
Difference between "Action" (IPS policy rules) & "Recommended Action" (IPS signatures)

There is an action field found in both the IPS policy rules and the signatures that make up those rules.  Both fields have similar options (a few more on the Rules side) which, per the Web manual, appear to have identical functions.

What is the difference here?

For example, let's say I have a rule set to Drop the Session but all of the signatures in that rule are set to Allow the Packets - what would happen?

Does one take precedence over the other?  If not, who wins?



  • Ahhh - I see this now...

    So the Recommended Action is just one of many options that can be selected to define how the rule handles matching traffic.  So for example, if I choose "Recommended", then matching packets will be dealt with pursuant to whatever the Recommended Action column says for the matching signature.  Conversely, if I choose another action - such as Drop - the matching traffic will be dropped regardless of what is in the Recommended Action column.

    I misunderstood Recommended Action to be a setting that is configurable by the user when the signatures are added to a given rule - this of course was incorrect.  I know it can be configured for Custom IPS Signatures but not the ones hard-coded into the system. 

    It also makes sense now as to what FloSupport meant when they mentioned the more global aspect of selecting anything other than Recommended Action which tends to be more granular because it handles traffic on a per signature basis.

    As an aside, it might be nice to actually be able to modify the Recommend Action for a given hard-coded signature.

    Thanks everyone for your feedback - much appreciated.


    PS: This XG really is a very capable device - liking it more and more as time goes on.

  • Action
    Select an action to be taken from the available options:
    Available Options:
      Recommended: This action means that you want the OS to handle this alert level according to best-fit recommendations.
      Allow Packet: Allows the packet to its intended destination.
      Drop Packet: Drops packets if it detects any traffic that matches the signature.
      Disable: Disables the signature if it detects any traffic that matches the signature.
      Drop Session: Drops the entire session if it detects any traffic that matches the signature.
      Reset: Resets the entire session if it detects any traffic that matches the signature.
      Bypass Session: Allows the entire session if it detects any traffic that matches the signature.
  • Hey  

    You would create an IPS policy with a rule configured at the bottom that covers all of the signatures and set with the "recommended" action. You would then configure additional rules on top with the signatures selected that you would like to explicitly allow/deny/drop. A top-down approach would be taken in determining what action to perform on the traffic.

    See my screenshot below:


    I hope this clarifies your inquiry.

    Regards,

    FloSupport | Community Support Engineer

  • What is the benefit of using this strategy? It seems like it would be better to just customize an IPS Policy to only look for and block the desired signatures so the IPS engine is dealing with fewer signatures overall.

  • Hey  

    I would agree with you in regards to your suggestion being the better approach.

    However, some administrators may decide that they don't have the time to perform this task, therefore I wanted to suggest at least having something in place.

    Regards,

  • Ah, makes sense. Just wanted to make sure I wasn’t setting up my IPS rules incorrectly or misunderstood how the rules/signatures work. ;)

    I’ve noticed my bandwidth performance doesn’t really change anyways with less IPS signatures (I’m assuming it’s because the Sophos IPS runs in inline mode).
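The precedence question raised at the top of the thread, and the rule layout FloSupport describes (explicit rules on top, a catch-all "Recommended" rule at the bottom, evaluated top-down), as an added model that is not code from the thread or from Sophos. The signature ids, names and rule names are constructed placeholders; the model only encodes what the posts state, namely that the first matching rule decides and that "Recommended" defers to the signature's own Recommended Action column.

```python
from dataclasses import dataclass, field

RECOMMENDED = "Recommended"


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    recommended_action: str  # the read-only "Recommended Action" column of the signature


@dataclass
class Rule:
    name: str
    action: str  # one of the rule "Action" options, including "Recommended"
    signature_ids: frozenset = field(default_factory=frozenset)  # empty = covers all signatures


def effective_action(rules, signatures, matched_sid):
    """Walk the policy top-down; the first rule covering the matched signature decides.

    A rule action of "Recommended" defers to the signature's Recommended Action;
    any explicit rule action (Drop Session, Allow Packet, ...) overrides that column.
    Returns (rule name, action), or (None, None) if no rule covers the signature
    (the model makes no claim about product behaviour in that case).
    """
    sig = signatures[matched_sid]
    for rule in rules:
        if rule.signature_ids and matched_sid not in rule.signature_ids:
            continue
        if rule.action == RECOMMENDED:
            return rule.name, sig.recommended_action
        return rule.name, rule.action
    return None, None


# Constructed sample signatures (not real Sophos signature ids or names).
SIGNATURES = {
    1001: Signature(1001, "CONSTRUCTED-SCANNER-A", "Drop Packet"),
    1002: Signature(1002, "CONSTRUCTED-PROTO-B", "Allow Packet"),
    1003: Signature(1003, "CONSTRUCTED-EXPLOIT-C", "Drop Session"),
}

# Policy laid out as in the thread: explicit rules first, catch-all "Recommended" last.
POLICY = [
    Rule("explicit-drop-session", "Drop Session", frozenset({1002})),
    Rule("explicit-allow", "Allow Packet", frozenset({1001})),
    Rule("catch-all", RECOMMENDED),
]

if __name__ == "__main__":
    for sid in SIGNATURES:
        print(sid, effective_action(POLICY, SIGNATURES, sid))
```

Signature 1002 is the case asked about in the opening post: the rule says Drop Session while the signature's column says Allow Packet, and the rule wins; 1003 falls through to the catch-all and gets its own Recommended Action.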