Difference between revisions of "ASL HIDS"
m |
m (→Suspicious Behavior Rules) |
||
Line 19: | Line 19: | ||
By default, [[ASL]] comes with a power set of rules that should detect and stop most attacks, without generating false positives. ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect. ASL will alert on these events, it just will not take an active response actions. | By default, [[ASL]] comes with a power set of rules that should detect and stop most attacks, without generating false positives. ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect. ASL will alert on these events, it just will not take an active response actions. | ||
− | To change this behavior you can search for rules with an alert level below | + | To change this behavior you can search for rules with an alert level below 5. Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address). |
== Reconfiguring Rules == | == Reconfiguring Rules == |
Revision as of 15:26, 8 May 2013
Contents |
Introduction
ASL includes a powerful Host Based Intrusion Detection System (HIDS). This HIDS will look for suspicious activity, suspicious processes, malicious files and other signs of malicious and supsicious activiy. It will also aggregate the systems logs and look for signs of attack, authentication failures, errors in applications, and other important information.
Configuration
You can access the HIDS configuration options by following this process:
Step 1) Log into the ASL GUI
Step 2) Click on the Configuration Tab
Step 3) Select ASL Configuration
Usage
Suspicious Behavior Rules
By default, ASL comes with a power set of rules that should detect and stop most attacks, without generating false positives. ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect. ASL will alert on these events, it just will not take an active response actions.
To change this behavior you can search for rules with an alert level below 5. Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).
Reconfiguring Rules
To reconfigure a rule simply pull up the rule manager and type in the rule ID into the search field. For example:
Step 1) Log into the ASL GUI
Step 2) Click on the Configuration Tab
Step 3) Select "Rule Management"
This will bring up the Rule Management window.
Step 4) Select the "Rules" Tab
Step 5) Type in the rule ID, for example 60815
Step 6) Click on the down arrow next to the rule ID, this will pull up all the options for the rule.
Example:
Say you wanted to change the behavior for rule ID 60815 so that it blocked any detected events. Follow steps 1-6 above, and then:
Step 7) Select the Active Response drop down and change it to "yes"
Step 8) Optional: We also recommend you change the alert level to 10, that way it will both show up in the ASL GUI and you will get an email alerting you when its been activated. If you do not want to be emailed or alerted, just leave the level at 4. You can also select Email and Logging options should you prefer that you be emailed but not notified in the GUI and/or vice versa.