Intrusion Prevention FAQs

From UntangleWiki
Revision as of 15:14, 12 November 2018 by Cblaise (talk | contribs) (Why aren't most of Intrusion Prevention's rules blocked by default?)

Jump to: navigation, search

Is Intrusion Prevention based on an open source project?

Yes, Intrusion Prevention is based on Suricata.

Why is there no reference information for a specific signature?

If there is no information link available for a specific signautre, you can try searching the signature ID at Suricata Rules for more info.

Why aren't most of Intrusion Prevention's signatures blocked by default?

Because many signatures can block legitimate traffic in addition to malicious exploits we don't enable blocking by default.

You're free to change the action of any rule to block signatures as you see fit for your network.

Can Intrusion Prevention rules be configured differently on Policy Manager racks?

No. Intrusion Prevention applies to all traffic flowing through Untangle so different configurations are not possible.

Why has Untangle has switched to Emerging Threat rules?

We feel they better reflect real-world uses for our customer environments. By default, more are enabled for logging.

Why is this rule set smaller?

The previous rule set had a considerable amount that was marked deleted.

How does this affect my IPS deployment?

For most customer who have configured through the IPS Wizard there will be more rules enabled for logging and slightly more memory usage. If you had any rules configured to block, those settings could be changed due to removed rules.