Intrusion Prevention

From UntangleWiki


Untangle Server User's Guide


About Intrusion Prevention

Intrusion Prevention is an intrusion detection and prevention system (IDS/IPS) that inspects all traffic passing through the server and detects malicious activity aimed at the network, at individual computers, or at both. To detect malicious activity, Intrusion Prevention uses signature detection, a method that matches traffic against a database of known attack patterns. Because detection is signature based, it only catches attacks for which a signature exists, so keeping the rule set current matters.

Intrusion Prevention inspects traffic in line and is transparent to users, with the exception of the malicious user: if Intrusion Prevention detects malicious activity, it terminates the session that carried it. The inspection adds little overhead in normal operation, although the cost of signature matching grows with the number of enabled rules and the volume of traffic.

Intrusion Prevention is pre-configured with reasonable defaults, so it requires little customization. You can change these defaults or add your own rules, as Blocking or Logging an Intrusion Prevention Rule describes.


Blocking or Logging an Intrusion Prevention Rule

Intrusion Prevention provides a list of rules (signatures), each of which you can set to block, log, or ignore. To make things easy for you, Untangle evaluated each rule on numerous networks and determined its default setting using the following criteria:

  • If the rule is known to match only malicious exploit traffic, Intrusion Prevention blocks and logs it by default.
  • If the rule matches malicious exploits but is also known to match some legitimate traffic, Intrusion Prevention logs it by default, so you can review the matches before deciding to block.
  • If the rule is not known to match malicious exploits on real networks, Intrusion Prevention neither blocks nor logs it by default.

In most cases, you do not need to change the default settings. You should only need to disable a rule (or change it from block to log) if it blocks traffic from a legitimate application that you must use. The Event Log records which rule matched, so identify the rule there before changing it.

  • If you block a rule, Intrusion Prevention enables the rule and terminates (blocks) sessions whose traffic matches the rule signature.
  • If you log a rule, Intrusion Prevention records traffic that matches the rule signature in the Event Log but lets the traffic pass.

To block or log a rule:

  1. From Intrusion Prevention, click the Show Settings tab.
  2. Click the Advanced Settings tab, then click the Rule List tab.
  3. In the table, select the block or log check box for the rule you want to change.
  4. Click the Save Settings button.



Learning More About Signature ID Rules

Intrusion Prevention is based on Snort (http://www.snort.org). To learn more about the exploits that Intrusion Prevention blocks or the signature IDs (SIDs) that Intrusion Prevention uses, do one of the following:

  • From Intrusion Prevention, click the Show URL button.
  • Search http://www.snort.org for the SID shown in the Rule List or in the Event Log.
Figure, Searching snort.org for SID Rules
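The block, log and ignore settings described in Blocking or Logging an Intrusion Prevention Rule, and the SIDs and references this section points you to, all live in the Snort rule text. The following Python is an added example, not Untangle's code, and it does not describe how the product stores its settings; it assumes the usual Snort inline-mode meaning of rule actions (a `drop` rule blocks and logs the session, an `alert` rule only logs, and a rule commented out with `#` is ignored). The sample rules, the SIDs in the local range and the reference URL are all constructed. It parses each rule into its SID, revision, message and references (what you would look up on snort.org) and rewrites the rule list to match a per-SID policy.

```python
"""Map Intrusion Prevention's block / log / ignore settings onto Snort rules.

Added example, not Untangle's code. Assumes Snort inline-mode semantics:
'drop' blocks (and logs), 'alert' only logs, a '#'-commented rule is ignored.
"""
import re

# Constructed sample rule list (not real signatures; local SID range 1000000+).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web exploit attempt"; flow:to_server,established; content:"/cgi-bin/vuln.cgi"; sid:1000001; rev:2; classtype:web-application-attack; reference:url,www.example.com/advisory;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE policy chatty app"; content:"EXAMPLEAPP"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE noisy dns"; sid:1000003; rev:1;)
"""

# Optional '#', the action, the header (protocol, addresses, ports, direction)
# and the option block in parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<header>[^(]+)\((?P<options>.*)\)\s*$'
)

# Setting shown in the Rule List -> Snort action that implements it (assumed mapping).
ACTION_FOR = {'block': 'drop', 'log': 'alert'}


def split_options(options):
    """Split the option block on ';' outside double quotes.

    A plain str.split(';') breaks on content matches that contain an escaped
    ';' (written '\\;' in Snort), so track quotes and backslash escapes.
    """
    parts, buf, in_quote, escape = [], [], False, False
    for ch in options:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == '\\':
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def rule_info(line):
    """Parse one rule line; returns None for blank lines and ordinary comments."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    info = {'enabled': m['disabled'] is None, 'action': m['action'],
            'header': m['header'], 'options': m['options'],
            'sid': None, 'rev': None, 'msg': None, 'references': []}
    for opt in split_options(m['options']):
        key, _, value = opt.partition(':')
        key, value = key.strip(), value.strip()
        if key == 'sid':
            info['sid'] = int(value)
        elif key == 'rev':
            info['rev'] = int(value)
        elif key == 'msg':
            info['msg'] = value.strip('"')
        elif key == 'reference':          # e.g. reference:cve,YYYY-NNNN or reference:url,...
            system, _, ident = value.partition(',')
            info['references'].append((system.strip(), ident.strip()))
    return info


def effective_policy(rules_text):
    """SID -> 'block' | 'log' | 'ignore' as the rule list currently expresses it."""
    result = {}
    for line in rules_text.splitlines():
        info = rule_info(line)
        if info is None or info['sid'] is None:
            continue
        if not info['enabled'] or info['action'] == 'pass':
            result[info['sid']] = 'ignore'
        elif info['action'] in ('drop', 'reject', 'sdrop'):
            result[info['sid']] = 'block'
        else:                               # alert or log: record, let traffic pass
            result[info['sid']] = 'log'
    return result


def apply_policy(rules_text, policy):
    """Rewrite rules whose SID appears in policy; untouched rules keep their state.

    A rule set to 'block' or 'log' is re-enabled if it was commented out.
    """
    out = []
    for line in rules_text.splitlines():
        info = rule_info(line)
        if info is None or info['sid'] not in policy:
            out.append(line)
            continue
        setting = policy[info['sid']]
        body = f"{info['header']}({info['options']})"
        if setting == 'ignore':
            out.append(f"# {info['action']} {body}")
        elif setting in ACTION_FOR:
            out.append(f"{ACTION_FOR[setting]} {body}")
        else:
            raise ValueError(f"unknown setting {setting!r} for sid {info['sid']}")
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(effective_policy(SAMPLE_RULES))
    print(apply_policy(SAMPLE_RULES, {1000001: 'block', 1000002: 'ignore', 1000003: 'log'}))
```

Run as a script it prints the current policy of the sample list and the rewritten list. `rule_info` deliberately leaves unknown options alone, so `classtype`, `flow` and `content` survive a rewrite unchanged; only the action and the leading `#` are touched.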

About Intrusion Prevention Event Logs

Use the following terms and definitions to understand the Intrusion Prevention Event Log:

timestamp: The time the event took place.
action: The action that was taken on the traffic. Valid values are block and pass.
client: The client IP address of the traffic (the side that opened the session).
reason for action: The rule (signature) that matched the traffic and caused the action.
server: The intended server IP address of the traffic.
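The Event Log is where you find out whether a rule is catching an attacker or tripping over a legitimate application. The following Python is an added example, not part of the Untangle documentation or product: it takes the five fields listed above, in a CSV layout that is assumed (the real export format is not described here), over constructed sample records, and assumes 192.168.1.0/24 is the protected network. It flags two patterns: one rule blocking the same client/server pair over and over (typically a legitimate application retrying, a candidate for the log-only setting) and one client seen against many distinct servers within a minute (scanning).

```python
"""Summarise Intrusion Prevention Event Log records.

Added example, not Untangle's code. The CSV layout, every record in SAMPLE_LOG
and the HOME_NET range are constructed assumptions; only the five field names
come from the Event Log description.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HOME_NET = ipaddress.ip_network('192.168.1.0/24')   # assumed protected network

# Constructed sample export; column names follow the Event Log description.
SAMPLE_LOG = """\
timestamp,action,client,reason for action,server
2011-03-01 09:12:01,block,192.168.1.20,EXAMPLE policy chatty app (sid 1000002),203.0.113.10
2011-03-01 09:12:03,block,192.168.1.20,EXAMPLE policy chatty app (sid 1000002),203.0.113.10
2011-03-01 09:12:09,block,192.168.1.20,EXAMPLE policy chatty app (sid 1000002),203.0.113.10
2011-03-01 09:12:20,block,192.168.1.20,EXAMPLE policy chatty app (sid 1000002),203.0.113.10
2011-03-01 09:12:41,block,192.168.1.20,EXAMPLE policy chatty app (sid 1000002),203.0.113.10
2011-03-01 09:13:05,block,198.51.100.7,EXAMPLE web exploit attempt (sid 1000001),192.168.1.10
2011-03-01 09:13:06,block,198.51.100.7,EXAMPLE web exploit attempt (sid 1000001),192.168.1.11
2011-03-01 09:13:07,block,198.51.100.7,EXAMPLE web exploit attempt (sid 1000001),192.168.1.12
2011-03-01 09:13:08,pass,198.51.100.7,EXAMPLE noisy dns (sid 1000003),192.168.1.5
"""


def parse_events(text):
    """Parse the CSV export; timestamps become datetime, addresses ip_address objects."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row['action'] not in ('block', 'pass'):     # the only values the log defines
            raise ValueError(f"unexpected action {row['action']!r}")
        events.append({
            'timestamp': datetime.strptime(row['timestamp'], '%Y-%m-%d %H:%M:%S'),
            'action': row['action'],
            'client': ipaddress.ip_address(row['client']),
            'reason': row['reason for action'],
            'server': ipaddress.ip_address(row['server']),
        })
    return events


def count_by_rule(events):
    """Rule -> how often it blocked and how often it merely logged (pass)."""
    counts = defaultdict(lambda: {'block': 0, 'pass': 0})
    for e in events:
        counts[e['reason']][e['action']] += 1
    return dict(counts)


def noisy_rules(events, min_hits=3):
    """Rules that blocked the same client -> server pair at least min_hits times.

    Repeated blocks of one host talking to one server are the usual sign of a
    legitimate application tripping a rule; review these before an attack hunt.
    Returns (rule, client, server, hits), most frequent first.
    """
    pairs = Counter((e['reason'], e['client'], e['server'])
                    for e in events if e['action'] == 'block')
    hits = [(reason, str(c), str(s), n)
            for (reason, c, s), n in pairs.items() if n >= min_hits]
    return sorted(hits, key=lambda r: -r[3])


def scanning_clients(events, min_servers=3, window=timedelta(minutes=1)):
    """Clients seen (blocked or passed) against min_servers distinct servers within window.

    Logged-only matches count too: a scanner's probes that hit log-only rules
    are still probes. Returns (client, distinct servers, 'internal'|'external').
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e['client']].append(e)
    result = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e['timestamp'])
        best, start = 0, 0
        for end in range(len(evs)):                     # sliding time window
            while evs[end]['timestamp'] - evs[start]['timestamp'] > window:
                start += 1
            best = max(best, len({e['server'] for e in evs[start:end + 1]}))
        if best >= min_servers:
            side = 'internal' if client in HOME_NET else 'external'
            result.append((str(client), best, side))
    return sorted(result, key=lambda r: -r[1])


if __name__ == '__main__':
    ev = parse_events(SAMPLE_LOG)
    print(count_by_rule(ev))
    print(noisy_rules(ev))
    print(scanning_clients(ev))
```

On the sample, the chatty-app rule shows up in `noisy_rules` (one internal host blocked five times to one server, the case the page says may justify switching a rule to log), while `scanning_clients` reports the external address that touched four internal servers in a few seconds; the DNS match that was only logged still counts toward that total.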


Intrusion Prevention FAQs
