ASL HIDS
Latest revision as of 13:34, 25 September 2015
Introduction
ASL includes a powerful Host-Based Intrusion Detection System (HIDS). The HIDS looks for suspicious activity, suspicious processes, malicious files and other signs of malicious or suspicious activity. It also aggregates the system logs and looks for signs of attack, authentication failures, errors in applications, and other important information.
Configuration
You can access the HIDS configuration options by following this process:
Step 1) Log into the ASL GUI
Step 2) Click on the Settings Tab
Step 3) Select ASL Configuration
Step 4) Select Host Intrusion Detection System
You can also edit specific HIDS rules. You can find the HIDS rules by following this process:
Step 1) Log into the ASL GUI.
Step 2) Click on the ASL tab
Step 3) Select "WAF and HIDS Rules"
Step 4) Select "HIDS"
Usage
Suspicious Behavior Rules
By default, ASL comes with a powerful set of rules that should detect and stop most attacks without generating false positives. ASL also includes additional rules that are enabled but set to a lower priority; these will not automatically block the activities they detect. ASL will only alert on these events and will not take any active response action.
To change this behavior, search for rules with an alert level below 5. Level 5 is the default level at which an action is blocked (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).
Reconfiguring Rules
To reconfigure a rule, open the rule manager and type the rule ID into the search field. For example:
Step 1) Log into the ASL GUI
Step 2) Click on the Configuration Tab
Step 3) Select "Rule Management"
This will bring up the Rule Management window.
Step 4) Select the "Rules" Tab
Step 5) Type in the rule ID, for example 60815
Step 6) Click on the down arrow next to the rule ID; this will pull up all the options for the rule.
Example:
Say you wanted to change the behavior for rule ID 60815 so that it blocked any detected events. Follow steps 1-6 above, and then:
Step 7) Select the Active Response drop down and change it to "yes"
Step 8) Optional: We also recommend you change the alert level to 10. That way the event will both show up in the ASL GUI and you will get an email alerting you when the rule has been activated. If you do not want to be emailed or alerted, just leave the level at 4. You can also select the Email and Logging options should you prefer to be emailed but not notified in the GUI, or vice versa.
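The following script is an added example, not ASL's own code or data format. It models the rule-level policy described in the two sections above (rules below level 5 are alert-only, level 5 blocks and optionally shuns the source IP, level 10 additionally emails and shows in the GUI) and the effect of steps 7 and 8 on rule 60815. The rule table, the second rule ID, the descriptions and the IP addresses are constructed placeholders; the thresholds and the active-response toggle are the page's stated behaviour, expressed here as assumptions about how such a policy evaluates.

```python
"""Model of the ASL HIDS alert-level / active-response policy described on this page.

Constructed example: the rule table, event stream and field names are
assumptions, not ASL's own code or data formats.
"""
from dataclasses import dataclass

BLOCK_LEVEL = 5    # page: level 5 is the default level at which ASL blocks
EMAIL_LEVEL = 10   # page: level 10 also emails and shows the alert in the GUI


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    active_response: bool = False  # the "Active Response" drop-down in the GUI


@dataclass
class Event:
    rule_id: int
    src_ip: str
    detail: str


def alert_only_rules(rules):
    """Rules that will alert but never block: level below the block threshold
    and active response not switched on. This is the set the page tells you
    to search for when reviewing what ASL merely alerts on."""
    return sorted(r.rule_id for r in rules.values()
                  if r.level < BLOCK_LEVEL and not r.active_response)


def decide(rule, event, shun_enabled=True):
    """Return the set of actions ASL would take for one event, per the page text."""
    actions = {"log"}
    if rule.level >= BLOCK_LEVEL or rule.active_response:
        actions.add("block")
        if shun_enabled:  # shunning the source IP is optional configuration
            actions.add(f"shun {event.src_ip}")
    if rule.level >= EMAIL_LEVEL:
        actions.update({"email", "gui_alert"})
    return actions


def reconfigure(rules, rule_id, active_response=None, level=None):
    """Steps 7 and 8 on the page: enable active response and/or raise the level."""
    rule = rules[rule_id]
    if active_response is not None:
        rule.active_response = active_response
    if level is not None:
        rule.level = level
    return rule


def run(rules, events, shun_enabled=True):
    """Evaluate every event against its rule; returns {rule_id: actions}."""
    return {e.rule_id: decide(rules[e.rule_id], e, shun_enabled) for e in events}


# Constructed sample data. 60815 is the page's example rule; the other ID,
# the descriptions and the documentation-range IP addresses are placeholders.
SAMPLE_RULES = {
    60815: Rule(60815, 4, "placeholder suspicious-behaviour rule (alert-only by default)"),
    90001: Rule(90001, 7, "placeholder high-confidence attack rule"),
}
SAMPLE_EVENTS = [
    Event(60815, "203.0.113.10", "constructed suspicious-behaviour event"),
    Event(90001, "203.0.113.20", "constructed attack event"),
]

if __name__ == "__main__":
    print("alert-only rules before:", alert_only_rules(SAMPLE_RULES))
    for rid, acts in run(SAMPLE_RULES, SAMPLE_EVENTS).items():
        print(rid, sorted(acts))
    reconfigure(SAMPLE_RULES, 60815, active_response=True, level=10)
    print("alert-only rules after:", alert_only_rules(SAMPLE_RULES))
    for rid, acts in run(SAMPLE_RULES, SAMPLE_EVENTS).items():
        print(rid, sorted(acts))
```

Running it shows rule 60815 producing only a log entry at level 4, and producing block, shun, email and GUI alert once active response is enabled and the level raised to 10; the level-7 placeholder rule blocks and shuns from the start, which is the behaviour the page attributes to rules at or above level 5.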