Rules

Overview


Figure 1. Example IDS Profile Rules Page

The IDS Profile Rules page (Fig. 1) allows you to manage IDS Rule Source Subscriptions and IDS Rule enforcement for the selected IDS Profile.

Subscriptions

The Subscriptions tab (Fig. 1) displays the selected company’s list of available IDS Rule Sources and the subscription settings for the selected IDS Profile.

View Rule Source Subscriptions


Figure 2. Example Rule Source Subscriptions List

The Rule Source Subscriptions list (Fig. 2) displays the current subscription settings for the selected IDS Profile and allows you to make changes.

Filters

Keyword

Enter search terms to match in text columns.

Columns

  • Source – name of the IDS Rule Source
  • Last Modified – time since last rule data update applied
  • Last Checked – time since last check for rule data update
  • Version – version of the rule data
  • Rules – number of rules in the rule data
  • Filesize – file size of the rule data, typically in Kilobytes (KB)
  • Default Action – default action to take when a match is detected for a rule in the rule data; when subscribed to the rule source this is an active dropdown for setting the value
  • Subscribed – toggle button for subscribing to or unsubscribing from the rule source

Actions

Subscribe/Unsubscribe

To subscribe to a rule source, click its gray toggle button in the Subscribed column. This will enable the Default Action dropdown for the rule source (see below).

To unsubscribe from a rule source, click its blue toggle button in the Subscribed column. This will display “alert” as the Default Action for the rule source; however, no alerts will be sent for unsubscribed rules.

Set Default Action

After subscribing to a rule source, you can set a Default Action for it. Choose among the following options: “Auto,” “Alert,” “Drop,” and “Pass.” Your selection is saved automatically.

  • Auto – allow the IDS/IPS service to choose the action to take when a match is detected
  • Alert – send alerts when a match is detected, but allow the connection/packets to continue normally
  • Drop – drop the connection/packets when a match is detected
  • Pass – allow the connection/packets to continue normally when a match is detected, i.e. take no action

Use recommended subscriptions


Figure 3. “Recommended Subscriptions” Button

Click the “Use Recommended Subscriptions” button below the list (Fig. 3) to use the recommended subscription settings provided by Mako Networks for the available IDS Rule Sources. You will be asked to confirm this action. Click the “OK” button if you are certain that you want to discard any custom settings and reset to the default settings. This will reset all IDS Rule Sources AND all IDS Rules within those sources to the default settings.

Rules


Figure 4. Example Rules Tab

The Rules list on the Rules tab (Fig. 4) allows you to view all rules included in the IDS Rule Sources to which the selected IDS Profile is subscribed and to manage settings for each rule.

View Rules


Figure 5. Example Rules List with Loading Rules Message

If there are many rules to display in the Rules list, you may see a message above the list indicating that the rules are still loading (Fig. 5). After the list has completed loading, this message will go away.

The Rules list displays all rules included in the IDS Rule Sources to which the selected IDS Profile is subscribed. Changes you make to a rule's settings here supersede the default settings specified for the IDS Rule Source containing the rule.

Filters

Keyword

Enter search terms to match in text columns.

Columns

  • [Edit] – edit button
  • GID – group ID of this rule’s rule source; unique identifier for this rule’s rule source
  • SID – security ID of this rule; unique identifier for this rule
  • Action – action to take when a match is detected for this rule
  • Enabled – enabled/disabled status of this rule
  • Source – name of rule source containing this rule
  • Classification – IDS rule type of this rule
  • Message – descriptive name for this rule

Actions

Edit Rule


Figure 6. Example Edit IDS Rule Form

To edit an existing IDS Rule, click its gear icon button. This will open the Edit IDS Rule form (Fig. 6) in a new window. Make any desired changes, then click the “Save” button.

SID

Displays the unique identifier for this rule.

Revision

Displays the revision number for this rule.

Message

Displays the descriptive name for this rule.

State

Choose either “Enabled” or “Disabled” to specify whether or not this IDS Rule should be enforced for the selected IDS Profile. The IDS Profile must be subscribed to the IDS Rule Source and the IDS Rule must be set to “Enabled” for the rule to be enforced.

Source

Displays the name of the rule source for this rule.

Classification

Displays the IDS rule type of this rule.

Action

Choose among the following options: “Alert,” “Drop,” and “Pass.”

  • Alert – send alerts when a match is detected, but allow the connection/packets to continue normally
  • Drop – drop the connection/packets when a match is detected
  • Pass – allow the connection/packets to continue normally when a match is detected, i.e. take no action

The Action selected here supersedes the default value set for this rule’s IDS Rule Source.

References

Displays an external link to additional information regarding this rule.

Flowbits

Displays the status of the Flowbits plugin for this rule.

Rule

Displays the proper syntax for this rule.

Save Button

Click the “Save” button to save any changes made here.
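The State and Action fields above combine with the Subscribed toggle and Default Action of the rule source to decide what happens on a match. The following sketch is an added example, not Mako Networks code: it models that precedence and flags settings that leave a rule weaker than it appears in the list. The data model (a per-rule action of None meaning "inherit the source default"), the source names, and the GID/SID values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Source:
    name: str
    subscribed: bool
    default_action: str  # "auto", "alert", "drop" or "pass"

@dataclass
class Rule:
    gid: int
    sid: int
    source: str
    enabled: bool
    action: Optional[str] = None  # per-rule override; None = inherit (assumed model)

def effective_action(rule, sources):
    """Return the action applied on a match, or None if the rule is not enforced."""
    src = sources[rule.source]
    # Enforced only when the profile is subscribed to the source AND the rule is enabled.
    if not (src.subscribed and rule.enabled):
        return None
    # The per-rule Action supersedes the source's Default Action.
    return rule.action or src.default_action

def audit(rules, sources):
    """Flag rules whose settings silently reduce enforcement."""
    findings = []
    for r in rules:
        src = sources[r.source]
        if r.enabled and not src.subscribed:
            findings.append((r.gid, r.sid, "enabled but source unsubscribed: not enforced"))
        elif effective_action(r, sources) == "pass" and src.default_action in ("alert", "drop"):
            findings.append((r.gid, r.sid, "pass override weakens source default " + src.default_action))
    return findings

# Constructed sample profile (not real rule sources or SIDs).
SOURCES = {"src-a": Source("src-a", True, "drop"),
           "src-b": Source("src-b", False, "alert")}
RULES = [Rule(1, 1000001, "src-a", True),           # inherits "drop"
         Rule(1, 1000002, "src-a", True, "pass"),   # override weakens "drop"
         Rule(1, 1000003, "src-a", False, "drop"),  # disabled: not enforced
         Rule(2, 1000004, "src-b", True, "drop")]   # source unsubscribed

if __name__ == "__main__":
    for r in RULES:
        print(r.gid, r.sid, effective_action(r, SOURCES))
    for finding in audit(RULES, SOURCES):
        print("FINDING", finding)
```

A source left on "Auto" returns "auto" here, because the IDS/IPS service, not the profile, chooses the action in that case.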
