Network Intrusion (IDS/IPS)¶
Network Intrusion Profiles are a collection of Intrusion Detection and Protection (IDS/IPS) Rules used to evaluate transactions and ensure the traffic is not malicious.
Valtix supports the following IDS/IPS Rule Sets:
| Rule Sets | Description |
|---|---|
| Talos Rules | The Talos Rules are a premium set of Rules from Cisco based on intelligence gathered from real-world investigations, penetration tests and research that provide an advanced level of protection for applications and frameworks |
| Custom Rules | The Custom Rules are a particular set of Rules written by customers that provide a specialized level of protection for custom applications |
Custom Rules¶
A Custom Rules Ruleset containing one or more Rules can be uploaded and used by the Valtix IDS/IPS security engine. The Rules contained within the Ruleset provide the specialized application evaluations a customer requires for their specific applications and frameworks. The Custom Rules included in the IDS/IPS Profile are evaluated before any other Rulesets configured in the IDS/IPS Profile.
When uploading a Custom Rules Ruleset, the file should be a Gzip compressed TAR file with extension .tar.gz. The compressed TAR file will consist of the following files:
- Readme File - File that gives a description of the Ruleset
- Changelog File - File that represents the change history
- Rules Folder - Folder that consists of one or more ModSecurity formatted Rules files. Each file must have the extension .conf. The folder must contain at least one Rule file (cannot be empty). Each file must follow the ModSecurity Rules format guidelines.
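A pre-upload check of that archive layout, added here as an example and not part of Valtix's tooling: it opens the .tar.gz in memory and reports a missing readme or changelog, a rules folder without any .conf file, an empty rule file, and archive paths that would escape the extraction directory. The page fixes no file names, so matching the readme and changelog by name prefix and treating a folder literally called rules as the Rules Folder are assumptions.

```python
from __future__ import annotations
import io
import tarfile


def validate_ruleset_archive(data: bytes) -> list[str]:
    """Return the problems found in a Custom Rules .tar.gz ([] means it looks valid)."""
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:gz")
    except tarfile.TarError as exc:
        return [f"not a gzip-compressed tar file: {exc}"]
    problems: list[str] = []
    found: set[str] = set()   # "readme" / "changelog" once seen
    rule_files = 0
    with tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # Reject paths that would escape the extraction directory.
            if member.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path in archive: {member.name}")
            elif member.isfile():
                base = parts[-1].lower()
                # Assumed naming: the page fixes no file names, so match by prefix
                # and treat any directory called "rules" as the Rules Folder.
                if base.startswith(("readme", "changelog")):
                    found.add("readme" if base.startswith("readme") else "changelog")
                elif len(parts) >= 2 and parts[-2].lower() == "rules":
                    if not base.endswith(".conf"):
                        problems.append(f"non-.conf file in rules folder: {member.name}")
                    elif member.size == 0:
                        problems.append(f"empty rule file: {member.name}")
                    else:
                        rule_files += 1
    problems += [f"missing {n} file" for n in ("readme", "changelog") if n not in found]
    if rule_files == 0:
        problems.append("rules folder has no .conf rule file")
    return problems


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz from {path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```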
Upload Custom IDS/IPS Rules¶
- Navigate to Manage -> Threat Research -> Network Intrusion
- Click the Custom tab
- Click the Import button and upload the Custom Rules Ruleset file
Create IDS/IPS Profile¶
- Navigate to Manage -> Profiles -> Network Threats
- Click Create Intrusion Profile -> Network Intrusion
General Settings¶
- Specify a Profile Name and Description
- Specify the Action
  - Rule Default - Allow or Deny the requests based on the action specified in each triggered Rule and log an Event
  - Allow Log - Allow the requests and log an event
  - Allow No Log - Allow the requests and do not log an event
  - Deny Log - Deny the requests and log an event
  - Deny No Log - Deny the requests and do not log an event
- Specify whether to generate a Threat PCAP file if the IDS/IPS Profile detects malicious activity
Rule Sets¶
Tech Notes
At least one Ruleset from a Rules library (Talos, Custom) is required to be specified in the IDS/IPS Profile.
If Talos Rules and Custom Rules Rulesets are used, at least one of the two must be enabled.
If the desire is to disable the entire IDS/IPS Profile, remove the IDS/IPS Profile from any Policy Ruleset Rules so the IDS/IPS Profile will not be evaluated.
Talos Rules¶
- Specify Disabled, Manual or Automatic*
  - Disabled - Specify whether to disable the use of Talos Rules (see Tech Notes above)
  - Manual - Specify the Talos Rules Version to use
  - Automatic - Specify the number of days from publish date to delay automatic update to the latest Talos Rules version
- Add specific Talos Rules Rulesets to the IDS/IPS Profile
Custom Rules¶
- Specify Disabled, Manual or Automatic*
  - Disabled - Specify whether to disable the use of Custom Rules (see Tech Notes above)
  - Manual - Specify the Custom Rules Version to use
  - Automatic - Specify the number of days from publish date to delay automatic update to the latest Custom Rules version
- Add specific Custom Rules Rulesets to the IDS/IPS Profile
Advanced Settings¶
Rule Suppression¶
Rules can be suppressed for a specific IP or a list of CIDRs
- Click Advanced Settings tab
- Under Rule Suppression click Add
- For Source IP/CIDR List, provide a comma-separated list of IPs or CIDRs
- For Rule ID List, provide a comma-separated list of Rule IDs
- For Action, make a selection; the selection has no effect, since a suppressed Rule is not evaluated at all
Event Filtering¶
To reduce the number of security Events that are generated when the IDS/IPS Profile is triggered, the Event Filtering can be configured to rate limit or sample the Events. The configuration does not alter the detection or protection behavior.
When specifying Type as Rate, the generated Events are rate limited based on the specified Number of Events triggered over a Time evaluation interval (in seconds). For example, if Number of Events is specified as 50 and Time is specified as 5 seconds, only 10 Events per second will be generated.
When specifying Type as Sample, the generated Events are sampled based on the specified Number of Events. For example, if Number of Events is specified as 10, only 1 Event will be generated for every 10 Events triggered.
Profile Event Filtering¶
Profile Event Filtering applies to all Rules that are configured in the IDS/IPS Profile.
- Specify the Type as Rate or Sample
  - Rate - Specify the Number of Events and the Time evaluation interval (in seconds)
  - Sample - Specify the Number of Events
Rule Event Filtering¶
Rule Event Filtering applies to specific Rules that are configured in the IDS/IPS Profile.
- Click Add under Rule Event Filtering
- For Rule ID List, specify a comma-separated list of Rule IDs
- Specify Type as Rate or Sample
  - Rate - Specify the Number of Events and the Time evaluation interval (in seconds)
  - Sample - Specify the Number of Events
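The two filter types and their Profile/Rule scoping, modelled in Python as an added example (not Valtix's implementation): RateFilter counts Events in fixed windows of the Time interval, SampleFilter passes the first of every N, and EventFilterPolicy decides which filter a given Rule ID goes through. Fixed windows and the rule-over-profile precedence are assumptions, since the page specifies neither; the constructed replay shows that the 50-per-5-seconds and 1-in-10 cases from the text come out as 50 and 10 logged Events.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RateFilter:
    """Type = Rate: at most `number` Events per `interval`-second window (fixed windows assumed)."""
    number: int
    interval: float
    _window_start: float = float("-inf")
    _count: int = 0

    def allow(self, ts: float) -> bool:
        if ts - self._window_start >= self.interval:  # interval elapsed: open a new window
            self._window_start, self._count = ts, 0
        self._count += 1
        return self._count <= self.number


@dataclass
class SampleFilter:
    """Type = Sample: generate 1 Event for every `number` Events triggered."""
    number: int
    _seen: int = 0

    def allow(self, ts: float) -> bool:
        self._seen += 1
        return (self._seen - 1) % self.number == 0


class EventFilterPolicy:
    """Profile Event Filtering covers every Rule; Rule Event Filtering covers the Rule IDs it
    lists. Assumed (the page does not say): a listed Rule ID uses its Rule filter instead of
    the Profile filter, and the IDs in one list share one filter instance."""

    def __init__(self, profile: RateFilter | SampleFilter | None,
                 rule_filters: list[tuple[list[int], RateFilter | SampleFilter]] = ()):
        self.profile = profile
        self.by_rule = {rid: f for ids, f in rule_filters for rid in ids}

    def should_log(self, rule_id: int, ts: float) -> bool:
        f = self.by_rule.get(rule_id, self.profile)
        return f.allow(ts) if f is not None else True


def count_logged(policy: EventFilterPolicy, hits: list[tuple[int, float]]) -> int:
    """Replay constructed (rule_id, timestamp) detections; return how many Events get logged."""
    return sum(policy.should_log(rid, ts) for rid, ts in hits)
```

Only the logging is filtered; whether the triggered Rule's Allow or Deny action is applied is unchanged, as the page states.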
Associate the Profile¶
Check this document to create/edit rules