Difference between revisions of "Intrusion Prevention FAQs"

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Category:FAQs]]
 
[[Category:FAQs]]
 
=== Is Intrusion Prevention based on an open source project? ===
 
=== Is Intrusion Prevention based on an open source project? ===
Yes, Intrusion Prevention is based on [http://www.snort.org Snort].
+
Yes, Intrusion Prevention is based on [http://suricata-ids.org/ Suricata].
  
 +
=== Why is there no reference information for a specific signature? ===
  
=== Why is there no reference information for a specific rule? ===
+
If there is no information link available for a specific signautre, you can try searching the signature ID at [https://rules.emergingthreats.net/open/suricata-2.0/rules/ Suricata Rules] for more info.
  
If there is no information link available for a specific rule, you can try searching the rule ID at [https://www.snort.org/downloads/#rule-downloads Snort Rules] for more info.
+
=== Why aren't most of Intrusion Prevention's signatures blocked by default? ===
  
 +
Because many signatures can block legitimate traffic in addition to malicious exploits we don't enable blocking by default. 
  
=== Why aren't most of Intrusion Prevention's rules blocked by default? ===
+
You're free to change the action of any rule to block signatures as you see fit for your network.
  
Because many rules can block legitimate traffic in addition to malicious exploits we don't enable blocking by default. 
+
=== Can Intrusion Prevention rules be configured differently within different policies? ===
  
You're free to change the action of any rules as you see fit for your network.
+
No. Intrusion Prevention applies to all traffic flowing through NG Firewall so different configurations are not possible.
  
=== Can Intrusion Prevention rules be configured differently on Policy Manager racks? ===
+
=== What is the difference between rule block actions? ===
  
No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.
+
''Enable Block if Recommended is Log'' will only enable a signature to Block if its ''Recommended Action'' is Log.
  
 +
''Enable Block'' will unconditionally set all matching signatures to Block.
  
=== Why has Untangle has switched  to Emerging Threat rules? ===
+
The difference is that a signature's ''Recommended Action'' (almost always either Log or Disabled) is carefully considered by the signature provider.
 +
A rule set to ''Enable Block if Recommended is Log'' will likely set that smaller and "safer" set of signatures to Block whereas ''Enable Block'' will likely set a larger set of signatures with more potential to disrupt legitimate traffic on your network.
  
We feel they better reflect real-world uses for our customer environments.  By default, more are enabled for logging.
+
=== How can I exclude network processing for signatures? ===
  
 +
Create a variable with the network you wish to exclude in standard CIDR format such as 192.168.1.0/24.  If you have multiple networks to exclude, create a comma-separated list surrounded by square brackets such as [192.168.25.1.0/24,10.10.0.0/24].
  
=== Why is this rule set smaller? ===
+
Next, create a rule to match the signatures you wish to exclude.  For Action select Whitelist and then specify the variable you created to either Source or Destination networks.
  
The previous rule set had a considerable amount that was marked deleted.
+
NOTE: Unlike other Rule actions, the Whitelist action doesn't enable logging/blocking for rules.  Signatures affected by Whitelist rules will still be processed by the first matching non-Whitelist Rule.
  
 +
=== How do I extend the HOME_NET variable? ===
  
=== How does this affect my IPS deployment? ===
+
IPS attempts to determine the appropriate HOME_NET based on your network configuration but if a network doesn't appear to be in the list (mouse over the variable), you can either replace the HOME_NET variable value entirely or append to the existing using by leaving the default value and adding a comma separated list of additional CIDR formatted networks such as default,10.10.10.10/32,192.168.2.0/24.
 
 
For most customer who have configured through the IPS Wizard there will be more rules enabled for logging and slightly more memory usage. If you had any rules configured to block, those settings could be changed due to removed rules.
 

Latest revision as of 18:40, 3 May 2022

Is Intrusion Prevention based on an open source project?

Yes, Intrusion Prevention is based on Suricata.

Why is there no reference information for a specific signature?

If there is no information link available for a specific signautre, you can try searching the signature ID at Suricata Rules for more info.

Why aren't most of Intrusion Prevention's signatures blocked by default?

Because many signatures can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.

You're free to change the action of any rule to block signatures as you see fit for your network.

Can Intrusion Prevention rules be configured differently within different policies?

No. Intrusion Prevention applies to all traffic flowing through NG Firewall so different configurations are not possible.

What is the difference between rule block actions?

Enable Block if Recommended is Log will only enable a signature to Block if its Recommended Action is Log.

Enable Block will unconditionally set all matching signatures to Block.

The difference is that a signature's Recommended Action (almost always either Log or Disabled) is carefully considered by the signature provider. A rule set to Enable Block if Recommended is Log will likely set that smaller and "safer" set of signatures to Block whereas Enable Block will likely set a larger set of signatures with more potential to disrupt legitimate traffic on your network.

How can I exclude network processing for signatures?

Create a variable with the network you wish to exclude in standard CIDR format such as 192.168.1.0/24. If you have multiple networks to exclude, create a comma-separated list surrounded by square brackets such as [192.168.25.1.0/24,10.10.0.0/24].

Next, create a rule to match the signatures you wish to exclude. For Action select Whitelist and then specify the variable you created to either Source or Destination networks.

NOTE: Unlike other Rule actions, the Whitelist action doesn't enable logging/blocking for rules. Signatures affected by Whitelist rules will still be processed by the first matching non-Whitelist Rule.

How do I extend the HOME_NET variable?

IPS attempts to determine the appropriate HOME_NET based on your network configuration but if a network doesn't appear to be in the list (mouse over the variable), you can either replace the HOME_NET variable value entirely or append to the existing using by leaving the default value and adding a comma separated list of additional CIDR formatted networks such as default,10.10.10.10/32,192.168.2.0/24.