
Network Intrusion (IPS)

Network Intrusion profiles are attached to a Security Rule and perform deep packet inspection on the traffic that rule matches, looking for known and zero-day vulnerability exploits.

The Valtix Network Intrusion engine uses the Cisco Talos ruleset, the commercially maintained Snort ruleset. Updates to the ruleset are delivered with a threat package subscription.

Create IPS Profile

  1. Navigate to Manage -> Profiles -> Network Threats
  2. Click Create Intrusion Profile
  3. Select Network Intrusion
  4. Provide a name and description
  5. Select the Talos Ruleset Version
  6. Check the box PCAP if you want packet captures of the traffic that matches IPS rules. The captures are stored according to the PCAP profile associated with the Valtix Gateway
  7. In the left panel, select a predefined set of rules from Policy, Category and Class Type
  8. The selected rulesets are added to the Rule Set Details panel on the right side
  9. Select a default action for all the rules (Rule Default, the action defined in the ruleset, is preselected). Optionally, click a Rule Set to override the action for that set
  10. Use View to list the rules for the whole ruleset version or for a selected Rule Set

Rule Event Filtering

Add rule event filtering when a specific rule fires repeatedly (for example, a scanner hitting the same signature thousands of times), to limit how often that rule is reported.

  1. Click Add under Rule Event Filtering
  2. Add a comma separated list of rule ids
  3. Choose the type: Rate (provide the Number of Events and the Time duration) or Sample (provide the Number of Events)

Event filtering does not change which rules match; it limits how many events a matching rule generates, in the same way as Snort event filters. Rate uses the Time duration as a window and the Number of Events as the cap on events reported for the rule within that window. Sample reports one event for every Number of Events matches of the rule.

Rule Suppression

Rules can be suppressed for one or more IP CIDRs, so that the listed rules generate no events for those addresses.

  1. Click Rule Suppression and Add
  2. Provide a comma separated list of IP CIDRs for which you want to suppress the rules
  3. Provide a comma separated list of rule ids
  4. Select an action

TODO: the action looks meaningless for rule suppression

Profile Event Filtering

Profile event filtering is similar to rule event filtering. In this case the filtering is applied to the whole profile instead of specific rule(s) as configured earlier.

Choose the type: Rate (provide the Number of Events and the Time duration) or Sample (provide the Number of Events). The limit then applies to the total number of events the profile reports, whichever rules produced them.

Associate IPS Profile with a Policy Rule

See the Security Rules documentation for creating and editing rules; the Network Intrusion profile is selected there when the rule is created or edited.