How to: MGS/AWG - Inline Intrusion Prevention System

Contents

1.0 Inline Intrusion Prevention System
1.1 General setup
1.2 Advanced options
1.3 Finger Printing
2.0 Rulesets
2.1 Emerging Threats ETOpen Ruleset
2.2 Abuse.ch
2.3 SSL Blacklist
2.4 Feodo Tracker
2.5 URLHaus List
3.0 App detection rules

1.0 Inline Intrusion Prevention System

The inline IPS system of activeARC® is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and is used to mitigate security threats at wire speed.

1.1 General setup

The settings page contains the standard options to get your IDPS system up and running.


Enabled

Enable Suricata

IPS mode

When enabled, the system can drop suspicious packets. In order for this to work, your network card needs to support netmap. The action for a rule needs to be “drop” in order to discard the packet, this can be configured per rule or ruleset (using an input filter)

Promiscuous mode

Listen to traffic in promiscuous mode. (All packets instead of only the ones addressed to this network interface)

Enable syslog alerts

Send alerts to syslog, using fast log format

Enable eve syslog output

Send alerts in eve format to syslog, using log level info. This will not change the alert logging used by the product itself. Drop logs will only be send to the internal logger, due to restrictions in Suricata.

Pattern matcher

Controls the pattern matcher algorithm. Aho-Corasick is the default. On supported platforms, Hyperscan is the best option.

Interfaces

Interfaces to protect. When in IPS mode, this need to be real interfaces supporting netmap. (when using VLAN’s, enable IPS on the parent)

Rotate log

Log rotating frequency, also used for the internal event logging (see Alert tab)

Save logs

Number of logs to keep
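The following is an added example, not activeARC or Suricata code, that models what the IPS-mode "drop" setting relies on: an input filter that switches selected rules from "alert" to "drop" by classtype or by SID. The rule lines, SIDs and messages are constructed for illustration.

```python
"""Switch selected Suricata rules from "alert" to "drop" (added example).

Models the per-rule / per-ruleset action override that IPS mode needs:
only rules whose action is "drop" actually discard packets. The ruleset
below is constructed; its SIDs (9000001..9000004) and messages are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ruleset: two alert rules, one already drop, one disabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE Bot C2 checkin"; flow:to_server,established; content:"GET"; classtype:trojan-activity; sid:9000001; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Suspicious user agent"; http.user_agent; content:"evilbot"; classtype:policy-violation; sid:9000002; rev:1;)
drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Bad certificate"; tls.fingerprint; content:"aa:bb"; classtype:trojan-activity; sid:9000003; rev:1;)
# alert ip any any -> any any (msg:"EXAMPLE disabled rule"; classtype:misc-activity; sid:9000004; rev:1;)
"""

ACTION_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.+)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CLASSTYPE_RE = re.compile(r'\bclasstype:\s*([\w-]+)\s*;')


@dataclass(frozen=True)
class Rule:
    action: str
    rest: str            # everything after the action keyword, unchanged
    sid: int
    classtype: Optional[str]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one active rule line; comments, blanks and disabled rules give None."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = ACTION_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    sid_m = SID_RE.search(rest)
    if not sid_m:
        return None      # every valid Suricata rule carries a sid
    ct = CLASSTYPE_RE.search(rest)
    return Rule(m.group('action'), rest, int(sid_m.group(1)), ct.group(1) if ct else None)


def apply_drop_policy(rules_text: str, drop_classtypes=frozenset(), drop_sids=frozenset()) -> str:
    """Return the ruleset with matching "alert" rules rewritten to "drop".

    Selection works like an input filter: by classtype or by explicit sid.
    Rules already set to drop/pass/reject and lines that do not parse
    (comments, disabled rules) are passed through untouched.
    """
    out = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r.action == 'alert' and (r.classtype in drop_classtypes or r.sid in drop_sids):
            out.append(f'drop {r.rest}')
        else:
            out.append(line)
    return '\n'.join(out) + '\n'


def action_counts(rules_text: str) -> dict:
    """Count active rules per action, a quick sanity check before loading a ruleset."""
    counts = {}
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r:
            counts[r.action] = counts.get(r.action, 0) + 1
    return counts


if __name__ == '__main__':
    rewritten = apply_drop_policy(SAMPLE_RULES, drop_classtypes={'trojan-activity'})
    print(rewritten)
    print(action_counts(SAMPLE_RULES), '->', action_counts(rewritten))
```

Disabled rules (commented out) are deliberately left alone: a filter that "dropped" a disabled rule would silently re-enable it, which is not what an operator selecting a classtype expects.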


Note

When using IDPS on a NAT-enabled interface, you will probably need to add the WAN address to “Home networks” (see advanced options). The advantage of enabling IDPS on a local network interface is that source and destination addresses are the ones originally requested. (Rules usually use the home network to distinguish the direction of traffic.)


1.2 Advanced options

Some less frequently used options are hidden under the “advanced” toggle. ICCN does not endorse any of the platforms below, and the user uses them at their own risk. ICCN's support for the open community is very strong and these tools provide options for our community of users. We are not liable for their statements, performance, or promises.

Home networks

Define custom home networks when they differ from the RFC1918 networks. In some cases, people tend to enable IDPS on a WAN interface behind NAT (Network Address Translation), in which case Suricata would only see translated addresses instead of internal ones. Using this option, you can define which addresses Suricata should consider local.

Default packet size

With this option, you can set the size of the packets on your network. It is possible that bigger packets have to be processed sometimes. The engine can still process these bigger packets, but processing them will lower performance.
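The "Home networks" option and the note under the general setup describe the same problem: on a NAT-side interface, Suricata sees the translated address, so a rule written as $HOME_NET -> $EXTERNAL_NET no longer matches unless the WAN address is added to the home network. The following added example (not activeARC code) parses constructed eve-format alert lines as they might arrive via syslog and classifies each alert's direction against a HOME_NET built from RFC1918 plus optional extra networks. The addresses, signature IDs and syslog prefixes are constructed; 203.0.113.10 stands in for a hypothetical WAN address.

```python
"""Direction of eve alerts against a configurable HOME_NET (added example).

Shows why a NAT-side interface needs the WAN address in "Home networks":
the same connection is seen with its internal source on the LAN interface
and with the translated public source on the WAN interface. All records,
addresses and signatures below are constructed for illustration.
"""
import ipaddress
import json

# The RFC1918 ranges Suricata's default HOME_NET covers.
RFC1918 = ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Constructed eve records with a syslog prefix, one JSON object per line.
# Record 1: seen on the LAN interface, internal source address intact.
# Record 2: the same connection seen on the WAN interface after NAT; only the
#           (hypothetical) public address 203.0.113.10 is visible.
# Record 3: a drop event; record 4: a flow record (neither is an alert).
SAMPLE_EVE = """\
Jan  5 10:00:01 gw suricata[1234]: {"timestamp":"2024-01-05T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.25","dest_ip":"198.51.100.7","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE Bot C2 checkin"}}
Jan  5 10:00:01 gw suricata[1234]: {"timestamp":"2024-01-05T10:00:01.000100+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.7","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE Bot C2 checkin"}}
Jan  5 10:00:02 gw suricata[1234]: {"timestamp":"2024-01-05T10:00:02.000000+0000","event_type":"drop","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","proto":"TCP"}
Jan  5 10:00:03 gw suricata[1234]: {"timestamp":"2024-01-05T10:00:03.000000+0000","event_type":"flow","src_ip":"192.168.1.25","dest_ip":"1.1.1.1","proto":"UDP"}
Jan  5 10:00:04 gw suricata[1234]: not a json line, ignored
"""


def build_home_net(extra_networks=()):
    """HOME_NET as a list of networks: RFC1918 plus extras such as the WAN address."""
    return [ipaddress.ip_network(n, strict=False) for n in (*RFC1918, *extra_networks)]


def is_home(addr: str, home_net) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)


def parse_eve_syslog(text: str) -> list:
    """Strip the syslog prefix and decode each eve JSON object; skip non-JSON lines."""
    records = []
    for line in text.splitlines():
        start = line.find('{')
        if start < 0:
            continue
        try:
            records.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue
    return records


def direction(record: dict, home_net) -> str:
    """'home->ext', 'ext->home', 'home->home' or 'ext->ext' for one record."""
    src = 'home' if is_home(record['src_ip'], home_net) else 'ext'
    dst = 'home' if is_home(record['dest_ip'], home_net) else 'ext'
    return f'{src}->{dst}'


def alert_directions(text: str, home_net) -> dict:
    """Count alert records (only event_type == 'alert') per direction."""
    counts = {}
    for rec in parse_eve_syslog(text):
        if rec.get('event_type') != 'alert':
            continue
        d = direction(rec, home_net)
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == '__main__':
    print('RFC1918 only      :', alert_directions(SAMPLE_EVE, build_home_net()))
    print('with WAN address  :', alert_directions(SAMPLE_EVE, build_home_net(['203.0.113.10/32'])))
```

With the default HOME_NET the WAN-side copy of the alert is classified as ext->ext, which is exactly the case where a $HOME_NET -> $EXTERNAL_NET rule would not fire; adding the WAN address as a /32 puts it back into home->ext.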


1.3 Finger Printing

activeARC® includes a very polished solution to block protected sites based on their SSL fingerprint. You can add rules manually in the “User defined” tab.

2.0 Rulesets

·         ET Pro Telemetry edition

2.1 Emerging Threats ETOpen Ruleset

The ETOpen Ruleset is an excellent anti-malware IDS/IPS ruleset that enables users with cost constraints to significantly enhance their existing network-based malware detection. The ETOpen Ruleset is not a full coverage ruleset, may not be sufficient for many regulated environments, and should not be used as a standalone ruleset.

activeARC® has integrated support for ET Open rules. For details and guidelines see http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ

For rules documentation: http://doc.emergingthreats.net/


2.2 Abuse.ch

Abuse.ch offers several blacklists for protecting against fraudulent networks. activeARC® has integrated support for the lists described in the following sections.

2.3 SSL Blacklist

SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of “bad” SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists.

See for details: https://sslbl.abuse.ch/
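As an added example (not activeARC or abuse.ch code) of how an SSLBL-style list is applied: the SHA1 fingerprint Suricata matches on is the SHA1 of the DER-encoded certificate, written as colon-separated lowercase hex pairs. The code below computes that fingerprint, loads a constructed blacklist, checks certificates against it and emits a Suricata rule using the tls.fingerprint keyword. The "certificate" byte strings and list rows are constructed; the CSV column layout (listing date, SHA1, listing reason) is an assumption about the feed format, and the rule's message, classtype and SID are made up.

```python
"""SHA1 certificate fingerprints as used by the abuse.ch SSL Blacklist (added example).

Not activeARC or abuse.ch code. The two "certificates" are arbitrary byte
strings standing in for DER-encoded certificates, and the blacklist CSV is
built here rather than downloaded. The column layout (listing date, SHA1,
listing reason) is an assumption about the feed; a real deployment would
verify it against the downloaded file.
"""
import csv
import hashlib

HEX_DIGITS = set('0123456789abcdef')

# Constructed stand-ins for DER certificate bytes.
BAD_CERT = b'constructed DER bytes for a certificate that is on the list'
GOOD_CERT = b'constructed DER bytes for a certificate that is not listed'

# Constructed blacklist in the assumed CSV layout. The listed hash is stored in
# upper case on purpose to show that matching must normalise case; the last
# row is malformed and must be skipped rather than matched.
BLACKLIST_CSV = (
    '# Listingdate,SHA1,Listingreason\n'
    f'2024-01-05 10:00:00,{hashlib.sha1(BAD_CERT).hexdigest().upper()},Constructed test entry\n'
    '2024-01-05 10:00:01,notahash,Malformed row\n'
)


def sha1_fingerprint(der_bytes: bytes) -> str:
    """Colon-separated lowercase SHA1 fingerprint, the form Suricata matches on."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ':'.join(digest[i:i + 2] for i in range(0, 40, 2))


def load_blacklist(csv_text: str) -> dict:
    """Parse an SSLBL-style CSV ('#' lines are comments) into {fingerprint: reason}."""
    entries = {}
    rows = (ln for ln in csv_text.splitlines() if ln and not ln.startswith('#'))
    for row in csv.reader(rows):
        if len(row) < 3:
            continue
        sha1 = row[1].strip().lower()
        if len(sha1) != 40 or any(c not in HEX_DIGITS for c in sha1):
            continue      # skip malformed hashes instead of silently mis-matching
        fp = ':'.join(sha1[i:i + 2] for i in range(0, 40, 2))
        entries[fp] = row[2].strip()
    return entries


def check_certificate(der_bytes: bytes, blacklist: dict):
    """Return the listing reason if the certificate is blacklisted, else None."""
    return blacklist.get(sha1_fingerprint(der_bytes))


def suricata_rule(fingerprint: str, reason: str, sid: int) -> str:
    """Render one detection rule for a listed fingerprint (msg/classtype/sid made up)."""
    return (
        f'alert tls $EXTERNAL_NET any -> $HOME_NET any '
        f'(msg:"SSLBL: malicious certificate ({reason})"; '
        f'tls.fingerprint; content:"{fingerprint}"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == '__main__':
    bl = load_blacklist(BLACKLIST_CSV)
    for name, cert in (('BAD_CERT', BAD_CERT), ('GOOD_CERT', GOOD_CERT)):
        print(name, sha1_fingerprint(cert), '->', check_certificate(cert, bl))
    for i, (fp, reason) in enumerate(bl.items(), start=1):
        print(suricata_rule(fp, reason, 9100000 + i))
```

Fingerprint matching is exact, so a certificate that is re-issued by the same operator gets a new fingerprint and drops off the list until it is listed again; the list is a complement to, not a replacement for, the other rulesets.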

2.4 Feodo Tracker

Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and steal sensitive information from the victim's computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, labeled by Feodo Tracker as version A, version B, version C and version D:

·         Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP, forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.

·         Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller, usually taking advantage of a domain name within the ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.

·         Version C: Successor of Feodo, with completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This version is also known as Geodo and Emotet.

·         Version D: Successor of Cridex. This version is also known as Dridex.

See for details: https://feodotracker.abuse.ch/

2.5 URLHaus List

With activeARC® version 18.1.7 we introduced the URLHaus List from abuse.ch, which collects compromised sites distributing malware.

See for details: https://urlhaus.abuse.ch/

3.0 App detection rules

With activeARC® version 18.1.11 we introduced the app detection ruleset. Since about 80 percent of traffic is web application traffic, these rules are focused on blocking web services and the URLs behind them.

If you want to contribute to the ruleset, please contact us at development@iccnetworking.com.


      Contents 1.0 Introduction to NAT. 2 1.1 Some terms explained. 2 2.0 Port Forwarding: 3 2.1 Full Network Diagram (as per our setup) 3 2.2 Steps to configure port forwarding settings: 4 2.3 Destination port range and redirect target IP.. 5 2.4 Step To ...