
Configuring Intrusion Prevention

You can configure signature filters in an intrusion prevention profile to select the signatures that share certain features and set one action for all threats matching those features. You can also add a signature as an exception and configure a different action for the exception signature.

Context

The device has multiple default intrusion prevention profiles for different application scenarios, as shown in Table 1. The default intrusion prevention profiles can be displayed, cloned, or referenced in security policies, but cannot be modified or deleted.

When you reference a profile in a security policy, you can view the name of the default profile in the drop-down list. To view the configuration result, choose System > Configuration File Management. In Current Configuration, you can view that the security policy references the default profile, but the configuration information about the default profile is not displayed.

Table 1 Default intrusion prevention profiles

| Name | Target | Severity | Operating System | Application Program | Protocol | Category | Action | Application Scenario |
|---|---|---|---|---|---|---|---|---|
| video_surveillance | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | DNS, HTTP, FTP, TELNET, SSH, RTSP, SSL, UDP, TCP | All | Default | The intrusion prevention profile applies when the device is deployed in video surveillance scenarios. |
| strict | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | All | All | Block | The intrusion prevention profile applies to the scenarios in which the device is required to block all matched packets. |
| web_server | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | DNS, HTTP, FTP | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a web server. |
| file_server | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | DNS, SMB, NETBIOS, NFS, SUNRPC, MSRPC, FILE, TELNET | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a file server. |
| dns_server | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | DNS | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DNS server. |
| mail_server | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | DNS, IMAP4, SMTP, POP3 | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a mail server. |
| inside_firewall | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | Except TELNET and TFTP | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed behind a firewall. |
| dmz | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | Except NETBIOS, NFS, SMB, TELNET and TFTP | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DMZ. |
| outside_firewall | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | All | Except Scanner | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a firewall. |
| ids | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | All | All | Alert | The intrusion prevention profile applies to the scenarios in which the device is deployed off-line as an IDS. |
| default | All | Low, Medium, High | Unix-like, Windows, Android, iOS, Other | All | All | All | Default | The intrusion prevention profile applies to the scenarios in which the device is deployed in-line as an IPS. |

Procedure

  1. Choose Object > Security Profiles > Intrusion Prevention.
  2. In Intrusion Prevention Profile List, select either of the two methods to create an intrusion prevention profile.

    • Click Add.
    • If the intrusion prevention profile to be created is similar to an existing predefined or user-defined one, select that profile, click Copy, and modify the cloned profile to create the new one.

  3. Configure name, description, attack evidence collection and domain name checking.

    Parameters and their descriptions:

    Name

    Name of the intrusion prevention profile

    Description

    Description of the intrusion prevention profile

    Attack Evidence Collection

    If you select Enable, the FW enables the attack evidence collection function and starts to collect the packets that match the intrusion prevention profile.

    NOTE:
    • The attack evidence collection function relies on hard disks and is available only when hard disks are installed.
    • Attack evidence collection does not apply to HTTPS traffic.
    • When the TCP proxy function is enabled on a device, the attack evidence collection function is unavailable.
    • When the antivirus full-scan mode is enabled on the device, if the antivirus profile is referenced in the security policy matching FTP traffic, FTP traffic is processed in proxy mode by default. In this case, the intrusion prevention function cannot be used to collect attack evidence for FTP traffic.
    • By default, attack evidence collection has the following restrictions:
      • A maximum of five attack evidence collection sessions are supported for a single signature ID on a single CPU.
      • When the system memory space is less than 200 MB, the device does not collect attack evidence. When the system memory space is restored to 400 MB, the device resumes attack evidence collection.
      • A single CPU allows a maximum of 512 MB of buffered attack evidence collection data. The maximum data volume of attack evidence that can be cached in a single session is as follows:
        • Versions earlier than V600R007C20SPC500: 100 KB. If the size of the file whose data needs to be collected exceeds 100 KB, the device does not perform attack evidence collection on the session.
        • V600R007C20SPC500 to V600R007C20SPC601: 30 KB. If the size of the file whose data needs to be collected exceeds 30 KB, the device does not perform attack evidence collection on the session.
        • V600R007C20SPC602 and later versions: 10 KB. If the size of the file whose data needs to be collected exceeds 10 KB, the device does not perform attack evidence collection on the session.
    • If the action in the intrusion prevention profile is block, the device collects only the identified threat packets and the packets before them. Subsequent packets of the same session are blocked and discarded, and therefore are not collected. If the action in the intrusion prevention profile is not block, the device collects all threat packets of the session for evidence collection.
    • Attack evidence collection is for troubleshooting only. Because attack evidence collection compromises system performance, enable it only when necessary and disable it immediately after you finish collecting evidence.

    In an extreme case, the action in the intrusion prevention profile is not block, so the device collects all packets that match the profile, but the storage space becomes insufficient after some threat packets have been collected. As a result, the device stops collecting attack evidence.

    Log in to the device using an auditor account, choose Monitor > Log > Threat Log, locate the entry whose Threat Type is Intrusion, and click the view icon of the entry to view and download the data packets, or click the download icon to download the packets directly. You can view and download the data packets only when you log in to the device using an auditor account.

    Domain Name Checking

    If Enable is selected, domain name-based filtering is enabled.

    The domain name-based filtering function enables the device to filter out packets using the malicious domain name signature database. Upon receiving a packet matching a malicious domain name, the device implements the specified action and logs the threats for auditing and troubleshooting.

    If you determine that certain domain names are not malicious domain names after analyzing the threat logs, click Exception Domain next to each of these domain names to add them as exception domain names.

    Associated Detection

    If Enable is selected, associated detection is enabled.

    Associated detection is a detection process based on the associated signature and usually applies to detecting complex network attack behavior.

    Action

    Operation performed by the device once the target domain name of a packet matches any entry in the malicious domain name signature database. Available actions are as follows:

    • Alert (default)

    • Block

  4. Configure signature filters.

    You can configure a signature filter to select the signatures that match the specified conditions. A signature is added to a signature filter only if it meets all of the filtering conditions.

    Signature filters are displayed in top-down order on the Web UI. The signature filters configured first match packets preferentially.

    1. In Signature Filter List, click Add.
    2. In Add Signature Filter, set the following parameters.

      Parameters and their descriptions:

      Name

      Name of the signature filter.

      Target

      Target of a signature. Signatures matching the specified conditions are added to the signature filter.
      • Server: detects intrusions (especially vulnerability exploits) to a server.

        For example, the local end (server) is attacked when accessed by the peer end.

      • Client: detects intrusions (especially vulnerability exploits) to a client.

        For example, a PC (client) accesses a malicious code-embedded server and is attacked.

      Severity

      You can filter signatures by severity.

      OS

      You can filter signatures by operating system.

      For a user-defined signature, the operating system is not specified, which means the user-defined signature matches all operating systems.

      Application

      You can filter signatures by application programs.

      Protocol

      You can filter signatures by protocol.

      The protocols of predefined signatures are dynamically generated by the intrusion prevention signature database.

      Category

      You can filter signatures by intrusion category.

      The intrusion categories of predefined signatures are dynamically generated by the intrusion prevention signature database whereas those of user-defined signatures are generated by the system.

      Action

      Action for a signature filter.
      • Default: The device processes packets matching signatures of the signature filter based on the default actions for the signatures.
      • Alert: The device generates alarms on and logs all packets matching any signature of the signature filter. The action for the signature is ignored.
      • Block: The device blocks and logs all packets matching any signature of the signature filter. The action for the signature is ignored.

    3. Optional: Click Preview to view the filtering result.

      You can click the signature name to view or modify the signature. You can modify only user-defined signatures.

      After you configure a signature filter, the system automatically classifies the matched signatures by intrusion category and in ascending order of signature ID.

      Click Close.

    4. Click OK to complete the configuration of the signature filter.
  5. Optional: Configure signature exception.

    You can add a signature as an exception and configure a different action for the exception signature.

    An exception signature has a higher priority than a signature filter. If different actions are configured for an exception signature and a signature filter, the action for the exception signature applies.

    1. Add signatures to the signature exception list.

      You can perform either of the following methods to add signatures to the signature exception list:

      Method 1: In Signature Exception List, enter the ID of the signature to be added and click Add.

      Method 2:
      1. In Signature Filter List, select the name of a signature filter and click View Result.
      2. In View Filtering Results, select the signature to be added to the signature exception list and click Add ID to Exception List.

      Then you can view the added exception signatures in the Signature Exception group box, and click a signature name to view or modify the signature. You can modify only user-defined signatures.

      You can also choose Monitor > Log > Threat Log and add a signature ID to signature exception. For details, see Verification and Check.

    2. Select the desired action from the Action drop-down list box of the exception signature to be modified.

      After you modify the action, the default action for the signature becomes invalid. Available actions for exception signatures are as follows:

      • Allow (default): The device permits the matched packets and does not generate logs.

      • Alert: The device permits the matched packets and generates logs.

      • Block: The device discards the matched packets, blocks the data flow to which the packet belongs, and generates a log.

      • Block+Isolation (Source IP): The device discards the matched packets, blocks the data flow to which the packets belong, generates logs, and blacklists the source IP addresses of these packets.

      • Block+Isolation (Destination IP): The device discards the matched packets, blocks the data flow to which the packets belong, generates logs, and blacklists the destination IP addresses of these packets.

    3. If Action is set to Block+Isolation (Source IP) or Block+Isolation (Destination IP), you can specify the validity period of the blacklist entries by setting Timeout. After the timeout is reached, the blacklisted source or destination IP address will be removed from the blacklist. The default value of Timeout is five minutes.

      The value range of the Timeout interval is as follows:

      • Versions earlier than V600R007C20SPC601: 1 to 30 minutes.
      • V600R007C20SPC601 and later versions: 0 to 65535 minutes, where 0 minutes indicates that the blacklist is always valid.

  6. Optional: Configure protocol anomaly detection.

    Perform anomaly detection for HTTP and DNS protocols.

    Parameters and their descriptions:

    HTTP

    SSH over HTTP

    Detects whether HTTP traffic contains SSH traffic. Available actions include:

    • Alert: When HTTP traffic contains SSH traffic, the packet is permitted, and a log is recorded.
    • Block: When HTTP traffic contains SSH traffic, the packet is blocked, and a log is recorded.

    Host

    Detects whether an HTTP packet contains multiple Host fields. Available actions include:

    • Alert: When an HTTP packet contains multiple Host fields, the packet is permitted, and a log is recorded.
    • Block: When an HTTP packet contains multiple Host fields, the packet is blocked, and a log is recorded.

    X-Online-Host

    Detects the X-Online-Host field in an HTTP packet. Matching conditions include:

    • X-Online-Host Field: When an HTTP packet contains the X-Online-Host field, an anomaly is detected.
    • Multiple X-Online-Host Fields: When an HTTP packet contains two or more X-Online-Host fields, an anomaly is detected.
    • Blacklist: Detects whether the domain name or IP address in an X-Online-Host field matches the blacklist. If yes, an anomaly is detected.

    Available actions include:

    • Alert: When the X-Online-Host field in an HTTP packet is abnormal, the packet is permitted, and a log is recorded.
    • Block: When the X-Online-Host field in an HTTP packet is abnormal, the packet is blocked, and a log is recorded.

    X-Forwarded-For

    Detects the X-Forwarded-For field in an HTTP packet. Matching conditions include:

    • X-Forwarded-For Field: When an HTTP packet contains the X-Forwarded-For field, an anomaly is detected.
    • Whitelist: Detects whether all proxy IP addresses in the X-Forwarded-For field match the whitelist. If any of them does not, an anomaly is detected.

    Available actions include:

    • Alert: When the X-Forwarded-For field in an HTTP packet is abnormal, the packet is permitted, and a log is recorded.
    • Block: When the X-Forwarded-For field in an HTTP packet is abnormal, the packet is blocked, and a log is recorded.

    DNS

    Protocol Format Anomaly

    Detects whether the protocol format of a DNS packet is abnormal. Available actions include:

    • Alert: When the protocol format of a DNS packet is abnormal, the packet is permitted, and a log is recorded.
    • Block: When the protocol format of a DNS packet is abnormal, the packet is blocked, and a log is recorded.

    DNS Request

    Detects the value of the query type field in a DNS packet. To detect the values of all query type fields, set a default action, which can be:

    • Allow: The packet is permitted.
    • Alert: The packet is permitted, and a log is recorded.
    • Block: The packet is blocked, and a log is recorded.

    To detect the value of a specific query type field, select a query type from the drop-down list of Packet Search Types or directly enter the value of a query type. Then click Add and set the action, which can be:

    • Allow: When the query type of the DNS packet is as specified, the packet is permitted.
    • Alert: When the query type of the DNS packet is as specified, the packet is permitted, and a log is recorded.
    • Block: When the query type of the DNS packet is as specified, the packet is blocked, and a log is recorded.

    Abnormal DNS Domain Characters

    Detects whether a DNS domain name has an abnormal character. Available actions include:

    • Alert: When the DNS domain name has an abnormal character, the packet is permitted, and a log is recorded.
    • Block: When the DNS domain name has an abnormal character, the packet is blocked, and a log is recorded.

    DNS Domain Length

    Detects whether the DNS domain name is too long. The default value of Maximum detection length is 64. Available actions include:

    • Alert: When the DNS domain name length is greater than the maximum value, the packet is permitted, and a log is recorded.
    • Block: When the DNS domain name length is greater than the maximum value, the packet is blocked, and a log is recorded.

    DNS Request Sessions

    Detects whether the number of DNS session requests exceeds the maximum value. The default value of Maximum number of requests is 20. Available actions include:

    • Alert: If the number of DNS session requests exceeds the maximum value, the packet is permitted, and a log is recorded.
    • Block: If the number of DNS session requests exceeds the maximum value, the packet is blocked, and a log is recorded.

  7. Click OK.

    After the configuration is complete, view the information about the profile in Intrusion Prevention Profile List. Select an intrusion prevention profile and click View Result to view all matched signatures.

  8. Reference the intrusion prevention profile in the security policy.

    For details on how to configure the security policy, see Configuring a Security Policy Using the Web UI.

  9. Click Commit on the upper right of the web page to commit the intrusion prevention profile.

    The created or modified intrusion prevention profile does not take effect immediately. You need to click Commit on the upper right of the web page to activate the configuration. To save time, commit the configuration after you complete all operations on the intrusion prevention profile.
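The filter and exception rules from steps 4 and 5 (all filter conditions must match, filters are tried top-down, an exception outranks any filter, and a Default filter action falls back to the signature's own action) are modelled below. This is an added example, not Huawei code; the signature IDs, attribute values and filter definitions are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sig_id: int
    target: str          # "Server" or "Client"
    severity: str        # "Low", "Medium" or "High"
    os: str              # e.g. "Windows"; "All" for a user-defined signature
    protocol: str
    category: str
    default_action: str  # action shipped with the signature


@dataclass
class SignatureFilter:
    name: str
    action: str = "Default"            # "Default", "Alert" or "Block"
    # An empty set means "All" for that condition.
    targets: frozenset = frozenset()
    severities: frozenset = frozenset()
    oses: frozenset = frozenset()
    protocols: frozenset = frozenset()
    categories: frozenset = frozenset()

    def matches(self, sig: Signature) -> bool:
        # A signature joins the filter only if it meets ALL conditions; a
        # signature attribute of "All" (user-defined OS) satisfies any condition.
        conditions = ((self.targets, sig.target), (self.severities, sig.severity),
                      (self.oses, sig.os), (self.protocols, sig.protocol),
                      (self.categories, sig.category))
        return all(not allowed or value == "All" or value in allowed
                   for allowed, value in conditions)


@dataclass
class IpsProfile:
    filters: list = field(default_factory=list)      # top-down order
    exceptions: dict = field(default_factory=dict)   # sig_id -> action

    def resolve_action(self, sig: Signature) -> Optional[str]:
        if sig.sig_id in self.exceptions:        # exception outranks every filter
            return self.exceptions[sig.sig_id]
        for flt in self.filters:                  # first matching filter wins
            if flt.matches(sig):
                return sig.default_action if flt.action == "Default" else flt.action
        return None                               # not covered by this profile


# Constructed signatures and filters (IDs and attributes are made up for the demo).
HTTP_SIG = Signature(1001, "Server", "High", "Unix-like", "HTTP", "Exploit", "Alert")
SMB_SIG = Signature(2002, "Server", "Medium", "Windows", "SMB", "Exploit", "Alert")
USER_SIG = Signature(3003, "Client", "Low", "All", "HTTP", "User-defined", "Block")
WEB = SignatureFilter("web_server", "Default", protocols=frozenset({"DNS", "HTTP", "FTP"}))
STRICT = SignatureFilter("strict", "Block")
PROFILE = IpsProfile(filters=[WEB, STRICT], exceptions={3003: "Allow"})

if __name__ == "__main__":
    for sig in (HTTP_SIG, SMB_SIG, USER_SIG):
        print(sig.sig_id, PROFILE.resolve_action(sig))
    # Moving "strict" above "web_server" (the Move button) changes the HTTP result.
    print(IpsProfile(filters=[STRICT, WEB]).resolve_action(HTTP_SIG))
```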
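The HTTP and DNS protocol anomaly checks from step 6 (multiple Host fields, X-Online-Host presence, X-Forwarded-For whitelist, DNS domain length against the default of 64, abnormal domain characters) can be exercised offline with the following added example. It is not Huawei code: the proxy whitelist, the "normal" label character set and the sample request are assumptions constructed for the demo.

```python
import ipaddress
import re

MAX_DNS_NAME_LEN = 64                                  # page default
XFF_WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]   # assumed trusted proxies
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")              # assumed normal label charset


def parse_headers(raw: bytes) -> list:
    """Return (name, value) pairs of an HTTP request in order, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    pairs = []
    for line in head.split("\r\n")[1:]:               # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def http_anomalies(raw: bytes) -> list:
    hdrs = parse_headers(raw)
    found = []
    if len([v for n, v in hdrs if n == "host"]) > 1:
        found.append("multiple-host-fields")
    xol = [v for n, v in hdrs if n == "x-online-host"]
    if xol:
        found.append("x-online-host-field")
    if len(xol) > 1:
        found.append("multiple-x-online-host-fields")
    xff = [v for n, v in hdrs if n == "x-forwarded-for"]
    if xff:
        found.append("x-forwarded-for-field")
        proxies = [p.strip() for v in xff for p in v.split(",")]
        try:   # every hop must be inside the whitelist
            trusted = all(any(ipaddress.ip_address(p) in net for net in XFF_WHITELIST)
                          for p in proxies)
        except ValueError:                             # not an IP address at all
            trusted = False
        if not trusted:
            found.append("x-forwarded-for-not-whitelisted")
    return found


def dns_anomalies(qname: str) -> list:
    found = []
    if len(qname) > MAX_DNS_NAME_LEN:
        found.append("domain-too-long")
    if not all(LABEL_RE.match(label) for label in qname.rstrip(".").split(".")):
        found.append("abnormal-domain-characters")
    return found


def decide(anomalies: list, actions: dict) -> str:
    """Apply the per-check action (Alert when unset); any Block wins."""
    chosen = [actions.get(a, "Alert") for a in anomalies]
    return "Block" if "Block" in chosen else ("Alert" if chosen else "Allow")


# Constructed sample request: two Host fields and one untrusted X-Forwarded-For hop.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\nHost: evil.example\r\n"
                  b"X-Forwarded-For: 10.1.2.3, 203.0.113.9\r\n\r\n")
```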

Follow-up Procedure

After configuring intrusion prevention, you can adjust the configuration as follows:

To modify the priority of a signature filter, select the signature filter in Signature Filter List, click Move, enter the destination position, and click OK.

Check or release the reference between the security policy and profile.
  1. To check which security policies reference a profile, click View under References in the profile list.

  2. To release the reference between a security policy and the profile, select the security policy and click Release.

    To release all references, click Release All, and then click OK.

In addition, you can manage intrusion prevention in the following aspects:

  • To ensure that intrusion prevention remains effective, upgrade the intrusion prevention signature database periodically.

  • Analyze logs periodically and rank and analyze the most frequently detected intrusions. If normal packets are blocked or some intrusion packets are permitted, modify the policies.

    Choose Monitor > Log > Threat Log and Monitor > Report > Threat Report to view logs and reports.

  • If intrusions that are not covered by the IPS signature database have been detected, contact Huawei technical support engineers. Alternatively, extract the features of the intrusion, create a user-defined signature (however, you are not advised to create user-defined signatures unless you understand the attack features), and set the action to block or alert based on the severity of the intrusion.

Copyright © Huawei Technologies Co., Ltd.