View by inspection profile
Selecting the configuration profile
You can configure up to 10 profiles, named by default “IPS_00”, “IPS_01” and so on. These names cannot be modified in the Alarms module; change them in the menu Application protection\Inspection profile (Go to profiles button):
Select a configuration from the drop-down list.
Click on “Edit” and select “Rename”.
Change the name of the profile in the field and add a comment if necessary.
Click on “Update”.
You will see your modified profile in the drop-down list of configurations in the Applications and Protections module.
Selecting multiple objects
A multiple selection allows assigning the same action to several alarms. Select several consecutive alarms using the Shift key, or individual alarms by holding down the Ctrl key. You can also remove an item from an existing selection with the Ctrl key.
Some column titles display an icon. When you click on it, a menu appears and suggests assigning a setting to several selected alarms (Action, Level, New and Advanced).
Example: Several lines can be deleted at the same time by selecting them with the Ctrl key held down, then by clicking on Delete.
You can perform several actions in the profile:
Applying a model
Several templates allow configuring the profile of alarms by defining their action (Allow or Block) and their level (Ignore, Minor or Major).
The templates LOW, MEDIUM and HIGH are distinguished essentially by the action of the Protections alarms, such as alarms relating to peer-to-peer networks or instant messaging. By default, Applications alarms allow traffic and Malware alarms block it.
The INTERNET template disables alarms that may hinder the typical use of the internet, usually due to bad practices that are too common to be prohibited. An example of this is an alarm raised when there is a URL containing non-ASCII characters.
By default, the profile (1) IPS_01 is based on the INTERNET template, since it is intended for traffic with a source address that is part of a protected network (see Inspection profiles). Other profiles are configured based on the MEDIUM template, which ensures a standard level of security.
This configuration is adapted to outgoing traffic. Most alarms are configured with the action “Allow” when they do not pose a risk to the internal network.
The least critical alarms are configured with the action “Allow”.
This template is a compromise between security and excessively strict blocking; it is applied by default to incoming traffic.
Most alarms are set to “Block”.
Approve new alarms
If this option is selected, all new alarms (identified by the new alarm icon) will be accepted. This validates the action and alarm level set by default.
Several buttons allow you to sort the alarms of the inspection profile. These alarms fall under 3 categories: Applications, Protections and Malware. They can be selected by clicking on any of the 3 buttons with the same name. The button All resets the selection.
These alarms are raised when commonly used applications are detected. Selecting this category makes it possible to prepare an application security policy.
These alarms are raised by the ASQ scan: they result from blocked known attacks and the abnormal use of protocols as defined in the RFCs.
These alarms are based on the known signatures of malicious programs, recognized by suspicious types of activity. It is recommended to examine the hosts that are the source of alarms in this category.
This field allows displaying only the alarm(s) containing the letter or word entered. Search results appear instantaneously, in order to filter profiles and contexts more easily, without the need to press “Enter”.
This list contains several protocols and services covered by the alarms. You can sort them and display only the alarms that belong to the following categories:
All categories of alarms will be displayed.
Traffic generated by mobile devices such as telephones or electronic tablets in bring your own device programs.
Applications that offer online data hosting.
Online messaging applications.
Online gaming applications.
Instant messaging, VoIP or videoconference (Skype, Google Talk etc.) applications.
Image, video or online music sites.
Peer to peer
Direct file sharing between users.
Remote PC control.
Online community sites.
This list may be modified by updating it via Active Update.
The various columns
To display the columns Signatures, Model and Application profile, click on the arrow that appears when the mouse is rolled over the title of a column and click on the corresponding checkboxes available in the Columns menu.
Number of variants of the attack or the traffic blocked by the signature that raised the alarm.
Model applied to the inspection profile that configures alarms by setting their action and level. Please refer to the previous section Applying a model.
Text describing the alarm and its characteristics. When an alarm is selected, a Help button will appear. This link opens a help window describing the alarm and summarizing its action and level.
Application profile containing the alarm configured in this inspection profile.
When an alarm is raised, the packet that set off the alarm will be subject to the action configured. You can choose to Allow or Block traffic that causes this alarm.
Three alarm levels are available: "Ignore", "Minor" and "Major".
Allows viewing new alarms, identified by the new alarm icon.
A dedicated icon marks alarms deemed sensitive. Refer to the paragraph below for further information.
Send an e-mail: an e-mail will be sent when this alarm is raised (cf. module E-mail alerts) with the following conditions:
Place the machine under quarantine: the packet that caused the alarm will be blocked with the following parameters. To remove a packet from quarantine, use Stormshield Network Realtime Monitor.
Capture the packet that raised the alarm: this capture can be viewed when checking alarms (Stormshield Network Realtime Manager or Unified Reporter), using a network sniffer such as Wireshark.
QoS applied to traffic: QoS queues can now be applied to any application traffic that generates alarms. This option therefore allows assigning a bandwidth restriction or a lower priority to traffic that caused the alarm to be raised.
Next, click on Apply.
You can configure each of the 10 profiles as you wish by modifying the parameters described above.
The action Allow on an alarm stops the protocol scan on the traffic. You are therefore strongly advised to dedicate a filter rule in Firewall mode (or IDS for logs) to the traffic affected by the alarm instead of setting this type of alarm to Allow.
Example of an HTTP 47 sensitive alarm
Microsoft IIS (Internet Information Server) allows managing the application server by using Microsoft technologies. These web servers accept extended characters encoded in Microsoft’s proprietary "%uXXXX" format. Since this encoding is not a standard, intrusion detection systems cannot detect attacks that use this method.
When a user attempts to access a site with a URL containing this type of encoded character that does not correspond to any valid character, the HTTP 47 alarm (Invalid %u encoding char in URL) will be raised. As this alarm is considered sensitive, access to the site will be blocked.
The Allow action applied to an alarm that blocks traffic stops the protocol scan of this connection (including the requests that follow).
In order to maintain protection from this type of attack while still allowing access to this type of server, it is recommended that you dedicate a filter rule in Firewall mode (or IDS for logs) to the affected traffic instead of setting a sensitive alarm that blocks it to Allow. As a reminder, Firewall and IDS modes allow all types of traffic that raise alarms (with detection for IDS mode).
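To illustrate what the HTTP 47 condition looks like in practice, here is an added example (not Stormshield code) that scans a URL for Microsoft-style %uXXXX sequences and distinguishes a well-formed but non-standard sequence from one that does not correspond to any valid character. It generalizes slightly by also treating a lone UTF-16 surrogate code point as invalid; that rule, and the function name check_u_encoding, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed example, not the appliance's scanner: a minimal re-implementation
# of the condition behind the HTTP 47 alarm "Invalid %u encoding char in URL".
# A %u sequence is well formed only as "%u" followed by exactly four hex digits.
U_SEQ = re.compile(r"%u([0-9A-Fa-f]{0,4})", re.IGNORECASE)


def check_u_encoding(url):
    """Inspect the path and query of `url` for %uXXXX sequences.

    Returns a dict with:
      nonstandard -- True if a well-formed %uXXXX sequence is present
                     (IIS-specific encoding, worth logging even when valid)
      alarm       -- True if a %u sequence is truncated or decodes to a code
                     point that is not a valid character (assumption: lone
                     UTF-16 surrogates D800-DFFF count as invalid)
      findings    -- human-readable list of what was found
    """
    parts = urlsplit(url)
    subject = parts.path + ("?" + parts.query if parts.query else "")
    result = {"nonstandard": False, "alarm": False, "findings": []}
    for m in U_SEQ.finditer(subject):
        digits = m.group(1)
        if len(digits) < 4:
            # "%u" not followed by four hex digits: no character can be decoded
            result["alarm"] = True
            result["findings"].append("truncated sequence %r" % m.group(0))
            continue
        cp = int(digits, 16)
        if 0xD800 <= cp <= 0xDFFF:
            # Surrogate halves are not characters on their own
            result["alarm"] = True
            result["findings"].append("surrogate code point %r" % m.group(0))
            continue
        result["nonstandard"] = True
        result["findings"].append("%s decodes to %r" % (m.group(0), chr(cp)))
    return result


if __name__ == "__main__":
    # Constructed sample URLs: valid %u, truncated %u, surrogate, plain percent-encoding
    for sample in ("http://example.com/index.asp?q=%u00e9",
                   "http://example.com/%u12",
                   "http://example.com/%uD800",
                   "http://example.com/%C3%A9?x=1"):
        print(sample, "->", check_u_encoding(sample))
```

A well-formed %u00e9 is reported as non-standard but raises no alarm, while %u12 and %uD800 trigger the alarm condition.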