffic from a specific software application that you must use.
- If you block a rule, Intrusion Prevention enables the rule and blocks traffic that matches the rule signature.
- If you log a rule, Intrusion Prevention logs traffic that matches the rule signature.
To block or log a rule:
- From Intrusion Prevention, click the Show Settings tab.
- Click the Advanced Settings tab, then click the Rule List tab.
- In the table, select the block or log check box.
- Click the Save Settings button.
Learning More About Signature ID Rules
Intrusion Prevention is based on http://www.snort.org. If you want to learn more about the exploits that Intrusion Prevention blocks or the signature IDs (SIDs) that Intrusion Prevention uses, do one of the following:
- From Intrusion Prevention, click the Show URL button.
- Search for the SID on snort.org's website as shown in Figure, Searching snort.org for SID Rules. A SID is a numeric identifier; you can locate the SID in the SID column of Intrusion Prevention as shown in Figure, Blocking or Logging an Intrusion Prevention Rule.
About Intrusion Prevention Event Logs
Use the following terms and definitions to understand the Intrusion Prevention Event Log:
- timestamp: The time the event took place.
- action: The action that was taken on the traffic. Valid values are block and pass.
- client: The client IP address of the traffic.
- reason for action: The rule that was applied to the traffic.
- server: The intended server IP address of the traffic.
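As an added example (not part of this wiki page or of Untangle's own code), the following script parses records built from the five Event Log fields defined above and summarizes, per rule, how often it blocked versus merely logged (pass), plus which clients were blocked. The key=value line layout, the `reason` key name, and the sample records are constructed assumptions; Untangle's real export format is not described on this page.

```python
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log (NOT a real Untangle export). Each record carries the
# five Event Log fields the page defines: timestamp, action, client,
# reason (for action) and server. IPs come from documentation ranges and the
# SIDs are local-range placeholders.
SAMPLE_LOG = """\
timestamp=2024-01-15T10:01:02 action=block client=192.0.2.10 reason="SID 1000001 constructed rule A" server=198.51.100.5
timestamp=2024-01-15T10:01:09 action=pass client=192.0.2.11 reason="SID 1000002 constructed rule B" server=198.51.100.5
timestamp=2024-01-15T10:02:44 action=block client=192.0.2.10 reason="SID 1000001 constructed rule A" server=198.51.100.7
timestamp=2024-01-15T10:03:17 action=pass client=203.0.113.4 reason="SID 1000002 constructed rule B" server=198.51.100.5
timestamp=2024-01-15T10:05:00 action=block client=203.0.113.4 reason="SID 1000003 constructed rule C" server=198.51.100.9
"""

VALID_ACTIONS = {"block", "pass"}  # the two values the page lists for 'action'
REQUIRED = ("timestamp", "action", "client", "reason", "server")


@dataclass(frozen=True)
class IpsEvent:
    timestamp: str
    action: str
    client: str
    reason: str
    server: str


def parse_event(line: str) -> IpsEvent:
    """Parse one key=value record; quoted values may contain spaces."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"record missing fields {missing}: {line!r}")
    if fields["action"] not in VALID_ACTIONS:  # anything else is malformed
        raise ValueError(f"unexpected action {fields['action']!r}")
    return IpsEvent(**{k: fields[k] for k in REQUIRED})


def load_events(text: str) -> List[IpsEvent]:
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def summarize(events: List[IpsEvent]) -> Dict[str, object]:
    """Per-(rule, action) counts plus the clients that were blocked.
    A rule that only ever 'passes' is log-only; a rule blocking a client you
    trust is the case the page says may justify disabling that rule."""
    per_rule = Counter((e.reason, e.action) for e in events)
    blocked = sorted({e.client for e in events if e.action == "block"})
    return {"per_rule": per_rule, "blocked_clients": blocked}
```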