- Creating a Signature Policy
- Add Rules to Create a New Signature Policy
- Assigning the Signature Policies to a Sensor
Once you have "versions" of rules downloaded (from the Tools menu -> Rule's version) you are then in a position to create a new Signature policy.
Creating a Signature Policy
A Signature policy is a subset or selection of rules derived from one or more "versions" of the rules downloaded.
To create a Signature policy go to the Sensor menu where you have registered sensors, and in the sensor options (right icon) select Signature Policies.
In the interface of Signature policy all policies created so far (in this case none) are shown. To create a new policy, click on New policy.
Next, a window will emerge that gives the information of the new policy to create:
- User owner
- Sources of rules
- Versions available
You must choose the source of rules and the same version from which you create the signatures policy (multiple are allowed).
Policy options rules:
- Show only uncommented rules: If you leave this checked, the Snort rules that are discussed by the supplier are omitted. The rules discussed are rules recommended not to be used unless it is in a controlled manner. Usually they’re old rules that detect threats, experimental rules, rules that can have a high impact on resource consumption, etc. (This option is enabled by default).
- Auto resolve dependencies: automatically resolves dependencies between rules. (Default on).
- Add new rules on update: Add new rules automatically when the rules are updated versions. (This option is disabled by default).
- Block updates available: Locks update rules for this policy. (This option is disabled by default).
Add Rules to Create a New Signature Policy
Once you click on Create Policy you will access the edit menu of policies.
Here you will see, according to different categories and subcategory levels, rules can be used to create your policies. In principle, the number of rules you have is 0. In order to create your policy, select the rules or categories of rules that interest you and assign the appropriate action to create (alert, drop, sdrop, ....) . You can use different actions for each rule or set of rules.
Actions available for each rule or set of rules
- Pass: allows the packet to pass and that the actions of the rules that match don’t apply
- Alert: Reports the packet after inspection by Snort.
- Drop: if the packet matches the rule, it freezes and the user is notified.
- Sdrop (Silent Drop): blocks the packet, but the user isn’t notified.
- Clear: Not applicable actions; clean all shares existing on that rule.
You can change the actions directly in the list of rules or categories, or by selecting the rule and pressing the key in the upper right hand Change action.
Once you have changed the actions of the rules that interest you, the total number of rules will increase, as shown in the following screenshot:
Assigning the Signature Policies to a Sensor
You have created your Signature policy and it’s available to assign to an IPS sensor. To do this, select a sensor from the list in the dropdown menu and select the Signature Policies option. By accessing the policy rules’ interface, you can see the new policy that you’ve created.
To assign the policy to the sensor just press the Assign icon. The selected policy shall be labeled in green. Then click on the Apply Conf button on the top menu. The following screen will appear.
On this screen there is a summary of the changes that you will make. If everything is correct click on Update and you'll be applying the new policy to the sensor.
This process can take several minutes, depending on the number of rules to apply. The whole process will be executed with a background job, which we can see in the menu Tools-> Worker and Job Queue.
Once you have completed the assigning process, this sensor will have the policy applied.