Kaspersky Anti Targeted Attack Platform

Managing IDS exclusions

Users with the Senior security officer role can add Kaspersky IDS rules that have resulted in medium or high importance alerts to scan exclusions. Kaspersky Anti Targeted Attack Platform does not create alerts for excluded IDS rules.

You can add to exclusions only IDS rules defined by Kaspersky. If you do not want to apply a user-defined IDS rule when scanning, you can disable this rule or delete it.

Users with the Security auditor role can view the list of IDS rules added to exclusions, and view the properties of a selected rule.

Users with the Security officer role cannot view the list of IDS rules added to exclusions.

In this section

Viewing the table of IDS rules added to exclusions

Adding an IDS rule to exclusions

Editing the description of an IDS rule added to exclusions

Removing an IDS rule from exclusions


Viewing the table of IDS rules added to exclusions

To view the table of IDS rules added to exclusions:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the IDS exclusions tab.

The table of excluded IDS rules is displayed. You can filter the rules by clicking links in column headers.

The table contains the following information:

  • Time created—Date and time when the IDS rule was added to exclusions.
  • Rule name—Name of the IDS rule.
  • Rule ID—ID of the IDS rule, that is, its sid (signature ID) in Suricata rule format.
  • Description—Description of the IDS rule.
  • Created by—Name of the user whose account was used to add the IDS rule to exclusions.
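The following stand-alone model illustrates what this table and the procedures in this section describe: the Rule ID is the Suricata sid pulled from the rule text, only Kaspersky-defined rules behind Medium or High importance alerts can be excluded, excluded rules produce no alerts, and only the Senior security officer role may add, edit or remove entries while the Security auditor may only view them. It is an added example, not code from Kaspersky Anti Targeted Attack Platform; the event and alert dict shapes, the sample rules and sids, and the use of role names as plain strings are assumptions made for the illustration.

```python
"""Stand-alone model of the IDS exclusions table described in this section.
This is an added example, not code from Kaspersky Anti Targeted Attack
Platform; the event/alert dict shapes and the use of role names as plain
strings are assumptions made for the illustration."""
import re
from datetime import datetime, timezone

# Roles as named on the page: the Senior security officer manages exclusions,
# the Security auditor may only view them, the Security officer has no access.
ROLES_MANAGE = {"Senior security officer"}
ROLES_VIEW = {"Senior security officer", "Security auditor"}
EXCLUDABLE_IMPORTANCE = {"Medium", "High"}

# Rule ID is the Suricata sid; the rule name comes from the msg option.
_OPT_RE = re.compile(r'\b(?P<key>msg|sid)\s*:\s*(?P<val>"[^"]*"|[^;]+);')


def parse_suricata_rule(rule_text):
    """Return (sid, rule_name) from one Suricata rule line."""
    start, end = rule_text.find("("), rule_text.rfind(")")
    if start == -1 or end < start:
        raise ValueError("not a Suricata rule: option block missing")
    opts = {m.group("key"): m.group("val").strip().strip('"')
            for m in _OPT_RE.finditer(rule_text[start + 1:end])}
    if "sid" not in opts:
        raise ValueError("Suricata rule has no sid option")
    return int(opts["sid"]), opts.get("msg", "")


class IdsExclusions:
    """One row per excluded sid, with the columns of the IDS exclusions table."""

    def __init__(self):
        self._rows = {}

    def _require(self, role, allowed):
        if role not in allowed:
            raise PermissionError(f"role {role!r} may not perform this action")

    def add(self, user, role, alert, description):
        """Exclude the Kaspersky rule behind a Medium/High importance alert."""
        self._require(role, ROLES_MANAGE)
        if alert["importance"] not in EXCLUDABLE_IMPORTANCE:
            raise ValueError("only Medium or High importance alerts qualify")
        if not alert["kaspersky_defined"]:
            raise ValueError("user-defined rules are disabled or deleted, not excluded")
        self._rows[alert["sid"]] = {
            "Time created": datetime.now(timezone.utc),
            "Rule name": alert["rule_name"],
            "Rule ID": alert["sid"],
            "Description": description,
            "Created by": user,
        }
        return alert["sid"]

    def edit_description(self, role, sid, description):
        self._require(role, ROLES_MANAGE)
        self._rows[sid]["Description"] = description

    def remove(self, role, sids=None):
        """Remove the given sids, or every excluded rule when sids is None."""
        self._require(role, ROLES_MANAGE)
        for sid in list(self._rows) if sids is None else sids:
            self._rows.pop(sid, None)

    def table(self, role):
        self._require(role, ROLES_VIEW)
        return [dict(row) for row in self._rows.values()]

    def is_excluded(self, sid):
        return sid in self._rows


def create_alerts(events, exclusions):
    """Platform behaviour: an event matching an excluded rule yields no alert."""
    alerts = []
    for ev in events:
        sid, name = parse_suricata_rule(ev["rule"])
        if exclusions.is_excluded(sid):
            continue
        alerts.append({"sid": sid, "rule_name": name,
                       "importance": ev["importance"],
                       "kaspersky_defined": ev["kaspersky_defined"]})
    return alerts


# Constructed sample events (not real Kaspersky rules or sids).
SAMPLE_EVENTS = [
    {"rule": 'alert tcp any any -> any 445 (msg:"SAMPLE SMB probe"; sid:9000001; rev:1;)',
     "importance": "High", "kaspersky_defined": True},
    {"rule": 'alert dns any any -> any 53 (msg:"SAMPLE DNS lookup"; sid:9000002; rev:2;)',
     "importance": "Medium", "kaspersky_defined": True},
    {"rule": 'alert http any any -> any 80 (msg:"LOCAL custom check"; sid:1000001; rev:1;)',
     "importance": "High", "kaspersky_defined": False},
]

if __name__ == "__main__":
    excl = IdsExclusions()
    before = create_alerts(SAMPLE_EVENTS, excl)
    excl.add("analyst1", "Senior security officer", before[0], "Known scanner host")
    after = create_alerts(SAMPLE_EVENTS, excl)
    print(len(before), "alerts before exclusion,", len(after), "after")
```

The model keeps the role check in one place (`_require`) so that the view/manage split stays consistent across add, edit, remove and view, and it refuses user-defined rules at the point of exclusion, mirroring the page's rule that such rules are disabled or deleted rather than excluded.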

See also

Adding an IDS rule to exclusions

Editing the description of an IDS rule added to exclusions

Removing an IDS rule from exclusions


Adding an IDS rule to exclusions

You can exclude Kaspersky IDS rules with medium or high importance alerts from event scanning.

You can add to exclusions only IDS rules defined by Kaspersky. If you do not want to apply a user-defined IDS rule for event scanning, you can disable that rule or delete it.

To add an IDS rule to exclusions:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contains.
  4. In the drop-down list on the right, select the (IDS) Intrusion Detection System technology.
  5. Click Apply.
  6. Click the Importance icon to expand the filter settings list.
  7. Select one or both alert importance levels:
    • Medium—Alert has a medium level of importance.
    • High—Alert has a high level of importance.

    The table displays alerts of medium and/or high importance levels generated by the Intrusion Detection System technology based on IDS rules defined by Kaspersky.

  8. Select an alert for which the Detected column displays the name of the relevant IDS rule.

    This opens a window containing information about the alert.

  9. In the right part of the window, in the Recommendations section, Qualifying subsection, click Add to exclusions.

    This opens the Add IDS rule to exclusions window.

  10. In the Description field, enter a description for the IDS rule.
  11. Click Add.

The IDS rule is added to exclusions and is displayed in the exclusion list on the IDS exclusions tab of the Settings section, Exclusions subsection in the program web interface. This rule is no longer used for creating alerts.

Users with the Security auditor role cannot modify entries in the list of allowed objects.

Users with the Security officer role do not have access to the list of IDS rules added to exclusions.

See also

Viewing the table of IDS rules added to exclusions

Editing the description of an IDS rule added to exclusions

Removing an IDS rule from exclusions


Editing the description of an IDS rule added to exclusions

To edit the description of an excluded IDS rule, in the Alerts section:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contains.
  4. In the drop-down list on the right, select the (IDS) Intrusion Detection System technology.
  5. Click Apply.
  6. Click the Importance icon to expand the filter settings list.
  7. Select one or both alert importance levels:
    • Medium—Alert has a medium level of importance.
    • High—Alert has a high level of importance.

    The table displays alerts of medium and/or high importance levels generated by the Intrusion Detection System technology based on IDS rules defined by Kaspersky.

  8. Select an alert for which the Detected column displays the name of the relevant IDS rule.

    This opens a window containing information about the alert.

  9. In the right part of the window, in the Recommendations section, Qualifying subsection, click Edit IDS exclusion.

    This opens the Edit IDS exclusion window.

  10. In the Description field, edit the description of the rule.
  11. Click Save.

The description of the excluded IDS rule is changed. This rule is no longer used for creating alerts.

Users with the Security auditor role cannot edit IDS rule descriptions.

Users with the Security officer role do not have access to the list of IDS rules added to exclusions.

See also

Viewing the table of IDS rules added to exclusions

Adding an IDS rule to exclusions

Removing an IDS rule from exclusions


Removing an IDS rule from exclusions

You can remove from exclusions a single IDS rule, multiple rules, or all rules at the same time.

To remove an IDS rule from exclusions:

  1. In the program web interface window, select the Settings section, Exclusions subsection, and go to the IDS exclusions tab.

    The list of excluded IDS rules is displayed.

  2. Select the rule that you want to remove from exclusions.

    This opens a window containing information about the rule.

  3. Click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The rule is removed from exclusions. The rule is no longer used for creating alerts.

To remove all or multiple IDS rules from exclusions:

  1. In the program web interface window, select the Settings section, Exclusions subsection, and go to the IDS exclusions tab.

    The list of excluded IDS rules is displayed.

  2. Select check boxes next to rules that you want to remove from exclusions.

    You can select all rules by selecting the check box in the row containing the headers of columns.

  3. In the pane that appears in the lower part of the window, click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The selected rules are removed from exclusions. The rules are no longer used for creating alerts.

Users with the Security auditor role cannot remove IDS rules from exclusions.

Users with the Security officer role do not have access to the IDS exclusion list.

See also

Viewing the table of IDS rules added to exclusions

Adding an IDS rule to exclusions

Editing the description of an IDS rule added to exclusions
