
  • Intrusion Prevention Rules No Longer Customizable

    Intrusion Prevention is configured with predefined rule sets that contain certain types of signature based on the default recommended action (Log, Block, etc.). I cannot edit these rule sets to fit my environment and I get lots of false positives. For instance, I don't use Apple Quicktime, yet a signature is enabled for Apple Quicktime. I don't use any routers with DDWRT configs, yet those are set to block. These are included in the rule set where the default action is block. I get it that these things are set so anyone can get protection out of the box, but it really makes it bad for those who need to customize the signatures for their environment. Why isn't there a setting for basic usage and another setting for advanced usage which allows the security admin to customize the signatures for their specific environment? This used to be the way it was with Intrusion Prevention years ago, but not anymore, and it is really frustrating.

  • #2
    There's an Add button at the top left-hand corner to create a new rule:
    [Screenshot attachment: image.png]

    …or the Copy button along the right-hand side of the Rules tab that will make an editable copy of any of the default rules. You can customize the copy and disable the default if that fits your environment better.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    How can we make Arista ETM products better?


    • #3
      No, you cannot edit the rule sets that are there, but you can make your own.
      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
      Phone: 866-794-8879 x201
      Email: [email protected]


      • #4
        The reason the default rules were made static is that updating the rules regularly was nearly impossible, trying to determine how to update if the rules were changed. It's better to have regular updates to the rules than the previous model. Like others have said, you can clone the rule and make your edits there.
        Attention: Support and help on the Untangle Forums is provided by
        volunteers and community members like yourself.
        If you need Untangle support please call or email [email protected]


        • #5
          I don't think I explained my issue quite right. So in the signatures tab, each signature belongs to a specific classtype. The rules reference the classtypes and apply the recommended action for the specific rule (enable block, enable log, etc.). For example, the classtype "attempted-admin" currently contains 1644 signatures. Each signature has a recommended action and a rule action. For some signatures, the recommended action and the rule action are disabled. For others, the recommended action is log and the rule action is block. Signatures can have any combination of recommended and rule actions. The rules defined in the rules tab look at a specific classtype and apply the rule action based on the signature's rule action.

          If I am understanding how it all works, let's say for the sake of argument that traffic on the network matches the signature ET WEB_CLIENT Apple Quicktime RTSP Overflow (1), but I don't have any web browsers in my environment with the Apple Quicktime plugin. Since the rule action is block and the recommended action is Log (not disable), and because I have the Critical Priority rule enabled, this traffic will be blocked. The two screenshots below look at the signature I mentioned and the rule in which this signature will be applied if a match occurs.

          [Screenshot attachment: image.png (the signature)]
          [Screenshot attachment: image.png (the rule)]

          So the question then is, since the predefined rules are generic, you are saying that I can disable these rules and write my own and make them more specific to my environment. But what is the best method for ensuring that the rules that will be checked are only those for things I have in my environment? The choices for the rule to check specific conditions are shown in the screenshot below:

          [Screenshot attachment: image.png (rule condition choices)]
          Making a rule by classtype by the examples shown above would create a generic rule to process anything that matches the specific conditions in the rule. I wouldn't know the signature identifier, but I suppose I could write ones on specific ports used by a device or a protocol, or maybe even the contents of the message contain something that matches a device or software I'm using, or even write a custom signature, which is cool that this is an option.

          I hope what I am trying to do makes sense. And thank you all for taking the time to read this!
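A small Python model of the evaluation this post describes (a signature carries a classtype, a recommended action and a rule action; a rule matches on the classtype and applies the signature's rule action), showing why the Quicktime signature ends up blocked under the generic Critical Priority rule and how a disabled default plus an edited copy with an extra exclusion condition changes the outcome. This is an added illustration, not Untangle's code; the SIDs, classtypes, messages and field names are constructed for the example.

```python
from dataclasses import dataclass
# Simplified model of the behaviour described in this thread: rules are evaluated
# in order and the first enabled rule whose conditions match decides what happens.
# Illustration only, not Untangle's engine (field names are assumptions).

@dataclass
class Signature:
    sid: int
    msg: str
    classtype: str
    recommended: str   # "disable" | "log" | "block"
    rule_action: str   # "disable" | "log" | "block"

@dataclass
class Rule:
    name: str
    enabled: bool = True
    classtypes: tuple = ()      # match only these classtypes (empty = any)
    recommended_in: tuple = ()  # match only these recommended actions (empty = any)
    msg_excludes: tuple = ()    # skip signatures whose msg mentions any of these
    action: str = ""            # "" = apply the signature's own rule action

    def matches(self, sig: Signature) -> bool:
        if not self.enabled:
            return False
        if self.classtypes and sig.classtype not in self.classtypes:
            return False
        if self.recommended_in and sig.recommended not in self.recommended_in:
            return False
        return not any(x in sig.msg for x in self.msg_excludes)

def effective_action(sig: Signature, rules: list) -> str:
    """First enabled matching rule wins; a signature no rule touches stays disabled."""
    for rule in rules:
        if rule.matches(sig):
            return rule.action or sig.rule_action
    return "disable"

# Constructed sample signatures (SIDs, classtypes and msgs are made up for the example).
QUICKTIME = Signature(9001, "ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)", "attempted-admin", "log", "block")
DDWRT = Signature(9002, "ET EXPLOIT DD-WRT config access", "attempted-admin", "log", "block")
WEBSHELL = Signature(9003, "ET WEB_SERVER webshell upload", "attempted-admin", "block", "block")
# Out of the box: the generic Critical Priority rule enables the whole classtype.
DEFAULT_RULES = [Rule("Critical Priority", classtypes=("attempted-admin",), recommended_in=("log", "block"))]
# Customized: default rule disabled, an editable copy excludes software not present here.
CUSTOM_RULES = [
    Rule("Critical Priority", enabled=False, classtypes=("attempted-admin",)),
    Rule("Critical Priority (copy)", classtypes=("attempted-admin",),
         recommended_in=("log", "block"), msg_excludes=("Apple Quicktime", "DD-WRT")),
]
```

With the default rule set all three constructed signatures resolve to "block"; with the customized set the Quicktime and DD-WRT signatures fall through to "disable" while the webshell signature is still blocked.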


          • #6
            I too have this same question. I get a lot of the false positives and right now the only way I have to get around it is to create rules above, 1 by 1, that whitelist the false positive. I was assuming I'd just be able to go in and modify the signature itself rather than creating rules to whitelist the false positives. I can't help but think I'm missing something here.