Follow

redborder IDS Rules

Requirements

Assuming that we have an IDS correctly registered in redborder Live or in a cluster. Furthermore, the IDS will be receiving traffic from at least one segment.

Creating Rules

In this HOWTO, we will demonstrate how to create a rule and assign it to the IDS/ IPS that we have registered. It is worth noting that when we have an IDS/ IPS installed we will not see traffic in the IPS part of the cluster:

 

 

This is due to the fact that we have not created or applied any rules to the IDS/ IPS sensor.

In this HOWTO we are going to create and apply a rule which will notify us when a data flow corresponding to the PING command passes through the sensor.

The first thing we must do is verify that we have rules downloaded, activated and updated in the cluster. To do this, we go to TOOLS -> Rule Versions and ensure that at least one of the boxes is checked:

 

 

To be sure, we will go to the SENSORS tab, where we can see the IDS sensor that we have installed. We then add a Global Signature policy by clicking on Options -> Global Signature Policies:

 

 

Next we will click on + New Policy:

 

 

We will see a pop-up window where we will fill out a name, we will check the Rule Sources box and click on Create Policy:

 

 

Now we have a rule set from which to select the actions to be performed:

 

 

In our case we will click on SERVICES Other Services Rules -> ICMP. We will check the ICMP box and in Action we will check the alert option.

 

 

Then we will go to Options -> Apply Conf.

 

 

Then, on the screen that appears in the Signature Policies section, we will check Configuration & Signature Set and click the Update button.

 

 

We will go to Signature Policies again, click on the Assign button and, in the pop-up window that appears, we will click OK: 

 

 

Now the rule will appear created in green and we will only have to click on Apply Conf:

 

 

Next, if we go to the IPS tab and if the policy is matched we will start to see traffic corresponding to the applied rule. An example of the IPS traffic is shown in the next image:

 

 

 

 

Have more questions? Submit a request

Comments

Powered by Zendesk