Define an intrusion prevention rule for use in policies

While firewall policies examine the network and transport layers of a packet (IP, TCP, and UDP, for example), intrusion prevention system (IPS) rules examine payload in the session and application layers of the packet (such as DNS, HTTP, SSL, and SMTP), as well as the sequence of those packets according to those higher-layer protocols. Deep Security Agents scan traffic using IPS rules when you enable and configure IPS with rules. When traffic meets IPS rule match conditions, the agent handles it as a possible or confirmed attack, and performs the action that you have configured: either replacing specifically defined or suspicious byte sequences, to completely dropping packets or resetting the connection.

CPU usage and RAM usage varies by your IPS configuration. To optimize IPS performance on Deep Security Agent, see Performance tips for IPS.

Intrusion Prevention Rule icons:

  • Normal Intrusion Prevention Rules
  • Intrusion Prevention Rules that operate according to a schedule
  • Intrusion Prevention Rules that have configuration options
  • Intrusion Prevention Rules must be configured before use

The Intrusion Prevention Rules page lets you create and manage Intrusion Prevention Rules. From the toolbar or the right-click shortcut menu you can:

  • Create New Intrusion Prevention Rules from scratch ()
  • Import () Intrusion Prevention Rules from an XML file (located under the New menu.)
  • Examine or modify the Properties of an existing Intrusion Prevention Rule ()
  • Duplicate (and then modify) existing Intrusion Prevention Rules ()
  • Delete an Intrusion Prevention Rule ()
  • Export () one or more Intrusion Prevention Rules to an XML or CSV file. (Either export them all using the Export button, or choose from the list to export only those that are selected or displayed.)
  • Add/Remove Columns () columns can be added or removed by clicking Add/Remove Columns. The order in which the columns are displayed can be controlled by dragging them into their new position. Listed items can be sorted and searched by the contents of any column.

Clicking New () or Properties () displays the Intrusion Prevention Rule Properties window.

Note the Configuration tab. Intrusion Prevention Rules from Trend Micro are not directly editable through Deep Security Manager. Instead, if the Intrusion Prevention Rule requires (or allows) configuration, those configuration options will be available on the Configuration tab. Custom Intrusion Prevention Rules that you write yourself will be editable, in which case the Rules tab will be visible.

General Information

  • Name: The name of the Intrusion Prevention Rule.
  • Description: The description of the Intrusion Prevention Rule.
  • Minimum Agent/Appliance Version: The minimum version of the Deep Security Agent/Appliance required to implement this Intrusion Prevention Rule.

Details

  • Application Type: The Application Type this Intrusion Prevention Rule will be grouped under. You can select an existing type, or create a new one.
    You can also edit existing types from this panel. Remember that if you edit an existing Application Type from here, the changes will be applied to all security elements making use of it.
  • Priority: The priority level of the Intrusion Prevention Rule. Higher priority rules are applied before lower priority rules.
  • Severity: Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as sorting criteria when viewing a list of Intrusion Prevention Rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computer's Asset Value to determine the Ranking of an Event. (See Administration > System Settings > Ranking.)
  • CVSS Score: A measure of the severity of the vulnerability according the National Vulnerability Database.
  • Detect Only: Use this checkbox when testing new rules. By checking this box, the rule will create a log entry prefaced with the words "detect only:" but will not interfere with traffic. If you set the "disable logging" checkbox in the next panel (below), the rule's activity will not be logged regardless of whether "Detect Only" is checked or not.
    Some Intrusion Prevention Rules are designed to only operate in "Detect Only" mode and cannot be configured to block traffic. For these rules, the "Detect Only" option will be set and locked so it cannot be changed.

Events

  • Disable Event Logging: Check to disable event logging.
    • Generate Event on Packet Drop: Log when Deep Security drops / blocks a packet because it detected an attack.
    • Always Include Packet Data: Include the packet data with the log entry. This can be useful during forensic analysis and when troubleshooting false positives.
    • Enable Debug Mode: Log multiple packets before and after the packet that triggered the rule. Because this decreases performance while it is enabled, Trend Micro recommends that you enable this option only if your support provider asks.
Deep Security can display X-Forwarded-For headers in Intrusion Prevention events when they are available in the packet data. This information can be useful when the Deep Security Agent is behind a load balancer or proxy. When X-Forwarded-For header data is available, it is displayed in the Event's Properties window. To enable this feature, the "Always Include Packet Data" option must be selected. In addition, rule 1006540 "Enable X-Forwarded-For HTTP Header Logging" must be enabled.

Identification (Displayed for Trend Micro rules only)

  • Type: Can be either Smart (one or more known and unknown (zero day) vulnerabilities), Exploit (a specific exploit, usually signature based), or Vulnerability (a specific vulnerability for which one or more exploits may exist).
  • Issued: The date the Rule was released (not downloaded).
  • Last Updated: The last time the Rule was modified either locally or during Security Update download.
  • Identifier: The rule's unique identifier tag.

Vulnerability (Displayed for Trend Micro rules only)

Displays information about this particular vulnerability. When applicable, the Common Vulnerability Scoring System (CVSS) is displayed. (For information on this scoring system, see the CVSS page at the National Vulnerability Database.)

Configuration (Displayed for Trend Micro rules only)

  • Configuration Options: If the downloaded rule has any configurable options, they will be displayed here. Examples of options might be header length, allowed extensions for http, cookie length, etc. If you apply a rule without setting a required option, an Alert will be triggered telling you which rule on which computer(s) requires configuration. (This also applies to any rules that are downloaded and automatically applied by way of a Security Update.)
Intrusion Prevention Rules that have configuration options are displayed in the Intrusion Prevention Rules page with a small gear over their icon .

View Rules (Available for custom Intrusion Prevention Rules only)

The View Rules button will be available for Intrusion Prevention Rules that have not been marked confidential by Trend Micro. (Contact Trend Micro for information on writing your own Intrusion Prevention Rules.)

Alert

Select whether or not this Intrusion Prevention Rule should trigger an Alert when it is triggered. If you only wish this rule to be active during specific periods, assign a schedule from the list.

Schedule

Select whether the Intrusion Prevention Rule should only be active during a scheduled time.

Intrusion Prevention Rules that are active only at scheduled times are displayed in the Intrusion Prevention Rules page with a small clock over their icon .
With Agent-based protection, schedules use the same time zone as the endpoint operating system. With Agentless protection, schedules use the same time zone as the Deep Security Virtual Appliance. Agentless protection is not available with Deep Security as a Service.

Context

Contexts are a powerful way of implementing different security policies depending on the computer's network environment. You will most often use Contexts to create Policies which apply different Firewall and Intrusion Prevention Rules to computers (usually mobile laptops) depending on whether that computer is in or away from the office.

Contexts are designed to be associated with Firewall and Intrusion Prevention Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied.

To determine a computer's location, Contexts examine the nature of the computer's connection to its domain controller. For more information on Contexts, see Policies > Common Objects > Other > Contexts.

Recommendation Options

Use this option to exclude this Intrusion Prevention Rule from Rule recommendations made after Recommendation Scans.

Assigned To

This tab displays the list of computers and Policies to which this Intrusion Prevention Rule is assigned.