Deep Security 11.1 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.
Configure intrusion prevention rules
Perform the following tasks to configure and work with intrusion prevention rules:
- See the list of intrusion prevention rules
- See information about an intrusion prevention rule
- See information about the associated vulnerability (Trend Micro rules only)
- Assign and unassign rules
- Automatically assign updated required rules
- Configure event logging for rules
- Generate alerts
- Setting configuration options (Trend Micro rules only)
- Schedule active times
- Exclude from recommendations
- Set the context for a rule
- Override the behavior mode for a rule
- Override rule and application type configurations
- Export and import rules
- Configure an SQL injection prevention rule
For an overview of the intrusion prevention module, see Block exploit attempts using intrusion prevention.
See the list of intrusion prevention rules
The Policies page provides a list of intrusion prevention rules. You can search for intrusion prevention rules, and open and edit rule properties. In the list, rules are grouped by application type, and some rule properties appear in different columns.
The "TippingPoint" column contains the equivalent Trend Micro TippingPoint rule ID. In the Advanced Search for intrusion prevention, you can search on the TippingPoint rule ID. You can also see the TippingPoint rule ID in the list of assigned intrusion prevention rules in the policy and computer editor.
To see the list, click Policies, and then below Common Objects/Rules click Intrusion Prevention Rules.
See information about an intrusion prevention rule
The properties of intrusion prevention rules include information about the rule and the exploit against which it protects.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
General Information
- Name: The name of the intrusion prevention rule.
- Description: The description of the intrusion prevention rule.
- Minimum Agent/Appliance Version: The minimum version of the Deep Security Agent or ApplianceThe Deep Securty Agent and Deep Security Virtual Appliance are the components that enforce the Deep Security policies that you have defined. Agents are deployed directly on a computer. Appliances are used in VMware vSphere environments to provide agentless protection. They are not available with Deep Security as a Service. required to support this intrusion prevention rule.
Details
Clicking New () or Properties () displays the Intrusion Prevention Rule Properties window.
See the list of intrusion prevention rules
The Policies page provides a list of intrusion prevention rules. You can search for intrusion prevention rules, and open and edit rule properties. In the list, rules are grouped by application type, and some rule properties appear in different columns.
The "TippingPoint" column contains the equivalent Trend Micro TippingPoint rule ID. In the Advanced Search for intrusion prevention, you can search on the TippingPoint rule ID. You can also see the TippingPoint rule ID in the list of assigned intrusion prevention rules in the policy and computer editor.
To see the list, click Policies, and then below Common Objects/Rules click Intrusion Prevention Rules.
General Information
- Application Type: The application type under which this intrusion prevention rule is grouped.
You can edit application types from this panel. When you edit an application type from here, the changes are applied to all security elements that use it.
- Priority: The priority level of the rule. Higher priority rules are applied before lower priority rules.
- Severity: Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as sorting criteria when viewing a list of intrusion prevention rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computer's Asset Value to determine the Ranking of an Event. (See Administration > System Settings > Ranking.)
- CVSS Score: A measure of the severity of the vulnerability according the National Vulnerability Database.
Identification (Trend Micro rules only)
- Type: Can be either Smart (one or more known and unknown (zero day) vulnerabilities), Exploit (a specific exploit, usually signature based), or Vulnerability (a specific vulnerability for which one or more exploits may exist).
- Issued: The date the rule was released. This does not indicate when the rule was downloaded.
- Last Updated: The last time the rule was modified either locally or during Security Update download.
- Identifier: The rule's unique identification tag.
See information about the associated vulnerability (Trend Micro rules only)
Rules that Trend Micro provides can include information about the vulnerability against which the rule protects. When applicable, the Common Vulnerability Scoring System (CVSS) is displayed. (For information on this scoring system, see the CVSS page at the National Vulnerability Database.)
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Click the Vulnerabilities tab.
Assign and unassign rules
To apply intrusion prevention rules during agent scans, you assign them to the appropriate policies and computers. When the rule is no longer necessary because the vulnerability has been patched you can unassign the rule.
If you cannot unassign intrusion prevention rules from a Computer editorTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)., it is likely because the rules are currently assigned in a policy. Rules assigned at the policy level must be removed using the Policy editorTo open the Policy editor, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). and cannot be removed at the computer level.
When you make a change to a policy, it affects all computers using the policy. For example, when you unassign a rule from a policy you remove the rule from all computers that are protected by that policy. To continue to apply the rule to other computers, create a new policy for that group of computers. (See Policies, inheritance, and overrides.)
To see the policies and computers to which a rule is assigned, see the Assigned To tab of the rule properties.
- Go to the Policies page, right-click the policy to configure and click Details.
- Click Intrusion Prevention > General.
The list of rules that are assigned to the policy appear in the Assigned Intrusion Prevention Rules list. - Under Assigned Intrusion Prevention Rules, click Assign/Unassign.
- To assign a rule, select the check box next to the rule.
- To unassign a rule, deselect the check box next to the rule.
- Click OK.
Automatically assign updated required rules
Security updates can include new or updated application types and intrusion prevention rules which require the assignment of secondary intrusion prevention rules. Deep Security can automatically assign these rules if they are required. You enable these automatic assignments in the the policy or computer properties.
- Go to the Policies page, right-click the policy to configure and click Details.
- Click Intrusion Prevention > Advanced.
- To enable the automatic assignments, in the Rule Updates area, select Yes.
- Click OK.
Configure event logging for rules
Configure whether events are logged for a rule, and whether to include packet data in the log.
Because it would be impractical to record all packet data every time a rule triggers an event, Deep Security records the data only the first time the event occurs within a specified period of time. The default time is five minutes, however you can change the time period using the "Period for Log only one packet within period" property of a policy's Advanced Network Engine settings. (See Advanced Network Engine Options.)
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- On the General tab, go to the Events area and select the desired options:
- To disable logging for the rule, select Disable Event Logging.
- To log an event when a packet is dropped or blocked, select Generate Event on Packet Drop.
- To include the packet data in the log entry, select Always Include Packet Data.
- To log several packets that precede and follow the packet that the rule detected, select Enable Debug Mode.Use debug mode only when your support provider instructs you to do so.
Additionally, to include packet data in the log, the policy to which the rule is assigned must allow rules to capture packet data:
- On the Policies page, open the policy that is assigned the rule.
- Click Intrusion Prevention > Advanced.
- In the Event Data area, select Yes.
Generate alerts
Generate an alert when an intrusion prevention rule triggers an event.
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Click the Options tab, and in the Alert area select On.
- Click OK.
Setting configuration options (Trend Micro rules only)
Some intrusion prevention rules that Trend Micro provides have one or more configuration options such as header length, allowed extensions for HTTP, or cookie length. Some options require you to configure them. If you assign a rule without setting a required option, an alert is generated that informs you about the required option. (This also applies to any rules that are downloaded and automatically applied by way of a Security Update.)
Intrusion prevention rules that have configuration options appear in the Intrusion Prevention Rules list with a small gear over their icon .
Custom intrusion prevention rules that you write yourself include a Rules tab where you can edit the rules.
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Click the Configuration tab.
- Configure the properties and then click OK.
Schedule active times
Schedule a time during which an intrusion prevention rule is active. Intrusion prevention rules that are active only at scheduled times appear in the Intrusion Prevention Rules page with a small clock over their icon .
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Click the Options tab.
- In the Schedule area, select New or select a frequency.
- Edit the schedule as required.
- Click OK.
Exclude from recommendations
Exclude intrusion prevention rules from rule recommendations of recommendation scans.
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Click the Optionstab.
- In the Recommendations Options area, select Exclude from Recommendations.
- Click OK.
Set the context for a rule
Set the context in which the rule is applied.
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Click the Options tab.
- In the Context area, select New or select a context.
- Edit the context as required.
- Click OK.
Override the behavior mode for a rule
Set the behavior mode of an intrusion prevention rule to Detect when testing new rules. In Detect mode, the rule creates a log entry prefaced with the words "detect only:" and does not interfere with traffic. Some intrusion prevention rules are designed to operate only in Detect mode. For these rules, you cannot change the behavior mode.
If you disable logging for the rule, the rule activity is not logged regardless of the behavior mode.
For more information about behavior modes, see Use behavior modes to test rules.
The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.
- Click Policies > Intrusion Prevention Rules.
- Select a rule and click Properties.
- Select Detect Only.
Override rule and application type configurations
From a Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). , you can edit an intrusion prevention rule so that your changes apply only in the context of the policy or computer. You can also edit the rule so that the changes apply globally so that the changes affect other policies and computers that are assigned the rule. Similarly, you can configure application types for a single policy or computer, or globally.
- Go to the Policies page, right-click the policy to configure and click Details.
- Click Intrusion Prevention.
- To edit a rule, right-click the rule and select one of the following commands:
- Properties: Edit the rule only for the policy.
- Properties (Global): Edit the rule globally, for all policies and computers.
- To edit the application type of a rule, right-click the rule and select one of the following commands:
- Application Type Properties: Edit the application type only for the policy.
- Application Type Properties (Global): Edit the application type globally, for all policies and computers.
- Click OK.
When you select the rule and click Properties, you are editing the rule only for the policy that you are editing.
Export and import rules
You can export one or more intrusion prevention rules to an XML or CSV file, and import rules from an XML file.
- Click Policies > Intrusion Prevention Rules.
- To export one or more rules, select them and click Export > Export Selected to CSV or Export > Export Selected to XML.
- To export all rules, click Export > Export to CSV or Export > Export to XML.
- To import rules, click New > Import From File and follow the instructions on the wizard.