
Community Rules (versions 11.1.2 and earlier)



Update Schedule

The Update Schedule is used to configure the schedule used for updating from the configured community rule sources.

Schedule: What type of schedule to use to update from the community rules sources: Never, Daily, Weekly, or Monthly.

Hour: During what hour to update the sources. This is applicable for daily, weekly, and monthly schedules.

Day Of Week: On what day of the week to update the sources. This is applicable for the weekly schedule.

Day Of Month: On what day of the month to update the sources. This is applicable for the monthly schedule.

IDS/IPS Community Sources

The IDS/IPS Community Sources section is used to configure the sources from which the rules will be retrieved during updates. The default source is et/open, and all enabled rules are set to an alert action.

To add a new source click Add New Source.

To delete a source, click the Select checkbox for the associated row and click Delete.

To enable a source, click the Select checkbox for the associated row and click Enable.

To disable a source, click the Select checkbox for the associated row and click Disable.

To view the rules associated with a source, click either Export or View. The rules displayed here are the original downloaded rules. These are not the rules to look at to see the final result after the default action, categories, and signature actions are applied. To view what the final rules look like, click on View Rules.

IDS/IPS Community Categories

The IDS/IPS Community Categories section is used to apply settings to all of the rules contained in a category. These category actions are applied to the matching rules downloaded from the IDS/IPS Community Sources.

To add a new category click Add New Category.

To delete a category, click the Select checkbox for the associated row and click Delete.

To enable a category, click the Select checkbox for the associated row and click Enable.

To disable a category, click the Select checkbox for the associated row and click Disable.

To view the rules associated with a category, click either Export or View.

Category Settings

Name: Enter a name for the IDS/IPS category.

Action: Configure the action for the category. This will apply to all rules matched by the category.

  • enable: The associated rules matching the category will be enabled. This is useful if there are rules that the community source marked as disabled and the user wants them to be enabled.
  • disable: The associated rules matching the category will be disabled. This is useful if there are rules that are generating too many alerts for your traffic.
  • drop: The associated rules matching the category will be set to drop.
  • alert: The associated rules matching the category will be set to alert.
  • reject: The associated rules matching the category will be set to reject.

Class: Select the classtype of the rule definition to match on.

Pattern: Optionally enter a string to further match within a rule definition.

Apply to Disabled Rules: When checked the category will also enable and apply the action to the associated rules that were initially disabled by the community rule sources.

IDS/IPS Community Categories Examples

By default, all rules in the downloaded et/open rule set have their action set to Alert. Some rules are also disabled by default, which is denoted by a # symbol before the rule. The categories added to the IDS/IPS Community Categories section allow changing the action of all the rules in the category. Some possible uses of these categories are to:

  • Disable all of the rules in a category so they do not generate alerts
  • Change the actions of all of the rules in a category such as from the default, Alert, to Drop or Reject
  • Enable all of the rules in a category that are disabled by default

For example, to change the action of all rules in the "Not Suspicious Traffic" category from Alert to Disable, the following category would be added.

[Screenshot: category_settings_1.png]
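To make the Category Settings above and this example concrete, here is an added Python model of how a category row (Name, Action, Class, Pattern, Apply to Disabled Rules) rewrites downloaded rules. It is not Ecessa's code; the rule lines are constructed samples in ET/Suricata syntax with private-range sids, not real et/open signatures, and the handling of disabled rules (an "enable" category always reaches them, other actions only when Apply to Disabled Rules is checked) is an assumption made from the article's field descriptions. The "Not Suspicious Traffic" category uses the ET classtype `not-suspicious`, and the example also shows Drop, Pattern matching and Apply to Disabled Rules beyond the single Disable case pictured.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "downloaded" rules (not real et/open content; sids are
# in a private range). A leading '#' marks a rule the source ships disabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN SSH brute force"; classtype:attempted-admin; sid:9000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP echo request"; classtype:not-suspicious; sid:9000002; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"EXAMPLE POLICY cleartext FTP login"; classtype:policy-violation; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN check-in beacon"; classtype:trojan-activity; sid:9000004; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS unusual TXT"; classtype:not-suspicious; sid:9000005; rev:1;)
"""

CATEGORY_ACTIONS = {"enable", "disable", "drop", "alert", "reject"}


@dataclass(frozen=True)
class Category:
    """One row of the IDS/IPS Community Categories table (fields as in the article)."""
    name: str
    action: str                      # enable | disable | drop | alert | reject
    classtype: str                   # Class: classtype to match on
    pattern: Optional[str] = None    # Pattern: optional substring within the rule
    apply_to_disabled: bool = False  # Apply to Disabled Rules checkbox


@dataclass(frozen=True)
class Rule:
    action: str     # alert | drop | reject | pass
    body: str       # everything after the action keyword
    disabled: bool  # True when the downloaded line began with '#'


RULE_RE = re.compile(r"^(#\s*)?(alert|drop|reject|pass)\s+(.*)$")
CLASSTYPE_RE = re.compile(r"classtype:\s*([\w-]+)\s*;")


def parse_rule(line: str) -> Optional[Rule]:
    """Return a Rule for a rule line, or None for blanks and plain comments."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return Rule(action=m.group(2), body=m.group(3), disabled=m.group(1) is not None)


def render_rule(rule: Rule) -> str:
    return ("#" if rule.disabled else "") + f"{rule.action} {rule.body}"


def classtype_of(rule: Rule) -> str:
    m = CLASSTYPE_RE.search(rule.body)
    return m.group(1) if m else ""


def category_matches(cat: Category, rule: Rule) -> bool:
    if cat.classtype != classtype_of(rule):
        return False
    if cat.pattern and cat.pattern not in rule.body:
        return False
    # Assumption: 'enable' exists to reach disabled rules, so it always sees them;
    # other actions skip source-disabled rules unless the checkbox is set.
    if rule.disabled and cat.action != "enable" and not cat.apply_to_disabled:
        return False
    return True


def apply_category(cat: Category, rule: Rule) -> Rule:
    if cat.action not in CATEGORY_ACTIONS:
        raise ValueError(f"unknown category action: {cat.action}")
    if not category_matches(cat, rule):
        return rule
    if cat.action == "enable":
        return Rule(rule.action, rule.body, disabled=False)
    if cat.action == "disable":
        return Rule(rule.action, rule.body, disabled=True)
    # drop / alert / reject rewrite the action keyword; a disabled rule only gets
    # here through apply_to_disabled, which also re-enables it.
    return Rule(cat.action, rule.body, disabled=False)


def apply_categories(rules_text: str, categories: List[Category]) -> List[str]:
    """Produce the final rule lines; categories are applied in table order."""
    out = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)  # keep blanks and comments untouched
            continue
        for cat in categories:
            rule = apply_category(cat, rule)
        out.append(render_rule(rule))
    return out


def summarize(lines: List[str]) -> dict:
    """Count final lines per state, to check a category did what you intended."""
    counts = {"disabled": 0, "alert": 0, "drop": 0, "reject": 0, "pass": 0}
    for line in lines:
        rule = parse_rule(line)
        if rule is not None:
            counts["disabled" if rule.disabled else rule.action] += 1
    return counts


# First row is the article's example: "Not Suspicious Traffic" -> Disable.
EXAMPLE_CATEGORIES = [
    Category("Not Suspicious Traffic", "disable", "not-suspicious"),
    Category("Drop trojan activity", "drop", "trojan-activity"),
    Category("Re-enable policy rules", "alert", "policy-violation", apply_to_disabled=True),
]

if __name__ == "__main__":
    final = apply_categories(SAMPLE_RULES, EXAMPLE_CATEGORIES)
    print("\n".join(final))
    print(summarize(final))
```

Running it prints the rule set as View Rules would show it: the two `not-suspicious` rules end up commented out, the trojan rule becomes `drop`, and the policy rule that shipped disabled is re-enabled as `alert` only because Apply to Disabled Rules was checked. Comparing `summarize()` before and after a change is a quick way to confirm a Disable or Drop category reaches the rules you meant and no more.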
