Configure intrusion prevention rules

Perform the following tasks to configure and work with intrusion prevention rules:

For an overview of the intrusion prevention module, see Block exploit attempts using Intrusion Prevention.

See the list of intrusion prevention rules

The Policies page provides a list of intrusion prevention rules. You can search for intrusion prevention rules, and open and edit rule properties. In the list, rules are grouped by application type, and some rule properties appear in different columns.

The "TippingPoint" column contains the equivalent Trend Micro TippingPoint rule ID. In the Advanced Search for intrusion prevention, you can search on the TippingPoint rule ID. You can also see the TippingPoint rule ID in the list of assigned intrusion prevention rules in the policy and computer editor.

To see the list, click Policies, and then below Common Objects/Rules click Intrusion Prevention Rules.

See information about an intrusion prevention rule

The properties of intrusion prevention rules include information about the rule and the exploit against which it protects.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.

General Information

Details

Clicking New () or Properties () displays the Intrusion Prevention Rule Properties window.

Note the Configuration tab. Intrusion Prevention Rules from Trend Micro are not directly editable through Deep Security Manager. Instead, if the Intrusion Prevention Rule requires (or allows) configuration, those configuration options will be available on the Configuration tab. Custom Intrusion Prevention Rules that you write yourself will be editable, in which case the Rules tab will be visible.

See the list of intrusion prevention rules

The Policies page provides a list of intrusion prevention rules. You can search for intrusion prevention rules, and open and edit rule properties. In the list, rules are grouped by application type, and some rule properties appear in different columns.

The "TippingPoint" column contains the equivalent Trend Micro TippingPoint rule ID. In the Advanced Search for intrusion prevention, you can search on the TippingPoint rule ID. You can also see the TippingPoint rule ID in the list of assigned intrusion prevention rules in the policy and computer editor.

To see the list, click Policies, and then below Common Objects/Rules click Intrusion Prevention Rules.

General Information

  • Application Type: The application type under which this intrusion prevention rule is grouped.
    You can edit application types from this panel. When you edit an application type from here, the changes are applied to all security elements that use it.
  • Priority: The priority level of the rule. Higher priority rules are applied before lower priority rules.
  • Severity: Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as sorting criteria when viewing a list of intrusion prevention rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computer's Asset Value to determine the Ranking of an Event. (See Administration > System Settings > Ranking.)
  • CVSS Score: A measure of the severity of the vulnerability according the National Vulnerability Database.

Identification (Trend Micro rules only)

  • Type: Can be either Smart (one or more known and unknown (zero day) vulnerabilities), Exploit (a specific exploit, usually signature based), or Vulnerability (a specific vulnerability for which one or more exploits may exist).
  • Issued: The date the rule was released. This does not indicate when the rule was downloaded.
  • Last Updated: The last time the rule was modified either locally or during Security Update download.
  • Identifier: The rule's unique identification tag.

See information about the associated vulnerability (Trend Micro rules only)

Rules that Trend Micro provides can include information about the vulnerability against which the rule protects. When applicable, the Common Vulnerability Scoring System (CVSS) is displayed. (For information on this scoring system, see the CVSS page at the National Vulnerability Database.)

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Vulnerabilities tab.

Assign and unassign rules

To apply intrusion prevention rules during agent scans, you assign them to the appropriate policies and computers. When the rule is no longer necessary because the vulnerability has been patched you can unassign the rule.

If you cannot unassign intrusion prevention rules from a Computer editorClosedTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)., it is likely because the rules are currently assigned in a policy. Rules assigned at the policy level must be removed using the Policy editorClosedTo open the Policy editor, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). and cannot be removed at the computer level.

When you make a change to a policy, it affects all computers using the policy. For example, when you unassign a rule from a policy you remove the rule from all computers that are protected by that policy. To continue to apply the rule to other computers, create a new policy for that group of computers. (See Policies, inheritance, and overrides.)

To see the policies and computers to which a rule is assigned, see the Assigned To tab of the rule properties.

  1. Go to the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention > General.
    The list of rules that are assigned to the policy appear in the Assigned Intrusion Prevention Rules list.
  3. Under Assigned Intrusion Prevention Rules, click Assign/Unassign.
  4. To assign a rule, select the check box next to the rule.
  5. To unassign a rule, deselect the check box next to the rule.
  6. Click OK.

Automatically assign updated required rules

Security updates can include new or updated application types and intrusion prevention rules which require the assignment of secondary intrusion prevention rules. Deep Security can automatically assign these rules if they are required. You enable these automatic assignments in the the policy or computer properties.

  1. Go to the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention > Advanced.
  3. To enable the automatic assignments, in the Rule Updates area, select Yes.
  4. Click OK.

Configure event logging for rules

Configure whether events are logged for a rule, and whether to include packet data in the log.

Deep Security can display X-Forwarded-For headers in intrusion prevention events when they are available in the packet data. This information can be useful when the Deep Security Agent is behind a load balancer or proxy. The X-Forwarded-For header data appears in the event's Properties window. To include the header data, include packet data in the log. In addition, rule 1006540 " Enable X-Forwarded-For HTTP Header Logging" must be assigned.

Because it would be impractical to record all packet data every time a rule triggers an event, Deep Security records the data only the first time the event occurs within a specified period of time. The default time is five minutes, however you can change the time period using the "Period for Log only one packet within period" property of a policy's Advanced Network Engine settings. (See Advanced Network Engine Options.)

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. On the General tab, go to the Events area and select the desired options:
    • To disable logging for the rule, select Disable Event Logging.
    • To log an event when a packet is dropped or blocked, select Generate Event on Packet Drop.
    • To include the packet data in the log entry, select Always Include Packet Data.
    • To log several packets that precede and follow the packet that the rule detected, select Enable Debug Mode.Use debug mode only when your support provider instructs you to do so.

Additionally, to include packet data in the log, the policy to which the rule is assigned must allow rules to capture packet data:

  1. On the Policies page, open the policy that is assigned the rule.
  2. Click Intrusion Prevention > Advanced.
  3. In the Event Data area, select Yes.

Generate alerts

Generate an alert when an intrusion prevention rule triggers an event.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab, and in the Alert area select On.
  4. Click OK.

Setting configuration options (Trend Micro rules only)

Some intrusion prevention rules that Trend Micro provides have one or more configuration options such as header length, allowed extensions for HTTP, or cookie length. Some options require you to configure them. If you assign a rule without setting a required option, an alert is generated that informs you about the required option. (This also applies to any rules that are downloaded and automatically applied by way of a Security Update.)

Intrusion prevention rules that have configuration options appear in the Intrusion Prevention Rules list with a small gear over their icon .

Custom intrusion prevention rules that you write yourself include a Rules tab where you can edit the rules.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Configuration tab.
  4. Configure the properties and then click OK.

Schedule active times

Schedule a time during which an intrusion prevention rule is active. Intrusion prevention rules that are active only at scheduled times appear in the Intrusion Prevention Rules page with a small clock over their icon .

With Agent-based protection, schedules use the same time zone as the endpoint operating system. With Agentless protection, schedules use the same time zone as the Deep Security Virtual Appliance..

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab.
  4. In the Schedule area, select New or select a frequency.
  5. Edit the schedule as required.
  6. Click OK.

Exclude from recommendations

Exclude intrusion prevention rules from rule recommendations of recommendation scans.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Optionstab.
  4. In the Recommendations Options area, select Exclude from Recommendations.
  5. Click OK.

Set the context for a rule

Set the context in which the rule is applied.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab.
  4. In the Context area, select New or select a context.
  5. Edit the context as required.
  6. Click OK.

Override the behavior mode for a rule

Set the behavior mode of an intrusion prevention rule to Detect when testing new rules. In Detect mode, the rule creates a log entry prefaced with the words "detect only:" and does not interfere with traffic. Some intrusion prevention rules are designed to operate only in Detect mode. For these rules, you cannot change the behavior mode.

If you disable logging for the rule, the rule activity is not logged regardless of the behavior mode.

For more information about behavior modes, see Use behavior modes to test rules.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Select Detect Only.

Override rule and application type configurations

From a Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). , you can edit an intrusion prevention rule so that your changes apply only in the context of the policy or computer. You can also edit the rule so that the changes apply globally so that the changes affect other policies and computers that are assigned the rule. Similarly, you can configure application types for a single policy or computer, or globally.

  1. Go to the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention.
  3. To edit a rule, right-click the rule and select one of the following commands:
    • Properties: Edit the rule only for the policy.
    • Properties (Global): Edit the rule globally, for all policies and computers.
  4. To edit the application type of a rule, right-click the rule and select one of the following commands:
    • Application Type Properties: Edit the application type only for the policy.
    • Application Type Properties (Global): Edit the application type globally, for all policies and computers.
  5. Click OK.

When you select the rule and click Properties, you are editing the rule only for the policy that you are editing.

You cannot assign one port to more than eight application types. If they are, the rules will not function on that port.

Export and import rules

You can export one or more intrusion prevention rules to an XML or CSV file, and import rules from an XML file.

  1. Click Policies > Intrusion Prevention Rules.
  2. To export one or more rules, select them and click Export > Export Selected to CSV or Export > Export Selected to XML.
  3. To export all rules, click Export > Export to CSV or Export > Export to XML.
  4. To import rules, click New > Import From File and follow the instructions on the wizard.