Optimizing The Intrusion Prevention System

Versions 3.0 & 5.0 & 6.0

Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0, 4i Edge 5.0, UTM 6.0, 4i Edge 6.0
Last Update: 21 November 2020

This configuration guide will illustrate how to optimize the IPS engine of the Endian appliance.

Scope: Whatever the infrastructure, an optimized IPS engine allocates its resources correctly and thus improves the performance, speed and response times of Endian systems within a network.

The first step is to enable, update and configure the IPS engine by clicking the gray button (it turns green when enabled). For details see How To Enable & Configure The IPS. After this, all the rules are enabled by default and need to be optimized.

The second step is to identify the components of your infrastructure, define the set of recommended rules to be activated (enabled) and optimized according to your needs, then click the Apply button.

The rules to enable have been classified according to the infrastructure and services in use, and are structured as follows:

Note

The rules shown in bold, together with the default rules, in each section are the ones recommended to be enabled, as described in the second step of this article, based on the infrastructure that is used.

Default security level

For small and medium infrastructures that hold less sensitive or confidential data and information. This is our recommendation for the IPS default security level ruleset:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules

Additional rules

For small and medium infrastructures that hold less sensitive or confidential data and information:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-icmp_info.rules
auto/emerging-inappropriate.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-misc.rules
auto/emerging-telnet.rules
auto/emerging-tor.rules

ActiveX plugin

To be enabled for an infrastructure in which the ActiveX plugin is used in browsers:

auto/3coresec.rules
auto/emerging-activex.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules

Sensitive or confidential data. ISO27001 requirements

To be enabled for medium and large infrastructure which contain sensitive and confidential data and information:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-botcc.portgrouped.rules
auto/emerging-botcc.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-policy.rules
auto/emerging-scan.rules
auto/emerging-shellcode.rules
auto/emerging-trojan.rules
auto/emerging-worm.rules

Chats

To be enabled for an infrastructure in which Chats are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-chat.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules

Temporary security events

To be enabled for medium and large infrastructures that contain sensitive and confidential data or information when a temporary security event has occurred:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-current_events.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules

Web applications and exposed services. ISO27001 requirements

For an infrastructure that contains web servers, web applications and other services publicly exposed to the internet:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-botcc.portgrouped.rules
auto/emerging-botcc.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-exploit.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-policy.rules
auto/emerging-scan.rules
auto/emerging-shellcode.rules
auto/emerging-trojan.rules
auto/emerging-user_agents.rules
auto/emerging-web_client.rules
auto/emerging-web_server.rules
auto/emerging-web_specific_apps.rules
auto/emerging-worm.rules

FTP / TFTP services

To be enabled for an infrastructure in which FTP / TFTP services are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-ftp.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-tftp.rules

Gaming activities

To be enabled for an infrastructure in which gaming activities take place:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-games.rules
auto/emerging-info.rules
auto/emerging-malware.rules

IMAP protocol. ISO27001 requirements

For an infrastructure in which the IMAP protocol and email services are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-imap.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-smtp.rules

Mobile devices. ISO27001 requirements

To be enabled for an infrastructure in which Mobile devices are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-mobile_malware.rules

Netbios protocol

For an infrastructure in which the NetBIOS protocol is used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-netbios.rules

User activities. ISO27001 requirements

Rulesets that will be enabled for an infrastructure in which user activities inside the organization should be monitored and blocked (e.g. torrents):

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-botcc.portgrouped.rules
auto/emerging-botcc.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-p2p.rules
auto/emerging-policy.rules
auto/emerging-scan.rules
auto/emerging-shellcode.rules
auto/emerging-trojan.rules
auto/emerging-worm.rules

POP3 protocol

For an infrastructure in which the POP3 protocol and email services are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-pop3.rules
auto/emerging-smtp.rules

RPC protocol

To be enabled for an infrastructure in which the RPC protocol is used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-rpc.rules

SCADA protocol

To be enabled for an infrastructure in which SCADA protocols are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-scada.rules

SMTP protocol. ISO27001 requirements

Rulesets that will be enabled for an infrastructure in which the SMTP protocol and email services are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-imap.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-pop3.rules
auto/emerging-smtp.rules

SNMP protocol

To be enabled for an infrastructure in which the SNMP protocol is used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-snmp.rules

SQL services

To be enabled for an infrastructure in which SQL services are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-sql.rules

VOIP services

Rulesets that will be enabled for an infrastructure in which VOIP services are used:

auto/3coresec.rules
auto/emerging-attack_response.rules
auto/emerging-ciarmy.rules
auto/emerging-compromised.rules
auto/emerging-dns.rules
auto/emerging-dos.rules
auto/emerging-drop.rules
auto/emerging-dshield.rules
auto/emerging-info.rules
auto/emerging-malware.rules
auto/emerging-voip.rules

Comments

  • Joerg Sievers

    RFE (requested feature enhancement): It is not possible to scan just the number under Services > Intrusion Prevention > Rules, so you need to extract it, e.g. from the console (what I did) with

    grep -rnw '/var/signatures/snort' -e '2012647'

    to find that the rule is in 'emerging-policy.rules' and there I can disable it.

    Would it not be better that the web admin interface could scan it for me? I think it is :)
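Two chores from this guide lend themselves to a small script: merging the recommended rule files for the infrastructure components you selected (the second step of the article), and finding which rule file a given SID lives in so that it can be disabled, which is what the comment above does with grep. The Python below is an added example, not Endian's own tooling. The profile table copies only four of the rulesets listed on this page; the rule files it parses are constructed sample data (SID 2012647 is the one from the comment, but the rule text around it is made up and is not the real Emerging Threats rule), and `load_rule_dir` assumes the signature directory holds plain `*.rules` text files, as the comment's `/var/signatures/snort` path suggests.

```python
"""Merge the recommended rule files for selected infrastructure components,
and locate or disable a rule by SID across Snort/Suricata rule files.
Added example for this guide; not Endian's own code."""
import re
from pathlib import Path

# Recommended rule files per component, copied from this page. Only four of
# the page's profiles are reproduced here; add the others the same way.
DEFAULT_PROFILE = frozenset({
    "auto/3coresec.rules",
    "auto/emerging-attack_response.rules",
    "auto/emerging-ciarmy.rules",
    "auto/emerging-compromised.rules",
    "auto/emerging-dns.rules",
    "auto/emerging-dos.rules",
    "auto/emerging-drop.rules",
    "auto/emerging-dshield.rules",
    "auto/emerging-info.rules",
    "auto/emerging-malware.rules",
})
PROFILES = {
    "default": DEFAULT_PROFILE,
    "ftp": DEFAULT_PROFILE | {"auto/emerging-ftp.rules", "auto/emerging-tftp.rules"},
    "sql": DEFAULT_PROFILE | {"auto/emerging-sql.rules"},
    "voip": DEFAULT_PROFILE | {"auto/emerging-voip.rules"},
}


def files_to_enable(components):
    """Sorted union of the recommended rule files for the selected components.
    The default profile is always included; an unknown name raises ValueError."""
    chosen = set(DEFAULT_PROFILE)
    for name in components:
        if name not in PROFILES:
            raise ValueError(f"unknown infrastructure component: {name}")
        chosen |= PROFILES[name]
    return sorted(chosen)


# Snort/Suricata rule syntax: "<action> <proto> ... ( ...; sid:N; ...)".
# A leading '#' marks a rule as disabled, which is how the web UI (and the
# commenter's manual edit) switches an individual rule off.
ACTIONS = {"alert", "drop", "pass", "reject", "log", "sdrop"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def _rule_sid(line):
    """Return (sid, enabled) if the line is a rule, else None for blanks
    and plain comments."""
    stripped = line.strip()
    body = stripped.lstrip("#").strip()
    tokens = body.split(None, 1)
    if not tokens or tokens[0] not in ACTIONS:
        return None
    match = SID_RE.search(body)
    if not match:
        return None
    return int(match.group(1)), not stripped.startswith("#")


def parse_rules(text):
    """Yield (sid, enabled) for every rule line in a rule file."""
    for line in text.splitlines():
        parsed = _rule_sid(line)
        if parsed:
            yield parsed


def find_sid(rule_files, sid):
    """Return (file name, enabled) for the rule carrying this sid, or None."""
    for name, text in rule_files.items():
        for found, enabled in parse_rules(text):
            if found == sid:
                return name, enabled
    return None


def disable_sid(text, sid):
    """Return the rule file text with the enabled rule for this sid commented out."""
    out = []
    for line in text.splitlines(keepends=True):
        if _rule_sid(line) == (sid, True):
            line = "#" + line
        out.append(line)
    return "".join(out)


def load_rule_dir(path):
    """Read every *.rules file in a directory (assumed to be plain text, as the
    comment's /var/signatures/snort suggests) into {file name: text}."""
    return {p.name: p.read_text(errors="replace") for p in sorted(Path(path).glob("*.rules"))}


# Constructed sample rule files; the rule text is made up for this example.
SAMPLE_FILES = {
    "emerging-policy.rules": (
        "# constructed sample file\n"
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"SAMPLE POLICY telnet client"; flow:to_server; sid:2012647; rev:3;)\n'
        '#alert udp $HOME_NET any -> any 69 (msg:"SAMPLE POLICY tftp get"; sid:2900002; rev:1;)\n'
    ),
    "emerging-sql.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SAMPLE SQL login probe"; flow:to_server; sid:2900003; rev:1;)\n'
    ),
}

if __name__ == "__main__":
    print("files to enable for ftp + sql:", files_to_enable(["ftp", "sql"]))
    print("sid 2012647 lives in:", find_sid(SAMPLE_FILES, 2012647))
```

Run against a real signature directory with `find_sid(load_rule_dir("/var/signatures/snort"), 2012647)`; `disable_sid` returns new file text rather than writing it, so the result can be reviewed before the rule is switched off in the appliance.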