Requirements

Assuming that we have an IDS correctly registered in redborder Live or in a cluster. Furthermore, the IDS will be receiving traffic from at least one segment.

Creating Rules

In this HOWTO, it will demonstrate how to create a rule and assign it to the IDS/ IPS that you have registered. It is worth noting that when we have an IDS/IPS installed we will not see traffic in the Intrusion part of the cluster:

 

This is due to the fact that you have not created or applied any rules to the IDS/IPS sensor.

In this HOWTO a rule will be created and applied which will notify the user when a data flow corresponding to the PING command passes through the sensor.

The first thing you must do is verify that you have rules downloaded, activated and updated in the cluster. To do this, you can go to TOOLS -> Rule Versions and ensure that at least one of the boxes is checked. Also, you can force the rule update process by clicking on the Force Rule Update button. This will update the number of useful rules in case one or more new sources have been added:

 

To be sure, you will go to the SENSORS tab, where you can see the IDS sensor that you have installed. You then add a Global Signature policy by clicking on Options -> Global Signature Policies:

 

Next you will click on + New Policy: 

 

You will see a pop-up window where you will fill out a name, you will check the Rule Sources box and click on Create Policy:

 

Now you have a rule set from which to select the actions to be performed:

 

In our case you will click on SERVICES Other Services Rules -> DNS. You will check the DNS box and in Action you will check the alert option.

 

NOTE: If you are using the Community version, there is a limit of a maximum of 3 rules that can be applied.

Screenshot of the Community version of redBorder

 

Once the rule has been selected and the corresponding action applied, then you will go to Options -> Apply Conf.

 

Then, on the screen that appears in the Signature Policies section, you will check Configuration & Signature Set and click the Update button.

 

You will go to Signature Policies again, click on the Assign button and, in the pop-up window that appears, you will click OK: 

 

 

 

Now the rule will appear created in green and you will only have to click on Apply Conf:

 

 

Next, if you go to the IPS tab and if the policy is matched, we will start to see traffic corresponding to the applied rule. An example of the IPS traffic is shown in the next image:

 

 

 

What to do Next?

• How to Create and Connect a Vault Sensor to redBorder
• How to Create and Connect a Flow Sensor to redBorder
• How to Add a Flow Sensor in a Proxy