
Configuring Intrusion Prevention

You can configure signature filters in an intrusion prevention profile to select the signatures that share a set of attributes (target, severity, operating system, protocol, category, application) and set one action for all threats matching those signatures. You can also add an individual signature as an exception and configure a different action for that exception signature, which takes precedence over the filter action.

Context

The device has multiple default intrusion prevention profiles for different application scenarios, as shown in Table 1. The default intrusion prevention profiles can be displayed, cloned, or referenced in security policies, but cannot be modified or deleted.

You can run the display profile type ips name name command on the CLI to view the configuration information about the default profile. If you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (such as default). Otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. Then you can view that the security policy references the default profile, but the configuration information about the default profile is not displayed.

Table 1 Default intrusion prevention profiles

All default profiles share the following filter settings:
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All

The profiles differ in Protocol, Category, Action, and Application Scenario:

video_surveillance
  Protocol: DNS, HTTP, FTP, TELNET, SSH, RTSP, SSL, UDP, TCP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies when the device is deployed in video surveillance scenarios.

strict
  Protocol: All
  Category: All
  Action: Block
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is required to block all matched packets.

web_server
  Protocol: DNS, HTTP, FTP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a web server.

file_server
  Protocol: DNS, SMB, NETBIOS, NFS, SUNRPC, MSRPC, FILE, TELNET
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a file server.

dns_server
  Protocol: DNS
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DNS server.

mail_server
  Protocol: DNS, IMAP4, SMTP, POP3
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a mail server.

inside_firewall
  Protocol: All except TELNET and TFTP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed behind a firewall.

dmz
  Protocol: All except NETBIOS, NFS, SMB, TELNET and TFTP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DMZ.

outside_firewall
  Protocol: All
  Category: All except Scanner
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a firewall.

ids
  Protocol: All
  Category: All
  Action: Alert
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed off-line as an IDS.

default
  Protocol: All
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in-line as an IPS.

Procedure

  1. Create an IPS profile in the system view.

    profile type ips name name

  2. Optional: Configure a description for the IPS profile.

    description description

  3. Optional: Configure attack evidence collection.

    collect-attack-evidence enable

    • The attack evidence collection function relies on hard disks and is available only when a hard disk is installed.

    • Attack evidence collection does not apply to HTTPS traffic.
    • When the TCP proxy function is enabled on a device, the attack evidence collection function is unavailable.
    • When the antivirus full-scan mode is enabled on the device, if the antivirus profile is referenced in the security policy matching FTP traffic, FTP traffic is processed in proxy mode by default. In this case, the intrusion prevention function cannot be used to collect attack evidence for FTP traffic.
    • By default, attack evidence collection has the following restrictions:
      • A maximum of five attack evidence collection sessions are supported for a single signature ID on a single CPU.
      • When the system memory space is less than 200 MB, the device does not collect attack evidence. When the system memory space is restored to 400 MB, the device restores attack evidence collection.
      • A single CPU allows a maximum of 512 MB buffered attack evidence collection data. The maximum data volume of attack evidence that can be cached in a single session is as follows:
        • Versions earlier than V600R007C20SPC500: 100 KB. If the size of the file whose data needs to be collected exceeds 100 KB, the device does not perform attack evidence collection on the session.
        • V600R007C20SPC500 to V600R007C20SPC601 versions: 30 KB. If the size of the file whose data needs to be collected exceeds 30 KB, the device does not perform attack evidence collection on the session.
        • V600R007C20SPC602 and later versions: 10 KB. If the size of the file whose data needs to be collected exceeds 10 KB, the device does not perform attack evidence collection on the session.
    • If the action in the intrusion prevention profile is block, the device collects only the identified threat packets and previous packets. Subsequent packets of the same session are blocked and discarded, and therefore are not collected. If the action in the intrusion prevention profile is not block, the device collects all threat packets of the session for evidence collection.
    • Attack evidence collection is for troubleshooting only. Because attack evidence collection compromises system performance, you must enable it only when necessary and disable it immediately after you finish attack evidence collection.

    In an extreme case, the action in the intrusion prevention profile is not block, so the device collects the packets that match the profile, but the storage space runs out after only some of the threat packets have been collected. As a result, the device stops collecting attack evidence for that session.

    Log in to the device using an auditor account, choose Monitor > Log > Threat Log, and locate the entry whose Threat Type is Intrusion. Use the entry's icons either to view and then download the data packets or to download the packets directly. You can view and download the data packets only when you log in to the device using an auditor account.

  4. Create an IPS signature filter.

    signature-set name name

  5. Configure the IPS signature filter.

    Item

    Command

    Add the IPS signatures of a specified detection target to the IPS signature filter.

    target { both | client | server }

    Add the IPS signatures with a specified severity value to the IPS signature filter.

    severity { high | medium | low | information } *

    Add the IPS signatures of a specific operating system to the IPS signature filter.

    os { android | ios | unix-like | windows | other } *

    Add the IPS signatures of a specific protocol to the IPS signature filter.

    protocol { protocol-name &<1-10> | all }

    Add the IPS signatures of a specific category to the IPS signature filter.

    category { category-name &<1-10> | all }

    Configure the application name for the IPS signature filter.

    application { application-name &<1-10> | all }

    Configure an action for the IPS signature filter.

    action { alert | block | default }

  6. Optional: Configure exception signatures in the IPS profile view.

    exception ips-signature-id ips-signature-id [ action { alert | allow | block | { block-source-ip | block-destination-ip } [ timeout timeout ] } ]

    The device supports configuring response actions for exception signatures, including alert, allow, block, and blacklist (directly add the source or destination addresses of traffic that matches exception signatures to a blacklist). In addition, the timeout parameter can be used to configure the timeout period of the blacklist.

  7. Optional: Configure malicious domain name check.

    cnc domain-filter enable [ action { alert | block } ]

    Enable the domain name filtering function.

    The domain name-based filtering function enables the device to filter out packets using the malicious domain name signature database. Upon receiving a packet matching a malicious domain name, the device implements the specified action and logs the threats for auditing and troubleshooting.

    In the system view, add exception domain names.

    cnc domain-filter exception domain-name domain-name

    If you check logs and find that some detected malicious domain names are false positives, you can configure these domain names as exceptions.

  8. Optional: Configure correlation detection.

    assoc-check enable

    By default, the function is enabled.

  9. Optional: Configure protocol anomaly detection in the IPS profile view.

    Item

    Command

    Detecting whether HTTP traffic carries SSH traffic (SSH over HTTP)

    http ssh-over-http check action { alert | block }

    Detecting whether an HTTP packet contains multiple Host fields

    http multi-host check action { alert | block }

    Detecting the X-Online-Host field in an HTTP packet

    http x-online-host check { any | blacklist | multiple } action { alert | block }

    http x-online-host blacklist blacklist

    Detecting the X-Forwarded-For field in an HTTP packet

    http x-forwarded-for check { any | whitelist } action { alert | block }

    http x-forwarded-for whitelist ipv4 ip-address

    Detecting whether the protocol format of a DNS packet is abnormal

    dns malformed-packet check action { alert | block }

    Detecting the query of a DNS packet

    dns request-type check { start-type [ to end-type ] action | default-action } { alert | allow | block }

    Detecting whether a DNS domain name contains unexpected characters

    dns domain check action { alert | block }

    Detecting the length of a DNS domain name

    dns domain length check [ max-length max-length ] action { alert | block }

    Detecting the number of DNS session request times

    dns session request-times check [ max-time max-time ] action { alert | block }

  10. Reference the intrusion prevention profile in the security policy.

    For details on how to configure the security policy, see Configuring a Security Policy Using the CLI.

  11. Optional: Configure an IPS global evidence collection rule in the system view.

    ips collect-attack-evidence rule text

    After the IPS global evidence collection rule is configured, the IPS global evidence collection function takes effect. When malicious traffic matches the signature, the device extracts the configured evidence collection fields from the malicious traffic. The evidence collection fields are carried in IPS logs and sent to the log server or displayed in View Threat Log Details of threat logs on the web UI.

    The relationship between IPS global evidence collection and evidence collection based on IPS user-defined signatures is as follows:

    • The two evidence collection functions both collect evidence from malicious traffic that matches the signature.
    • The IPS global evidence collection is configured globally, and evidence collection based on IPS user-defined signatures is customized for a single signature.
    • When the two evidence collection functions are both configured, the fields configured in the user-defined IPS signature are extracted first, and then other fields configured in the IPS global evidence collection rule are extracted. The extracted fields are carried in the extended information of IPS logs. Therefore, you must first run the ips log extend enable command to enable the extended information output function of IPS logs. If this function is disabled, you cannot collect evidence using the two evidence collection functions. The extracted fields based on IPS user-defined signatures will not be extracted repeatedly during the IPS global evidence collection.
    • If a malicious flow contains multiple messages, the two evidence collection functions both collect only the fields in the messages that match the signature. If multiple identical fields to be extracted exist in a message that matches the signature, the two evidence collection functions both extract only the value of the field that appears for the first time in the message.

  12. Optional: Configure IPS threat intelligence linkage in the system view.
    1. Enable IPS threat intelligence linkage.

      threat-intelligence type ip enable

      By default, IPS threat intelligence linkage is disabled.

      After IPS threat intelligence linkage is enabled, if the IPS module detects a threat event and determines that the final processing action is alert, the threat intelligence query module extracts the source IP address of the threat event and sends it to the threat intelligence query server to query intelligence about that event. After obtaining the intelligence, the device checks whether both the risk level and the confidence reported in the intelligence reach the configured linkage thresholds. If both reach the threshold, the device changes the processing action of the threat event from alert to block, which improves the blocking rate of the IPS service against high-risk threats.

    2. Configure the risk level threshold for triggering IPS threat intelligence linkage.

      threat-intelligence ip-risk-threshold ip-risk-threshold

      By default, the risk level threshold for triggering IPS threat intelligence linkage is 60.

      A larger value indicates a higher risk level.

    3. Configure the confidence threshold for triggering IPS threat intelligence linkage.

      threat-intelligence ip-confidence-threshold ip-confidence-threshold

      By default, the confidence threshold for triggering IPS threat intelligence linkage is 80.

      A larger value indicates more reliable threat intelligence.

    4. Configure the aging time of cached IPS threat intelligence.

      threat-intelligence aging-time aging-time

      By default, the aging time of cached IPS threat intelligence is 2 hours.

  13. Commit the configuration in the system view.

    engine configuration commit

    The created or modified intrusion prevention profile does not take effect immediately. You need to commit the configuration to activate the configuration. To save time, commit the configuration after you complete all operations on the intrusion prevention profile.
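    The following is an added example that strings the commands from steps 1 to 13 together into one complete profile for a web tier that sits behind a load balancer; it is not a configuration from the product documentation. All names (ips_web_tier, web_server_block, everything_else_alert, allow_to_web), the signature IDs 100001 and 100002, the domain update.example.com, and the address 10.0.0.5 are constructed placeholders. The `system-view`, `quit`, `security-policy`, `rule name`, and `profile ips` commands are not in the procedure above; they are assumed from the device's general CLI and security-policy syntax, so check them against the security policy topic before use. Lines starting with # are explanatory comments, not commands.

```cli
# Enter the system view (assumed command, not part of the procedure above).
system-view

# Step 1-2: create the profile and describe it.
profile type ips name ips_web_tier
 description "IPS profile for the public web tier behind the load balancer"

 # Step 4-5, filter 1: server-side signatures for the protocols a web server
 # actually speaks, high and medium severity, blocked.
 signature-set name web_server_block
  target server
  severity high medium
  os unix-like windows
  protocol HTTP DNS FTP
  category all
  application all
  action block
  quit

 # Step 4-5, filter 2: everything the first filter did not catch is alerted
 # rather than blocked, so low-severity and informational hits stay visible
 # in the threat log without risking false-positive outages.
 signature-set name everything_else_alert
  target both
  severity low information
  os android ios unix-like windows other
  protocol all
  category all
  application all
  action alert
  quit

 # Step 6: exception signatures override the filter action.
 # 100001 is a constructed ID for a signature that produced confirmed false
 # positives on this application; 100002 is a constructed ID for a signature
 # whose matches should also put the source address on the blacklist.
 exception ips-signature-id 100001 action allow
 exception ips-signature-id 100002 action block-source-ip

 # Step 7: malicious domain name check, blocking on match.
 cnc domain-filter enable action block

 # Step 8: correlation detection is on by default; stated explicitly here.
 assoc-check enable

 # Step 9: protocol anomaly checks relevant to a web tier. The X-Forwarded-For
 # whitelist holds the load balancer address (constructed), so any other
 # source that inserts the header is treated as an anomaly.
 http ssh-over-http check action block
 http multi-host check action block
 http x-forwarded-for whitelist ipv4 10.0.0.5
 http x-forwarded-for check whitelist action alert
 dns malformed-packet check action block
 quit

# Step 7 continued, in the system view: a domain the logs showed to be a false
# positive (constructed example name).
cnc domain-filter exception domain-name update.example.com

# Step 12: threat intelligence linkage, with thresholds raised above the
# defaults (60 and 80) so only high-confidence, high-risk sources are
# escalated from alert to block.
threat-intelligence type ip enable
threat-intelligence ip-risk-threshold 70
threat-intelligence ip-confidence-threshold 85

# Step 10: reference the profile in a security policy rule
# (rule and profile-reference syntax assumed; see the security policy topic).
security-policy
 rule name allow_to_web
  profile ips ips_web_tier
  quit
 quit

# Step 13: nothing above takes effect until the engine configuration is committed.
engine configuration commit
```

    Committing once at the end, as the procedure recommends, also means the whole profile becomes active as a unit; after the commit, run display profile type ips name ips_web_tier to confirm that both filters and both exception entries are present before relying on the policy.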

Follow-up Procedure

After configuring the IPS profile, adjust it as follows:

  • In the IPS signature filter view, run the rename new-name command to rename the IPS signature filter.
  • In the IPS profile view, run the rename new-name command to rename the profile.
  • In the system view, run the profile type ips copy old-name [ new-name ] command to create a profile by copying an existing one.
Copyright © Huawei Technologies Co., Ltd.