Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 7621 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Policy setup

Jason Ebersole

Hello,

This question pertains to IPS policy configuration on XG v16. My understanding is, the more signatures called out in the policy, the more RAM it consumes. Therefore, when building policies, as in this example, a policy for Windows IIS web servers, I only pull in the following:

Category = Microsoft IIS web server

Severity = Critical, Major

Platform = Windows

Target = Server

Action  = DROP

Only 4 signatures are in this policy

My questions is, will other signatures that are not getting DROPPED, still show up in the dashboard reporting and get syslogged, or do they NEED to be in the policy to even get DETECTED?

Thanks, Jason



This thread was automatically locked due to age.
Parents
  • 0

    Only signatures that you are using will get dropped and nothing else will get logged. I generally like sorting my signatures like you and try to list critical/major signatures for the platform I am protecting but apply that to clients LAN to WAN access. For IIS, I would probably look at the signatures that are critical/major and also add protection against operating system and malware signatures etc to further protect your assets. Also 4 signatures (really sophos???) doesn't seem much of an IPS[:|]

    Edit: Once they fix the country blocking in v17 MR2 hopefully, use it for your web server business rule. I find country blocking helpful by blocking all the other countries that we don't do business with. If nothing else, it helps a great deal with sorting through logs and keeps average script kiddies away.

Reply
  • 0

    Only signatures that you are using will get dropped and nothing else will get logged. I generally like sorting my signatures like you and try to list critical/major signatures for the platform I am protecting but apply that to clients LAN to WAN access. For IIS, I would probably look at the signatures that are critical/major and also add protection against operating system and malware signatures etc to further protect your assets. Also 4 signatures (really sophos???) doesn't seem much of an IPS[:|]

    Edit: Once they fix the country blocking in v17 MR2 hopefully, use it for your web server business rule. I find country blocking helpful by blocking all the other countries that we don't do business with. If nothing else, it helps a great deal with sorting through logs and keeps average script kiddies away.

Children