Intrusion Prevention Rules

Whereas Firewall Rules and Firewall Stateful Configurations examine a packet's control information (data that describes the packet), Intrusion Prevention Rules examine the actual content of the packet (and sequences of packets). Based on the conditions set within the Intrusion Prevention Rule, various actions are then carried out on these packets: from replacing specifically defined or suspicious byte sequences, to completely dropping packets and resetting the connection.

Intrusion Prevention Rule icons:

Normal Intrusion Prevention Rules
Intrusion Prevention Rules that operate according to a schedule
Intrusion Prevention Rules that have configuration options
Intrusion Prevention Rules must be configured before use

The Intrusion Prevention Rules page lets you create and manage Intrusion Prevention Rules. From the toolbar or the right-click shortcut menu you can:

Create New Intrusion Prevention Rules from scratch ()
Import () Intrusion Prevention Rules from an XML file (located under the New menu.)
Examine or modify the Properties of an existing Intrusion Prevention Rule ()
Duplicate (and then modify) existing Intrusion Prevention Rules ()
Delete an Intrusion Prevention Rule ()
Export () one or more Intrusion Prevention Rules to an XML or CSV file. (Either export them all using the Export... button, or choose from the drop-down list to export only those that are selected or displayed)
Add/Remove Columns () columns can be added or removed by clicking Add/Remove Columns. The order in which the columns are displayed can be controlled by dragging them into their new position. Listed items can be sorted and searched by the contents of any column.

Clicking New () or Properties () displays the Intrusion Prevention Rule Properties window.

Note the Configuration tab. Intrusion Prevention Rules from Trend Micro are not directly editable through Vulnerability ProtectionDeep Security Manager. Instead, if the Intrusion Prevention Rule requires (or allows) configuration, those configuration options will be available on the Configuration tab. Custom Intrusion Prevention Rules that you write yourself will be editable, in which case the Rules tab will be visible.

Intrusion Prevention Rule Properties

General Information

Name: The name of the Intrusion Prevention Rule.
Description: The description of the Intrusion Prevention Rule.
Minimum Agent/Appliance Version: The minimum version of the Vulnerability ProtectionDeep Security Agent/Appliance required to implement this Intrusion Prevention Rule.

Details

Application Type: The Application Type this Intrusion Prevention Rule will be grouped under. You can select an existing type, or create a new one.
You can also edit existing types from this panel. Remember that if you edit an existing Application Type from here, the changes will be applied to all security elements making use of it.
Priority: The priority level of the Intrusion Prevention Rule. Higher priority rules are applied before lower priority rules.
Severity: Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as sorting criteria when viewing a list of Intrusion Prevention Rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computer's Asset Value to determine the Ranking of an Event. (See Administration > System Settings > Ranking.)
CVSS Score: A measure of the severity of the vulnerability according the National Vulnerability Database.
Detect Only: Use this checkbox when testing new rules. By checking this box, the rule will create a log entry prefaced with the words "detect only:" but will not interfere with traffic. If you set the "disable logging" checkbox in the next panel (below), the rule's activity will not be logged regardless of whether "Detect Only" is checked or not.
Some Intrusion Prevention Rules are designed to only operate in "Detect Only" mode and cannot be configured to block traffic. For these rules, the "Detect Only" option will be set and locked so it cannot be changed.

Events

Disable Event Logging: Check to disable Event logging.
- Generate Event on Packet Drop: Log the dropping/blocking of a packet.
- Always Include Packet Data: Includes the packet data in the log entry.
- Enable Debug Mode: Logs multiple packets preceding and following the packet that triggered the rule. Trend Micro recommends only using this option if instructed to do so by your support provider.

Vulnerability ProtectionDeep Security can display X-Forwarded-For headers in Intrusion Prevention events when they are available in the packet data. This information can be useful when the Vulnerability ProtectionDeep Security Agent is behind a load balancer or proxy. When X-Forwarded-For header data is available, it is displayed in the Event's Properties window. To enable this feature, the "Always Include Packet Data" option must be selected. In addition, rule 1006540 " Enable X-Forwarded-For HTTP Header Logging" must be enabled.

Identification (Displayed for Trend Micro rules only)

Type: Can be either Smart (one or more known and unknown (zero day) vulnerabilities), Exploit (a specific exploit, usually signature based), or Vulnerability (a specific vulnerability for which one or more exploits may exist).
Issued: The date the Rule was released (not downloaded).
Last Updated: The last time the Rule was modified either locally or during Security Update download.
Identifier: The rule's unique identifier tag.

Vulnerability (Displayed for Trend Micro rules only)

Displays information about this particular vulnerability. When applicable, the Common Vulnerability Scoring System (CVSS) is displayed. (For information on this scoring system, see the CVSS page at the National Vulnerability Database.)

Configuration (Displayed for Trend Micro rules only)

Configuration Options: If the downloaded rule has any configurable options, they will be displayed here. Examples of options might be header length, allowed extensions for http, cookie length, etc. If you apply a rule without setting a required option, an Alert will be triggered telling you which rule on which computer(s) requires configuration. (This also applies to any rules that are downloaded and automatically applied by way of a Security Update.)

Intrusion Prevention Rules that have configuration options are displayed in the Intrusion Prevention Rules page with a small gear over their icon (

View Rules (Available for custom Intrusion Prevention Rules only)

The View Rules... button will be available for Intrusion Prevention Rules that have not been marked confidential by Trend Micro. (Contact Trend Micro for information on writing your own Intrusion Prevention Rules.)

Options

Alert

Select whether or not this Intrusion Prevention Rule should trigger an Alert when it is triggered. If you only wish this rule to be active during specific periods, assign a schedule from the drop-down list.

Schedule

Select whether the Intrusion Prevention Rule should only be active during a scheduled time.

Intrusion Prevention Rules that are active only at scheduled times are displayed in the Intrusion Prevention Rules page with a small clock over their icon (

With Agent-based protection, schedules use the same time zone as the endpoint operating system. With Agentless protection, schedules use the same time zone as the Deep Security Virtual Appliance.

Context

Contexts are a powerful way of implementing different security policies depending on the computer's network environment. You will most often use Contexts to create Policies which apply different Firewall and Intrusion Prevention Rules to computers (usually mobile laptops) depending on whether that computer is in or away from the office.

Contexts are designed to be associated with Firewall and Intrusion Prevention Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied.

To determine a computer's location, Contexts examine the nature of the computer's connection to its domain controller. For more information on Contexts, see Policies > Common Objects > Other > Contexts.

Recommendation Options

Use this option to exclude this Intrusion Prevention Rule from Rule recommendations made after Recommendation Scans.

Assigned To

This tab displays the list of computers and Policies to which this Intrusion Prevention Rule is assigned.