Kaspersky Anti Targeted Attack Platform

Managing user-defined IDS rules

In distributed solution and multitenancy mode, custom IDS rules can have one of the following types:

  • Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.

Users with the Senior security officer role can import, configure, replace, and delete user-defined IDS rules, as well as add Kaspersky-defined IDS rules to exclusions from scanning. Users with the Senior security officer or Security auditor role can use IDS rules to search the alert database for signs of targeted attacks and for infected and possibly infected objects, and can view IDS rule information.

Users with the Security officer role cannot gain access to user-defined IDS rules.

In this section

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule

[Topic 196821]

Importing a user-defined IDS rule

You can import a Snort or Suricata rule file and use it to scan events and create Intrusion Detection System alerts.

It is highly recommended that you test custom IDS rules in a test environment before you import them. Custom IDS rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.

For example, loading user-defined rules can cause the following problems:

  • The program may create too many IDS alerts.
  • If the program cannot record all IDS alerts in time, some network traffic objects may remain unscanned.
  • Regular expressions in user-defined rules may impact performance or cause faulty operation of the program.
  • Even syntactically correct user-defined rules may impact performance or cause faulty operation of the program.

IDs and attributes of custom rules may be modified when they are uploaded. Reject and Drop actions are changed to Alert. Rules with the Pass action are deleted.

To import a custom IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Click Import.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.

The user-defined IDS rule is imported into the program.

[Topic 197080]

Viewing the information of a user-defined IDS rule

To view the information of a user-defined IDS rule,

In the window of the program web interface, select the Custom rules section, IDS subsection.

The web interface displays the following information about the IDS rule:

  • State—Usage status of the rule in event scans.
  • File size—Size of the rule file.
  • Last update—Time when the rule was imported.
  • Created by—Name of the user whose account was used to import the rule.
  • Importance—Importance level that is assigned to an alert generated using this IDS rule.

[Topic 197085]

Enabling and disabling the use of an IDS rule when scanning events

To enable or disable an IDS rule when scanning events:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Move the State switch to one of the following positions:
    • Enabled
    • Disabled

The use of the IDS rule when scanning events is enabled or disabled.

Users with the Security auditor role cannot enable or disable IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

[Topic 197087]

Configuring the importance of alerts generated by the user-defined IDS rule

To configure the importance level that is assigned to alerts generated using the IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. In the Importance drop-down list, select the importance level to be assigned to alerts generated using this IDS rule:
    • Low.
    • Medium.
    • High.
  3. If necessary, use the State switch to enable this IDS rule.

The importance of alerts generated using this IDS rule is configured.

Users with the Security auditor role cannot configure IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

[Topic 197086]

Replacing a user-defined IDS rule

You can replace a previously imported Snort or Suricata rule file and use the new file to scan events and create Intrusion Detection System alerts.

It is highly recommended that you test custom IDS rules in a test environment before you import them. Custom IDS rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.

IDs and attributes of custom rules may be modified when they are uploaded. Reject and Drop actions are changed to Alert. Rules with the Pass action are deleted.
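The following Python script is an added example and is not part of Kaspersky Anti Targeted Attack Platform or its documentation. It performs the checks a practitioner would run on a Snort or Suricata rule file before importing or replacing it (this topic and Importing a user-defined IDS rule describe the same constraints): it reports which rules the upload will rewrite (Reject and Drop to Alert) or delete (Pass), flags rule shapes that commonly cause the performance problems listed for imports (a pcre keyword with no content match, an any-to-any header with no payload match at all), and detects missing or duplicate sid values. The rule grammar it accepts is simplified (one rule per line, options in key:value; form, no address lists containing spaces), the rewrite logic mimics only what the documentation states, and the sample rules are constructed for this example.

```python
"""Pre-import check for a Snort/Suricata rule file.

Added example, not part of Kaspersky Anti Targeted Attack Platform. It mimics
only the upload behaviour stated in the documentation (Reject/Drop -> Alert,
Pass rules deleted) and flags rule shapes known to be expensive in
Snort/Suricata. Simplified grammar: one rule per line, options written as
"key:value;" or "key;", no address lists containing spaces.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample rule file for this example (not from the documentation).
SAMPLE_RULES = r"""
# comment lines and blank lines are ignored
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Reverse shell port"; flow:to_server,established; content:"|00 01|"; sid:9000001; rev:1;)
drop tcp any any -> any 445 (msg:"SMB to any host"; flow:to_server; content:"|FF|SMB"; offset:4; depth:4; sid:9000002; rev:2;)
reject http $HOME_NET any -> any any (msg:"Suspicious User-Agent"; http.user_agent; content:"evil"; sid:9000003; rev:1;)
pass ip 10.0.0.5 any -> any any (msg:"Vulnerability scanner, do not inspect"; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"Regex with no content anchor"; pcre:"/[a-z]+\.(exe|dll)$/i"; sid:9000005; rev:1;)
alert ip any any -> any any (msg:"Matches everything, duplicate sid"; sid:9000001; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
# option keyword, optional value (double-quoted with escapes, or bare up to ';')
OPT_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass(frozen=True)
class Finding:
    line: int
    sid: str | None
    kind: str      # "syntax", "dropped", "rewritten" or "performance"
    message: str


def parse_rule(line: str) -> dict | None:
    """Split one rule into its header fields plus an ordered option list."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rule = m.groupdict()
    rule["options"] = [(k, v.strip('"')) for k, v in OPT_RE.findall(m.group("opts"))]
    return rule


def check_rules(text: str) -> tuple[list[str], list[Finding]]:
    """Return (rules as the upload would keep them, findings for the analyst)."""
    kept: list[str] = []
    findings: list[Finding] = []
    first_seen: dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append(Finding(lineno, None, "syntax", "rule header could not be parsed"))
            continue
        keys = [k for k, _ in rule["options"]]
        sid = dict(rule["options"]).get("sid")
        if sid is None:
            findings.append(Finding(lineno, None, "syntax", "rule has no sid"))
        elif sid in first_seen:
            findings.append(Finding(lineno, sid, "syntax", f"duplicate sid, first seen on line {first_seen[sid]}"))
        else:
            first_seen[sid] = lineno

        action = rule["action"]
        if action == "pass":
            # Documented upload behaviour: rules with the Pass action are deleted.
            findings.append(Finding(lineno, sid, "dropped", "Pass rule is deleted on upload; traffic it suppressed is inspected"))
            continue
        if action in ("drop", "reject"):
            # Documented upload behaviour: Reject and Drop become Alert.
            findings.append(Finding(lineno, sid, "rewritten", f"{action} is changed to alert on upload; nothing is blocked"))
            line = "alert" + line[len(action):]

        has_content, has_pcre = "content" in keys, "pcre" in keys
        if has_pcre and not has_content:
            findings.append(Finding(lineno, sid, "performance", "pcre without a content match runs the regex on every packet matching the header"))
        wide_open = rule["src"] == "any" and rule["dst"] == "any" and rule["dport"] == "any"
        if wide_open and not has_content and not has_pcre:
            findings.append(Finding(lineno, sid, "performance", "any -> any header with no payload match alerts on every packet"))
        kept.append(line)
    return kept, findings


if __name__ == "__main__":
    rules, problems = check_rules(SAMPLE_RULES)
    for p in problems:
        print(f"line {p.line:>2} sid {p.sid or '-':>8} {p.kind:<11} {p.message}")
    print(f"{len(rules)} rule(s) would remain after upload")
```

Run it against the rule file before you upload it. Two points it surfaces are easy to miss when a rule file is exported from an existing Suricata or Snort deployment: a Pass rule that was added there to suppress traffic from a scanner or backup host is silently removed on upload, so the traffic it covered is matched by the remaining rules, and because IDs may be modified on upload, the original sid values cannot be relied on to correlate alerts back to the file you imported.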

To replace a custom IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Below the rule information, click Replace.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.

The user-defined IDS rule is imported into the program, replacing the previously imported rule.

Users with the Security auditor role cannot replace user-defined IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

[Topic 197084]

Downloading a user-defined IDS rule file to the computer

You can download a previously imported IDS rule file to your computer.

To download a custom IDS rule file to the computer:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Below the rule information, click Download.

The file will be saved to your local computer in the browser's downloads folder.

[Topic 197083]

Deleting a user-defined IDS rule

When working in distributed solution mode, users with the Senior security officer role can delete only a user-defined IDS rule that was imported on the current server. This means that in the PCN web interface you can delete only a rule that was created on the PCN, and in the SCN web interface only a rule that was created on the SCN.

To delete a custom IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Click Delete.

    This opens the action confirmation window.

  3. Click Yes.

The rule is deleted.

You cannot delete IDS rules defined by Kaspersky. If you do not want to use a Kaspersky IDS rule for scanning, add it to exclusions.

Users with the Security auditor role cannot delete user-defined IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

[Topic 197088]