Difference between revisions of "ASL HIDS"

From Atomicorp Wiki
Jump to: navigation, search
m (Suspicious Behavior Rules)
(Configuration)
 
(One intermediate revision by one user not shown)
Line 9: Line 9:
 
Step 1) Log into the ASL GUI
 
Step 1) Log into the ASL GUI
  
Step 2) Click on the Configuration Tab
+
Step 2) Click on the Settings Tab
  
 
Step 3) Select ASL Configuration
 
Step 3) Select ASL Configuration
 +
 +
Step 4) Select Host Intrusion Detection System
 +
 +
 +
You can also edit specific HIDS rules.  You can find the HIDS rules by following this process:
 +
 +
Step 1) Log into the ASL GUI.
 +
 +
Step 2) Click on the ASL tab
 +
 +
Step 3) Select "WAF and HIDS Rules"
 +
 +
Step 4) Select "HIDS"
  
 
= Usage =
 
= Usage =
Line 17: Line 30:
 
== Suspicious Behavior Rules ==
 
== Suspicious Behavior Rules ==
  
By default, [[ASL]] comes with a power set of rules that should detect and stop most attacks, without generating false positives.  ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect.  ASL will alert on these events, it just will not take an active response actions.
+
By default, [[ASL]] comes with a powerful set of rules that should detect and stop most attacks, without generating false positives.  ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect.  ASL will only alert on these events, it will not take an active response actions.
  
 
To change this behavior you can search for rules with an alert level below 5.  Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).
 
To change this behavior you can search for rules with an alert level below 5.  Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).

Latest revision as of 13:34, 25 September 2015

Contents

[edit] Introduction

ASL includes a powerful Host Based Intrusion Detection System (HIDS). This HIDS will look for suspicious activity, suspicious processes, malicious files and other signs of malicious and supsicious activiy. It will also aggregate the systems logs and look for signs of attack, authentication failures, errors in applications, and other important information.

[edit] Configuration

You can access the HIDS configuration options by following this process:

Step 1) Log into the ASL GUI

Step 2) Click on the Settings Tab

Step 3) Select ASL Configuration

Step 4) Select Host Intrusion Detection System


You can also edit specific HIDS rules. You can find the HIDS rules by following this process:

Step 1) Log into the ASL GUI.

Step 2) Click on the ASL tab

Step 3) Select "WAF and HIDS Rules"

Step 4) Select "HIDS"

[edit] Usage

[edit] Suspicious Behavior Rules

By default, ASL comes with a powerful set of rules that should detect and stop most attacks, without generating false positives. ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect. ASL will only alert on these events, it will not take an active response actions.

To change this behavior you can search for rules with an alert level below 5. Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).

[edit] Reconfiguring Rules

To reconfigure a rule simply pull up the rule manager and type in the rule ID into the search field. For example:

Step 1) Log into the ASL GUI

Step 2) Click on the Configuration Tab

Step 3) Select "Rule Management"

This will bring up the Rule Management window.

Step 4) Select the "Rules" Tab

Step 5) Type in the rule ID, for example 60815

Step 6) Click on the down arrow next to the rule ID, this will pull up all the options for the rule.

Example:

Say you wanted to change the behavior for rule ID 60815 so that it blocked any detected events. Follow steps 1-6 above, and then:

Step 7) Select the Active Response drop down and change it to "yes"

Step 8) Optional: We also recommend you change the alert level to 10, that way it will both show up in the ASL GUI and you will get an email alerting you when its been activated. If you do not want to be emailed or alerted, just leave the level at 4. You can also select Email and Logging options should you prefer that you be emailed but not notified in the GUI and/or vice versa.

[edit] Notes

Personal tools