Difference between revisions of "ASL HIDS"

From Atomicorp Wiki
Jump to: navigation, search
m
m (Suspicious Behavior Rules)
Line 19: Line 19:
 
By default, [[ASL]] comes with a power set of rules that should detect and stop most attacks, without generating false positives.  ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect.  ASL will alert on these events, it just will not take an active response actions.
 
By default, [[ASL]] comes with a power set of rules that should detect and stop most attacks, without generating false positives.  ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect.  ASL will alert on these events, it just will not take an active response actions.
  
To change this behavior you can search for rules with an alert level below 7.  Level 7 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).
+
To change this behavior you can search for rules with an alert level below 5.  Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).
  
 
== Reconfiguring Rules ==
 
== Reconfiguring Rules ==

Revision as of 15:26, 8 May 2013

Contents

Introduction

ASL includes a powerful Host Based Intrusion Detection System (HIDS). This HIDS will look for suspicious activity, suspicious processes, malicious files and other signs of malicious and supsicious activiy. It will also aggregate the systems logs and look for signs of attack, authentication failures, errors in applications, and other important information.

Configuration

You can access the HIDS configuration options by following this process:

Step 1) Log into the ASL GUI

Step 2) Click on the Configuration Tab

Step 3) Select ASL Configuration

Usage

Suspicious Behavior Rules

By default, ASL comes with a power set of rules that should detect and stop most attacks, without generating false positives. ASL also includes additional rules that are enabled, but are set to a lower priority and will not automatically block the activities they detect. ASL will alert on these events, it just will not take an active response actions.

To change this behavior you can search for rules with an alert level below 5. Level 5 is the default level to block an action (ASL will automatically block the action from succeeding and will, if configured to do so, shun the IP address).

Reconfiguring Rules

To reconfigure a rule simply pull up the rule manager and type in the rule ID into the search field. For example:

Step 1) Log into the ASL GUI

Step 2) Click on the Configuration Tab

Step 3) Select "Rule Management"

This will bring up the Rule Management window.

Step 4) Select the "Rules" Tab

Step 5) Type in the rule ID, for example 60815

Step 6) Click on the down arrow next to the rule ID, this will pull up all the options for the rule.

Example:

Say you wanted to change the behavior for rule ID 60815 so that it blocked any detected events. Follow steps 1-6 above, and then:

Step 7) Select the Active Response drop down and change it to "yes"

Step 8) Optional: We also recommend you change the alert level to 10, that way it will both show up in the ASL GUI and you will get an email alerting you when its been activated. If you do not want to be emailed or alerted, just leave the level at 4. You can also select Email and Logging options should you prefer that you be emailed but not notified in the GUI and/or vice versa.

Notes

Personal tools