Network Intrusion (IPS)
Network Intrusion profiles are applied to a Security Rule and perform deep packet inspection of traffic for known and zero-day vulnerability exploits.
The Valtix Network Intrusion engine leverages a TALOS database, the commercially managed version of Snort. Updates to the network intrusion database are available with a threat package subscription.
Create IPS Profile
- Navigate to Manage -> Profiles -> Network Threats
- Click Create Intrusion Profile
- Select Network Intrusion
- Provide a name and description
- Click Manual or Automatic mode for Talos Ruleset Version selection
- In Manual mode, select the Talos Ruleset Version from the dropdown. The selected ruleset version is used by the Valtix datapath engine on all gateways that use this profile, and it is not automatically updated to newer ruleset versions.
- In Automatic mode, select how many days to delay the deployment by, after the ruleset version is published by Valtix. New rulesets are published daily by Valtix and the gateways using this profile are automatically updated to the latest ruleset version which is N days or older, where N is the "delay by days" argument selected from the dropdown. For example, if you select to delay the deployment by 5 days on Jan 10, 2021, the Valtix controller will select a ruleset version which was published on Jan 5th or before. Note that Valtix may not publish on some days if our internal testing with that ruleset version fails for some reason.
- Check the PCAP box if you want PCAP files for the IPS-matched traffic. The PCAPs are stored in the PCAP profile associated with the Valtix Gateway.
- In the left panel, select a predefined set of rules from Policy, Category and Class Type
- The selected rulesets are added to the Rule Set Details panel on the right side
- You can select a default action for all the rules (defaults to Rule Default from the ruleset). Optionally you can click on the Rule Set and override the action
- You can View rules at the rule set version or at a selected Rule Set level
Add rule event suppression if a certain rule should be whitelisted for a specific list of CIDRs.
- Click Rule Suppression and Add
- Provide a comma separated list of IP CIDRs for which you want to suppress the rules
- Provide a comma separated list of rule IDs
- Select an action
Events can be suppressed at the event generation source for a list of CIDRs and specific rule IDs, and an Action to be taken can optionally be specified. When the engine detects packets arriving from the CIDRs specified here, the selected rules do not generate any events, irrespective of the actions chosen in the profile or specified by the policy.
The ability to specify an action additionally provides a way to customize the behavior of the specified rules when they match traffic coming from the specified CIDRs. For example, a user can specify that packets arriving from 10.100.2.23/32 should be allowed when matching hypothetical rule 12345, whereas the overall profile DROPS packets that match rule 12345. This means that packets from all IPs other than 10.100.2.23 will be dropped if rule 12345 matches.
If the CIDR is specified as 0.0.0.0/0 in the above example, the behavior is applied to all incoming packets for the rule 12345.
Note: In a future release, the ability to customize the rule action will be separated from Rule Suppression.
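The suppression behavior described above, modeled as an added Python example (this is not Valtix code), with an audit helper that flags entries covering every source address. The function names and the `ALLOW`/`DROP` strings are hypothetical; the model assumes the first matching entry wins and that an entry without an action keeps the profile action while still silencing the event.

```python
import ipaddress

def parse_suppression(cidr_csv, rule_id_csv, action=None):
    """Build one suppression entry from the two comma separated form fields."""
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for c in cidr_csv.split(",") if c.strip()]
    rule_ids = {int(r) for r in rule_id_csv.split(",") if r.strip()}
    return {"nets": nets, "rule_ids": rule_ids, "action": action}

def evaluate(src_ip, rule_id, profile_action, suppressions):
    """Return (action, event_generated) for one rule match.

    Assumptions: the first matching entry wins, and an entry without an
    action keeps the profile action while still silencing the event.
    """
    ip = ipaddress.ip_address(src_ip)
    for s in suppressions:
        if rule_id in s["rule_ids"] and any(ip in n for n in s["nets"]):
            return (s["action"] or profile_action, False)
    return (profile_action, True)

def audit(suppressions):
    """Indexes of entries that cover every source address (prefix length 0)."""
    return [i for i, s in enumerate(suppressions)
            if any(n.prefixlen == 0 for n in s["nets"])]

if __name__ == "__main__":
    # Constructed sample mirroring the 10.100.2.23/32 and rule 12345 example.
    narrow = parse_suppression("10.100.2.23/32", "12345", "ALLOW")
    wide = parse_suppression("0.0.0.0/0", "12345", "ALLOW")
    for src in ("10.100.2.23", "10.100.2.24"):
        print(src, evaluate(src, 12345, "DROP", [narrow]))
    print("203.0.113.9", evaluate("203.0.113.9", 12345, "DROP", [wide]))
    print("entries covering all sources:", audit([narrow, wide]))
```

A suppressed match with an allow action passes traffic without producing an event, so entries returned by `audit` are worth reviewing before they are saved.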
Rule Event Filtering
Add rule event filtering if a known rule repeats/triggers multiple times.
- Click Add under Rule Event Filtering
- Add a comma separated list of rule IDs
- Choose the type as Rate and provide the Number of Events and Time duration
- Choose the type as Sample and provide the Number of Events
If the IPS profile configuration generates a lot of events in the datapath, the Event Filtering module lets you filter events after they are generated but before they are stored and made available in Investigate.
The type Rate limits the event stream to a rate specified as Number of Events per Time Duration. For example, if Number of Events is 50 and Time Duration is 5 seconds, only 10 events per second are stored.
The type Sample allows the user to pick 1 event every Number of Events, dropping all other events. For example, if Number of Events is 10, then we pick 1 event every 10 events and drop the other 9.
Profile Event Filtering
Profile event filtering is similar to rule event filtering. In this case, the filtering is applied to the whole profile instead of to the specific rule(s) configured earlier.
Choose the type as Rate or Sample and provide the Number of Events and the Time Duration.
Associate IPS Profile with a Policy Rule
Check this document to create/edit rules