View by inspection profile

Selecting the configuration profile

You can configure up to 10 profiles; by default they are named “IPS_00”, “IPS_01” and so on. These names cannot be changed in this module: rename them in the menu Application protection\Inspection profile (Go to profiles button):

1. Select a profile from the drop-down list.

2. Click on “Edit” and select “Rename”.

3. Change the name of the profile in the field and add a comment if necessary.

4. Click on “Update”.

The renamed profile then appears in the drop-down list of profiles in the Applications and Protections module.

Selecting multiple objects

A multiple selection allows assigning the same action to several alarms at once. Select a run of consecutive alarms with the Shift key, or pick alarms individually by holding down the Ctrl key. Ctrl-clicking an item that is already selected removes it from the selection.

Some column titles carry an icon. Clicking it opens a menu that applies one setting to all the selected alarms (Action, Level, New and Advanced).

Example: Several lines can be deleted at the same time by selecting them with the Ctrl key held down, then by clicking on Delete.


You can perform several actions in the profile:

Applying a model

Several templates configure the alarms of a profile in one go by setting their action (Allow or Block) and their level (Ignore, Minor or Major).

The LOW, MEDIUM and HIGH templates differ mainly in the action assigned to Protections alarms, such as alarms relating to peer-to-peer networks or instant messaging. In all three, Applications alarms allow traffic by default and Malware alarms block it.

The INTERNET template disables alarms that would hinder ordinary use of the internet, usually because they flag bad practices that are too widespread to be prohibited. An example is the alarm raised when a URL contains non-ASCII characters.

By default, profile IPS_01 is based on the INTERNET template, since it is intended for traffic whose source address belongs to a protected network (see Inspection profiles). The other profiles are based on the MEDIUM template, which provides a standard level of security.

INTERNET

This template suits outgoing traffic. Most alarms are set to “Allow” when the traffic concerned does not pose a risk to the internal network.

LOW

The least critical alarms are set to “Allow”.

MEDIUM

This template is a compromise between security and excessively strict blocking; it is applied by default to incoming traffic.

HIGH

Most alarms are set to “Block”.

New alarms

Approve new alarms

If this option is selected, all new alarms (those marked with the New icon) are approved, which validates the action and level assigned to them by default.

Selection

Buttons above the list filter the alarms of the inspection profile by category. Alarms fall into three categories: Applications, Protections and Malware; click the button of the same name to show only that category. The All button clears the filter.

Applications

These alarms are raised when commonly used applications are detected in the traffic. Selecting this category helps prepare an application control policy.

Protections

These alarms are raised by the ASQ scan: they correspond to known attacks that were blocked and to protocol usage that deviates from the RFCs.

Malware

These alarms are based on known signatures of malicious programs and on the suspicious activity patterns that reveal them. Examining the hosts at the source of alarms in this category is recommended.

Search

This field displays only the alarms whose name contains the letters or word entered. Results are filtered instantly, without pressing “Enter”, which makes it easier to narrow down profiles and contexts.

Filter

This list groups the protocols and services covered by alarms into categories. Selecting one displays only the alarms that belong to it:

None

All categories of alarms will be displayed.

BYOD

Traffic generated by mobile devices such as telephones or electronic tablets in bring your own device programs.

Cloud Storage

Applications that offer online data hosting.

E-mail

Online messaging applications.

Game

Online gaming applications.

Communication

Instant messaging, VoIP or videoconferencing applications (Skype, Google Talk etc.).

Multimedia

Image, video or online music sites.

Peer to peer

Direct file sharing between users.

Remote access

Remote PC control.

Social networks

Online community sites.

Web

Other applications.

This list may change when updates are received via Active Update.

The various columns

To display the Signatures, Model and Application profile columns, click on the arrow that appears when you hover over a column title, then tick the corresponding checkboxes in the Columns menu.

Patterns

Number of variants of the attack or the traffic blocked by the signature that raised the alarm.

Model

Model applied to the inspection profile that configures alarms by setting their action and level. Please refer to the previous section Applying a model.

Message

Text describing the alarm and its characteristics.

When an alarm is selected, a Help button appears. It opens a help window describing the alarm and summarizing its action and level.

Application profile

The application profile that contains the alarm, as configured in this inspection profile.

Action

When an alarm is raised, the packet that triggered it is subject to the configured action: you can choose to Allow or Block the traffic that causes this alarm.

Level

Three alarm levels are available: "Ignore", "Minor" and "Major".

New

Shows which alarms are new, marked with the New icon.

Context: id

Alarm name, made up of the protocol context and an identifier (for example HTTP 47).

An icon marks alarms deemed sensitive. Refer to the Sensitive alarm paragraph below for further information.

Advanced

Send an e-mail: an e-mail is sent when this alarm is raised (see the E-mail alerts module), subject to the following conditions:

  • Number of alarms before sending: minimum number of alarms that must be raised within the period defined below before an e-mail is sent.
  • During the period of (seconds): length, in seconds, of the period over which alarms are counted.
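A model of how the two fields above interact, as an added example written for this page and not Stormshield's own implementation: given a list of alarm timestamps and the two field values it returns the moments at which a mail would go out, so you can see that alarms spread more thinly than the period never trigger a mail. The exact counting rule the appliance applies (sliding window, emptied after each mail) is an assumption, and the timestamps are constructed.

```python
"""Added example: model of 'Number of alarms before sending' and 'During the
period of (seconds)'. Written for this page; the exact counting rule used by
the appliance is an assumption (sliding window, emptied after each mail)."""
from collections import deque


def mail_send_times(alarm_times, count, period):
    """Return the alarm timestamps (seconds) at which an e-mail would be sent.

    count  -- Number of alarms before sending (minimum alarms in the window)
    period -- During the period of (seconds) (length of the window)
    Rule modelled: a mail goes out as soon as `count` alarms fall within
    `period` seconds of each other; the window is then emptied so one burst
    produces one mail rather than one per further alarm.
    """
    if count < 1 or period < 0:
        raise ValueError("count must be >= 1 and period >= 0")
    window = deque()  # timestamps of alarms still inside the period
    sent = []
    for t in sorted(alarm_times):
        while window and t - window[0] > period:  # expire alarms older than the period
            window.popleft()
        window.append(t)
        if len(window) >= count:
            sent.append(t)
            window.clear()
    return sent


# Constructed timestamps (seconds from an arbitrary origin), not real logs:
# a burst of five alarms within ten seconds, then three isolated alarms a minute apart.
SAMPLE_ALARM_TIMES = [0, 2, 4, 6, 8, 70, 130, 190]

if __name__ == "__main__":
    print("count=3, period=10  ->", mail_send_times(SAMPLE_ALARM_TIMES, 3, 10))
    print("count=3, period=120 ->", mail_send_times(SAMPLE_ALARM_TIMES, 3, 120))
    print("count=1, period=10  ->", mail_send_times(SAMPLE_ALARM_TIMES, 1, 10))
```

With count=3 and period=10 only the initial burst produces a mail; widening the period to 120 seconds also catches the slower alarms, and count=1 mails on every alarm.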


Place the machine under quarantine: the host that sent the packet which caused the alarm is quarantined, and its traffic blocked, with the following parameter. To remove a host from quarantine, use Stormshield Network Realtime Monitor.

  • for a period of (minutes): duration of the quarantine.


Capture the packet that raised the alarm: the capture can be retrieved when reviewing alarms (Stormshield Network Realtime Monitor or Unified Reporter) and opened with a network analyser such as Wireshark.


QoS applied to traffic: a QoS queue can be applied to the application traffic that raises this alarm. This option therefore allows restricting the bandwidth, or lowering the priority, of the traffic that caused the alarm.

Finally, click on Apply.

Each of the 10 profiles can be configured independently by adjusting the parameters described above.

Sensitive alarm

Setting an alarm's action to Allow stops the protocol scan on the traffic concerned. For this type of alarm you are therefore strongly advised to dedicate a filter rule in Firewall mode (or IDS mode, which still logs) to the affected traffic, rather than setting the alarm to Allow.


Example of a sensitive alarm: HTTP 47

Microsoft IIS (Internet Information Services) accepts, in addition to standard percent-encoding, Microsoft's proprietary "%uXXXX" format for encoding extended characters in URLs. Because this encoding is not a standard, intrusion detection systems that do not decode it cannot detect attacks that use it.

When a user accesses a URL containing a %u-encoded sequence that does not correspond to any valid character, alarm HTTP 47 – Invalid %u encoding char in URL – is raised. As this alarm is considered sensitive, access to the site is blocked.

Applying Allow to an alarm that blocks traffic stops the protocol scan for the whole connection, including the requests that follow.

To remain protected against this type of attack while still allowing access to such servers, dedicate a filter rule in Firewall mode (or IDS mode for logs) to the affected traffic instead of setting the sensitive alarm to Allow. As a reminder, Firewall and IDS modes let through all traffic that raises alarms (IDS mode still detects and logs it).
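The decoding step behind this alarm, as an added example written for this page (Python; not Stormshield code): it decodes %uXXXX the way an IIS-aware scanner must, reports sequences that form no valid character (the condition HTTP 47 describes), and shows why a decoder that only knows standard %XX escapes misses a traversal hidden behind %u. The `classify` function and the sample paths are constructed for illustration; the exact set of sequences IIS itself accepts is an assumption (four hex digits forming a character, with surrogate pairs combined).

```python
"""Added example: decode IIS %uXXXX URL encoding and flag invalid sequences.
Written for this page; not Stormshield code. Which %u sequences IIS itself
accepts is an assumption here: valid = four hex digits forming a character
(surrogate pairs combined); invalid = anything else."""
from __future__ import annotations

import re
from urllib.parse import unquote

# A %u token: "%u" plus four hex digits when well formed, a bare "%u" otherwise.
_U_TOKEN = re.compile(r"%[uU](?:[0-9a-fA-F]{4})?")


def standard_decode(path: str) -> str:
    """What a decoder that only knows RFC 3986 %XX escapes sees: %uXXXX is left
    untouched, so a signature written against '../' never matches."""
    return unquote(path)


def _code_unit(m: re.Match):
    """UTF-16 code unit of a well-formed %uXXXX match, None for a bare '%u'."""
    return int(m.group()[2:], 16) if len(m.group()) == 6 else None


def decode_iis_url(path: str) -> tuple[str, list[str]]:
    """Decode a request path the way an IIS-aware scanner must.

    Returns (decoded_path, problems). A problem is recorded for each %u that is
    not followed by four hex digits and for each UTF-16 surrogate without a
    partner, i.e. sequences corresponding to no valid character (HTTP 47).
    Text between %u tokens is decoded with the standard %XX rules.
    """
    tokens = list(_U_TOKEN.finditer(path))
    out: list[str] = []
    problems: list[str] = []
    pos = 0
    k = 0
    while k < len(tokens):
        m = tokens[k]
        out.append(unquote(path[pos:m.start()]))  # plain text before the token
        pos = m.end()
        k += 1
        cu = _code_unit(m)
        if cu is None:
            problems.append(f"malformed %u sequence at offset {m.start()}")
            out.append(m.group())  # keep the raw text; nothing valid to decode
        elif 0xD800 <= cu <= 0xDBFF:  # high surrogate: needs an adjacent low one
            nxt = tokens[k] if k < len(tokens) else None
            lo = _code_unit(nxt) if nxt is not None and nxt.start() == m.end() else None
            if lo is not None and 0xDC00 <= lo <= 0xDFFF:
                out.append(chr(0x10000 + ((cu - 0xD800) << 10) + (lo - 0xDC00)))
                pos = nxt.end()
                k += 1
            else:
                problems.append(f"unpaired high surrogate %u{cu:04X} at offset {m.start()}")
                out.append(m.group())
        elif 0xDC00 <= cu <= 0xDFFF:  # a low surrogate on its own is never a character
            problems.append(f"unpaired low surrogate %u{cu:04X} at offset {m.start()}")
            out.append(m.group())
        else:
            out.append(chr(cu))
    out.append(unquote(path[pos:]))  # plain text after the last token
    return "".join(out), problems


def classify(path: str) -> str:
    """Mirror the decisions the page describes for one request path: an invalid
    %u sequence raises HTTP 47 and blocks; otherwise the *decoded* path is checked."""
    decoded, problems = decode_iis_url(path)
    if problems:
        return "block: HTTP 47 Invalid %u encoding char in URL"
    if "../" in decoded or "..\\" in decoded:
        return "block: directory traversal in decoded URL"
    return "allow"


if __name__ == "__main__":
    # Constructed sample paths, not captured traffic.
    for p in ("/scripts/%u002e%u002e/winnt/system32/cmd.exe",
              "/caf%u00e9.html", "/index.asp?q=%u00zz", "/x%uD83D.html"):
        print(f"{p!r}: standard={standard_decode(p)!r} "
              f"iis={decode_iis_url(p)} -> {classify(p)}")
```

The first sample path is the point of the page's warning: `standard_decode` returns it unchanged, so a `../` signature never fires, while `decode_iis_url` exposes the traversal. A rule in Firewall or IDS mode for the IIS hosts keeps this decoding in the scanner's hands instead of switching it off for the whole connection.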