Network Intrusion (IPS)
Network Intrusion profiles are applied to a Security Rule and perform deep packet inspection of traffic for known and zero-day vulnerability exploits.
The Valtix Network Intrusion engine leverages a Talos database, the commercially managed version of Snort. Updates to the network intrusion database are available with a threat package subscription.
Create IPS Profile
- Navigate to Manage -> Profiles -> Network Threats
- Click Create Intrusion Profile
- Select Network Intrusion
- Provide a name and description
- Select the Talos Ruleset Version
- Check the PCAP box if you want PCAP files for traffic that matches IPS rules. The PCAPs are stored in the PCAP profile associated with the Valtix Gateway
- In the left panel, select a predefined set of rules from Policy, Category and Class Type
- The selected rulesets are added to the Rule Set Details panel on the right side
- You can select a default action for all the rules (defaults to Rule Default from the ruleset). Optionally you can click on the Rule Set and override the action
- You can View rules at the rule set version or at a selected Rule Set level
Rule Event Filtering
Add rule event filtering if a known rule triggers repeatedly.
- Click Add under Rule Event Filtering
- Add a comma separated list of rule ids
- Choose the type as Rate and provide the Number of Events and Time duration
- Choose the type as Sample and provide the Number of Events
TODO: Explain what filtering means clearly
Rules can be suppressed for a specific CIDR or a list of CIDRs.
- Click Rule Suppression and Add
- Provide a comma separated list of IP CIDRs for which you want to suppress the rules
- Provide a comma separated list of rule ids
- Select an action
TODO: the action looks meaningless for rule suppression
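A pre-flight check for the two comma separated suppression fields above, as an added example (not Valtix code). It assumes rule ids are plain numeric Snort SIDs; the function name `check_suppression` and the prefix-length thresholds are this example's own choices.

```python
import ipaddress

# Assumed review thresholds for this example, not Valtix limits.
MIN_PREFIX = {4: 16, 6: 48}

def check_suppression(cidr_field, rule_id_field):
    """Validate the two comma separated fields; return (cidrs, rule_ids, problems)."""
    problems, nets, rule_ids = [], [], []
    for item in (p.strip() for p in cidr_field.split(",")):
        if not item:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(item, strict=True)
        except ValueError as exc:
            problems.append(f"invalid CIDR {item!r}: {exc}")
            continue
        if net in nets:
            problems.append(f"duplicate CIDR {net}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(f"{net} is very broad; the listed rules are suppressed for all of it")
        nets.append(net)
    # Report entries that a wider entry in the same list already covers.
    for a in nets:
        for b in nets:
            if a != b and a.version == b.version and a.subnet_of(b):
                problems.append(f"{a} is already covered by {b}")
    for item in (p.strip() for p in rule_id_field.split(",")):
        if not item:
            continue
        # Assumption: rule ids are plain numeric Snort SIDs.
        if not (item.isascii() and item.isdigit()):
            problems.append(f"invalid rule id {item!r}")
        elif int(item) in rule_ids:
            problems.append(f"duplicate rule id {item}")
        else:
            rule_ids.append(int(item))
    return [str(n) for n in nets], rule_ids, problems

if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    cidrs, ids, problems = check_suppression(
        "10.20.0.0/24, 10.20.0.128/25, 10.1.2.3/24, 0.0.0.0/0",
        "1000001, 1000002, abc, 1000001")
    print("CIDRs:   ", ",".join(cidrs))
    print("Rule ids:", ",".join(map(str, ids)))
    for p in problems:
        print("CHECK:", p)
```

Each reported line is something to resolve before saving the suppression entry, since a mistyped or overly wide CIDR silently removes IPS coverage for more traffic than intended.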
Profile Event Filtering
Profile event filtering is similar to rule event filtering. In this case the filtering is applied to the whole profile instead of the specific rule(s) configured earlier.
Choose the type as Rate or Sample and provide the Number of Events and the time duration.
Associate IPS Profile with a Policy Rule
Check this document to create/edit rules