View by inspection profile

Selecting the encryption profile

You can configure up to 10 profiles, bearing by default the names “IPS_00”, “IPS_01” etc. These names cannot be modified in the Alarms module; they are changed in the menu Application protection > Inspection profile (Go to profiles button):

  1. Select a configuration from the drop-down list.
  2. Click on Edit and select Rename.
  3. Change the name of the profile in the field and add a comment if necessary.
  4. Click on Update.

You will see your modified profile in the drop-down list of configurations in the Applications and Protections module.

Selecting multiple objects

A multiple selection allows assigning the same action to several alarms. Select several consecutive alarms using the Shift key, or select them individually by holding down the Ctrl key. You can also remove an item from an existing selection with the Ctrl key.

Some column titles display an icon. When you click on it, a menu appears that suggests assigning a setting to all selected alarms at once (Action, Level, New and Advanced).

Example: Several lines can be deleted at the same time by selecting them with the Ctrl key and pressing Delete.

You can perform several actions in the profile:

Applying a model

Several templates make it possible to configure the profile of alarms by defining their action (Allow or Block) and their level (Ignore, Minor or Major).

The templates LOW, MEDIUM and HIGH differ essentially in the action assigned to Protections alarms, such as alarms relating to peer-to-peer networks or instant messaging. By default, Applications alarms allow traffic and Malware alarms block it.

The INTERNET template disables alarms that may hinder the typical use of the internet, usually because they relate to bad practices that are too common to be prohibited. An example is the alarm raised when a URL contains non-ASCII characters.

By default, the profile (1) IPS_01 is based on the INTERNET template, since it is intended for traffic whose source address is part of a protected network (see Inspection profiles). The other profiles are based on the MEDIUM template, which ensures a standard level of security.

  • Internet: This configuration is adapted to outgoing traffic. Most alarms are configured with the action Allow when they do not pose a risk to the internal network.
  • Low: The least critical alarms are configured with the action Allow.
  • Medium: This template is a compromise between security and excessively strict blocking; it is applied by default to incoming traffic.
  • High: Most alarms are set to Block.

New alarms

Approve new alarms: If this option is selected, all new alarms (represented by an icon in the New column) will be accepted. This validates the action and alarm level set by default.

Selection

There are some buttons that allow you to sort the alarms of the inspection profile. These alarms fall under 3 categories: Applications, Protections and Malware. They can be selected by clicking on any of the 3 buttons with the same name. The button All resets the selection.

  • Applications: This type of alarm is raised when commonly used applications are detected. Selecting this makes it possible to prepare an application security policy.
  • Protections: These alarms are raised by the IPS scan: they result from known attacks that have been blocked and from abnormal use of protocols as defined in the RFCs.
  • Malware: These alarms are based on known signatures of malicious programs, recognized by suspicious types of activity. Examining the hosts at the source of this alarm category is recommended.

Search

This field displays only the alarm(s) containing the letters or word entered. Search results appear instantaneously, so that profiles and contexts can be filtered more easily, without the need to press “Enter”.

Filter

This list contains several protocols and services covered by the alarms. You can sort them and display only the alarms that belong to the following categories:

  • None: All categories of alarms will be displayed.
  • BYOD: Traffic generated by mobile devices such as telephones or electronic tablets in bring your own device programs.
  • Cloud Storage: Applications that offer online data hosting.
  • E-mail address: Online messaging applications.
  • Game: Online gaming applications.
  • Communication: Instant messaging, VoIP or videoconference applications (Skype, Google talk etc.).
  • Multimedia: Image, video or online music sites.
  • Peer to peer: Direct file sharing between users.
  • Remote access: Remote PC control.
  • Social networks: Online community sites.
  • Web: Other applications.

This list may be modified by updating it via Active Update.

The various columns

To display the columns Signatures, Model and Application profile, click on the arrow that appears when the mouse hovers over a column title, then select the corresponding checkboxes in the Columns menu.

  • Patterns: Number of variants of the attack or the traffic blocked by the signature that raised the alarm.
  • Model: Model applied to the inspection profile that configures alarms by setting their action and level. Please refer to the previous chapter Applying a model.
  • Message: Text describing the alarm and its characteristics. When an alarm is selected, a Help button will appear. This link opens a help window describing the alarm and summarizing its action and level.
  • Application profile: Application profile containing the alarm configured in this inspection profile.
  • Action: When an alarm is raised, the configured action will be applied to the packet that set off the alarm. You can choose to Allow or Block traffic that causes this alarm.
  • Level: There are three levels of alarms: "Ignore", "Minor" and "Major".
  • New: Allows viewing new alarms, represented by an icon.
  • Context: id (alarm name). An icon marks alarms deemed sensitive. Refer to the paragraph Sensitive alarm below for further information.
  • Advanced: Send an e-mail: an e-mail will be sent when this alarm is raised (cf. module E-mail alerts) with the following conditions:
      • Number of alarms before sending: minimum number of alarms required before an e-mail is sent, during the period defined hereafter.
      • During the period of (seconds): period in seconds during which alarms have been raised, before an e-mail is sent.
      • Place the machine under quarantine: the packet that caused the alarm will be blocked with the following parameters:
      • for a period of (minutes): duration of the quarantine.
      • QoS applied to traffic: QoS queues can now be applied to any application traffic that generates alarms. This option therefore makes it possible to assign a bandwidth restriction or lower priority to traffic that caused the alarm to be raised.
      • Capture the packet that raised the alarm: this capture can be viewed when checking alarms (Stormshield Network Realtime Manager or Unified Reporter), using a network sniffer such as Wireshark.
      • ACK queue: QoS ACK queues can now be applied to any TCP ACK traffic that generates alarms. This option therefore allows assigning a bandwidth restriction or lower priority to traffic that caused the alarm to be raised.

Next, click on Apply.

Each of the 10 profiles can be configured as you wish by modifying the parameters described above.

Sensitive alarm

The action Allow on an alarm stops the protocol analysis of the traffic. You are therefore strongly advised to dedicate a filter rule in Firewall mode (or IDS for logs) to the traffic affected by the alarm instead of setting this type of alarm to Allow.

Example of an HTTP 47 sensitive alarm

Microsoft IIS (Internet Information Server) makes it possible to manage an application server using Microsoft technologies. Its web server management accepts extended characters encoded in Microsoft’s proprietary "%uXXXX" format. Since this encoding is not a standard, intrusion detection systems cannot detect attacks that use this method.

When a user attempts to access a site with a URL containing this type of encoded character that does not correspond to any valid character, the HTTP 47 alarm "Invalid %u encoding char in URL" will be raised. As this alarm is considered sensitive, access to the site will be blocked.

The Allow action applied to an alarm that blocks traffic stops the protocol analysis of this connection (including requests that follow).

In order to maintain protection from this type of attack while still allowing access to this type of server, it is recommended that you dedicate a filter rule in Firewall mode (or IDS for logs) to the affected traffic instead of setting a sensitive alarm that blocks traffic to Allow. As a reminder, Firewall and IDS modes allow all types of traffic that raise alarms (with detection for IDS mode).
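To illustrate the condition behind the HTTP 47 alarm, the following Python is an added example, not Stormshield code, and makes no claim about how the SNS engine itself implements the check: it locates every "%uXXXX" sequence in a URL and reports whether it denotes a valid character (malformed hex digits and unpaired UTF-16 surrogates count as invalid).

```python
import re

# "%u" optionally followed by exactly 4 hex digits; a "%u" with fewer or
# non-hex digits still matches (group 1 is None) so it can be flagged.
PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})?")


def classify_percent_u(url):
    """Return a list of (sequence, verdict) for each %u occurrence in url.

    verdict is 'valid' for a well-formed sequence denoting a real character
    (a correctly paired UTF-16 surrogate pair is reported as one sequence)
    and 'invalid' for malformed hex or an unpaired surrogate.
    """
    findings = []
    matches = list(PERCENT_U.finditer(url))
    i = 0
    while i < len(matches):
        m = matches[i]
        digits = m.group(1)
        if digits is None:                        # "%u" without 4 hex digits
            findings.append((m.group(0), "invalid"))
            i += 1
            continue
        cp = int(digits, 16)
        if 0xD800 <= cp <= 0xDBFF:                # high surrogate: needs a low one
            nxt = matches[i + 1] if i + 1 < len(matches) else None
            if (nxt is not None and nxt.start() == m.end() and nxt.group(1)
                    and 0xDC00 <= int(nxt.group(1), 16) <= 0xDFFF):
                findings.append((url[m.start():nxt.end()], "valid"))
                i += 2
                continue
            findings.append((m.group(0), "invalid"))
        elif 0xDC00 <= cp <= 0xDFFF:              # lone low surrogate
            findings.append((m.group(0), "invalid"))
        else:
            findings.append((m.group(0), "valid"))
        i += 1
    return findings


def would_raise_http47(url):
    """True when the URL holds at least one %u sequence that is not a valid character."""
    return any(verdict == "invalid" for _, verdict in classify_percent_u(url))


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real capture.
    for sample in ("/index.asp?name=%u0041bc", "/scripts/..%u00zz../", "/p?q=%uD83D%uDE00"):
        print(sample, classify_percent_u(sample), would_raise_http47(sample))
```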