
Question about IPS Policies and their redundancy

Hi guys, so ... I'm new to the whole XG thing, got it at home for testing so I can do pretty much anything I want on it ...

Question.

To protect clients from common attacks via IPS signature protection, I checked out the rules ...

I proceeded to create a new IPS Policy, cloning it from the default LAN TO WAN policy.

Question is this ... By going through the guide, Sophos states that it's better to create tailored policies and not use all signatures, to avoid delay in packet processing time. All fair.

Then the rule I see in their default is like this: https://i.imgur.com/slBPeZu.png

Last 3 subsets are defined as follows:

Category = All Categories
Severity = All Severity
Platform = Windows
Target = Client

Then

Category = All Categories
Severity = All Severity
Platform = Linux
Target = Client

And finally last one

Category = All Categories
Severity = All Severity
Platform = All Platform
Target = Client

Question is ... Isn't this last rule basically 'catching all' and re-checking signatures that have possibly already been checked? It's not filtered down by OS as the previous two rules are, so ... ? Having this last one, should it be considered as encompassing the two previous ones, or am I missing something?

Thanks in advance guys

  • I did something similar to you and changed the severity to critical. I run all my systems patched and I'm not running any servers, so that brings the signature list down quite a bit. Also, if you notice, there are many rules where the default action is allow. I don't want IPS chatter if the packet is not blocked.

    Anyway, back to your question, I think the rules are repeated so that if you make a custom template and, for example, only use the Linux platform as your template, when an IPS update is released, the rules related to Linux will be added to the Linux platform and to all platforms. Similarly with Windows, etc. This is just my guess, because otherwise creating a custom template would severely hamper the update process if you didn't choose the right template or changed your template after an update.

    Some guidance from Sophos would be nice on how the IPS updates work when custom templates are created.

  • What do you mean?

    I'm talking about the default IPS policies here, and the question is whether those 3 sub-rules are redundant or not, which isn't really clear ...

    Full path to see for yourself:

    Protect - Intrusion Prevention - IPS Policies - LAN to WAN

    Here, the last 3 ... The last one in my opinion encompasses the previous ones (most of them anyway), and I don't understand, if that is so, whether there's a reason or it's just an error on Sophos's part.

  • Sorry for the convoluted answer. Yes, some of those sub-rules are redundant.

    EDIT: Some rules are subsets of others for updating purposes, I suppose. IPS doesn't care if you say load rule A 10 times. It will only load it once in the backend. Hope it makes sense.

  • Don't say sorry, my problem for not understanding.

    Got it and got the rationale behind it, I guess you're right!

    Thanks a lot for your input
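The behaviour discussed in the thread (a signature matched by several subset rules, or by the same rule listed several times, ends up loaded once, so the "All Platform / Client" subset covers the Windows and Linux client subsets) modelled as set semantics. This is an added example, not code from the thread or from Sophos; the signature attributes, the catalogue and the IDs are constructed, and the three rules are the ones quoted in the question.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int
    category: str
    severity: str
    platform: str
    target: str

ANY = "All"  # stands in for "All Categories", "All Severity", "All Platform"
# Constructed sample catalogue; IDs and attributes are made up, not Sophos's.
CATALOGUE = [
    Signature(1001, "Web Browsers", "Critical", "Windows", "Client"),
    Signature(1002, "Web Browsers", "Major", "Linux", "Client"),
    Signature(1003, "Malware", "Critical", "Mac", "Client"),
    Signature(1004, "Web Servers", "Critical", "Linux", "Server"),
    Signature(1005, "Malware", "Minor", "Windows", "Server"),
]

# The last three subsets of the LAN TO WAN policy quoted in the question.
LAN_TO_WAN_TAIL = [
    {"platform": "Windows", "target": "Client"},
    {"platform": "Linux", "target": "Client"},
    {"platform": ANY, "target": "Client"},
]

def rule_matches(rule, sig):
    """A subset rule is a conjunction of attribute filters; ANY is a wildcard."""
    return all(rule.get(k, ANY) in (ANY, getattr(sig, k))
               for k in ("category", "severity", "platform", "target"))

def resolve(policy, catalogue=CATALOGUE):
    """Signature IDs selected by a policy: the union over its subset rules.
    A signature matched by several rules (or by one rule listed several
    times) is present once, which is the 'loaded once' behaviour."""
    return {sig.sid for sig in catalogue
            if any(rule_matches(rule, sig) for rule in policy)}

def redundant_rules(policy, catalogue=CATALOGUE):
    """Indices of rules whose removal leaves the resolved set unchanged."""
    full = resolve(policy, catalogue)
    return [i for i in range(len(policy))
            if resolve(policy[:i] + policy[i + 1:], catalogue) == full]

if __name__ == "__main__":
    print(sorted(resolve(LAN_TO_WAN_TAIL)))  # [1001, 1002, 1003]
    print(redundant_rules(LAN_TO_WAN_TAIL))  # [0, 1]: Windows and Linux subsets
    print(resolve(LAN_TO_WAN_TAIL * 10) == resolve(LAN_TO_WAN_TAIL))  # True
```

Dropping the "All Platform" rule instead would lose the Mac client signature, which is why that rule is the one that is not redundant here.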