IPS protocol parsing question \ feature request

Hi,

We are new to astaro.
My company is currently evaluating the product and we consider being a reseller of astaro to local customers.
There is one key feature that we are missing (didn't test the latest beta yet).

In the IPS feature - is it possible to parse textual protocols (like telnet) and to create a specific rule that will search for a string in the data stream (like username in the telnet session) ?

For that rule we want to be able to save the session in a text log file.

I guess either astaro R&D or product manager should answer this.

Thanks in advance.
aners

Parents

0 Stephan_Scholz over 21 years ago

Hi aners,

yes, you can create such a rule. Basically any rule can be added to the ruleset by using the "Local rules" feature. You can also get an automatic alert on the rule.
For performance reasons, the packet that caused the alert is not stored on ASL though.

Regards,
Stephan
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 aners over 21 years ago in reply to Stephan_Scholz

Thanks stephan,

I really need your help here.
How do you use the local rule feature ?
Can i download some documentation on the IPS feature ?
thanks
aner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Stephan_Scholz over 21 years ago in reply to aners

To add a new rule, go to "Intrusion Prevention->Rules" and select "New rule".
Enter the following fields there:

Description: any description that helps you recognize the rule afterwards
Selector: the IP address and port properties of the rule in Snort syntax (protocol, source IP, source port, "->", destination IP, destination port)
Filter: the actual content recognition in Snort syntax

Example:
Description: Telnet test rule
Selector: tcp any any -> any 23
Filter: content:"Username";

After clicking on "Add local rule", the new rule can be found in the "local" group and used in the same way as any other rule.

For more information on Snort syntax, take a look at http://www.snort.org
More information on the ASL IPS can be found in the on-line help.

Stephan
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 aners over 21 years ago in reply to Stephan_Scholz

Thanks stephan !

I managed to add the rule.
2 more questions (if you have time to answer) :
1. how do i see /modify the local rules i just added ?
2. Where can i view the alerts?

aner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 aners over 21 years ago in reply to Stephan_Scholz

Thanks stephan !

I managed to add the rule.
2 more questions (if you have time to answer) :
1. how do i see /modify the local rules i just added ?
2. Where can i view the alerts?

aner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Stephan_Scholz over 21 years ago in reply to aners

Hi aners,

you can find the newly added rule in the "local" group. Currently it is not possible to re-edit it though.
Alerting is enabled in the "Notification Levels" section. Depending on whether you made your rule a drop or alert rule, you need to enable notifications for "Detected" or "Dropped". Make sure that your e-mail notification address is entered in "System->Settings->Administrator contact".

Stephan
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel