8/20/2019 Cyberoam IPS Implementation Guide(5)
Cyberoam IPS Implementation Guide Version 9
Document version 95824-1.0-17/12/2008
IMPORTANT NOTICE: Elitecore has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.
USER'S LICENSE: The Appliance described in this document is furnished under the terms of Elitecore's End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.
LIMITED WARRANTY: Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. The customer's exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products, excluding power supplies, fans and electrical components, will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
DISCLAIMER OF WARRANTY: Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore's or its supplier's liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.
RESTRICTED RIGHTS: Copyright 1999-2008 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd.
CORPORATE HEADQUARTERS: Elitecore Technologies Ltd., 904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA. Phone: +91-79-26405600. Fax: +91-79-26407640. Web site: www.elitecore.com, www.cyberoam.com
Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.
Item | Convention | Example
Server | Machine where Cyberoam Software - Server component is installed |
Client | Machine where Cyberoam Software - Client component is installed |
User | The end user |
Username | Username uniquely identifies the user of the system |
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management > Groups > Create: it means, to open the required page, click on Group Management, then on Groups and finally click the Create tab
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes the command button text which is to be clicked
Cross references | Hyperlink in different color | refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typefaces between the black borders | Prerequisite: Prerequisite details
Contents
Technical Support ..... 3
Typographic Conventions ..... 4
Notation conventions ..... 4
Overview ..... 6
IPS ..... 6
Cyberoam IPS ..... 8
Create IPS Policy ..... 9
Enable/Disable Category ..... 11
Signature Configuration ..... 12
Update IPS policy ..... 14
Delete IPS policy ..... 15
Search IPS Signature ..... 16
Create Custom Signature ..... 17
Update Custom Signature ..... 19
Delete Custom Signature ..... 21
Custom Signature syntax ..... 22
Monitoring IPS ..... 27
Manage IPS ..... 28
Overview
Welcome to Cyberoam's IPS Implementation guide.
Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions.
Cyberoam's perfect blend of best-of-breed solutions includes user-based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IPS), and VPN.
Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the external world and still have firewall protection.
Cyberoam is a real-time intrusion detection and prevention system that protects your network from known and unknown attacks by worms and viruses, hackers and other internet risks.
The Cyberoam appliance at the perimeter of your network analyzes all traffic and prevents attacks from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack - it simply does not get through.
The IPS module is a subscription module, which needs to be subscribed before use.
From version 9.5.8, Cyberoam's Intrusion Detection & Prevention (IDP) feature has been renamed Cyberoam Intrusion Prevention System (IPS) to better reflect its comprehensive capabilities for addressing intrusions. The change in name is a step forward in communicating our robust intrusion prevention capabilities in industry-standard language.
To reflect the change, Web Admin Console menus, submenus and screens are also relabelled "IPS". Please read "IDP" as "IPS" in the screen shots and images included in the guide.
IPS
An IPS is a type of security management system that gathers and analyzes information from a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
An IPS detects and/or prevents malicious activity such as denial of service attacks, port scans or even attempts to break into computers by monitoring network traffic.
To detect such activity, IPSs use signatures. Whenever traffic matching a signature's pattern is found, the IPS triggers an alarm and blocks the traffic from reaching its destination.
A standard IPS allows defining a global policy that can be applied to source-destination network/host/port combinations. This global policy can be modified or tuned as per the requirement but cannot be tailored per network or per host.
As a global policy is a general policy for all, standard IPSs generate a high number of false positives, and this makes it difficult to pinpoint the host generating malicious traffic or vice versa.
Fine-tuning the global policy means disabling a set of signatures for all the networks/hosts. However, this may not be a fit-for-all policy; it might reduce false positives from one network while increasing them from another, and may not even detect certain obvious malicious activity.
Cyberoam IPS
Cyberoam IPS also uses signatures to identify malicious activity on the network, but instead of providing only one (global) policy for managing multiple networks/hosts, it allows the policy to be tailored per network/host, i.e. it allows defining multiple policies for managing multiple networks/hosts.
Cyberoam IPS consists of a signature engine with a predefined database of signatures. Predefined signatures are not editable.
As per your network requirements, Cyberoam allows you to define multiple policies instead of one global policy, to decrease packet latency and reduce false positives.
A policy allows you to view Cyberoam's predefined signatures and customize the intrusion prevention configuration at the category as well as the individual signature level. Categories are signatures grouped together based on application and protocol vulnerabilities.
Each IPS policy contains a set of signatures that Cyberoam searches for, logs and blocks, and allows you to:
• Enable or disable a category from IPS protection
• Enable or disable individual signatures in a category to tailor IPS protection to your network environment
• Define the action to be taken when the matching traffic pattern is found. Cyberoam can either detect or drop the connection. In either case, Cyberoam generates the log and alerts the Network Administrator.
To enable the intrusion detection and prevention functionality, apply the policy using a firewall rule. You can create rules to apply
• a single policy for all users/networks
• different policies for different users/networks or hosts
As firewall rules control all traffic passing through Cyberoam and decide whether to allow or drop the connection, an IPS policy is applied only to the traffic/packets which the firewall passes.
Create IPS Policy
Create and deploy IPS policies to block malicious or suspicious traffic and increase security productivity.
A policy allows you to view Cyberoam IPS signatures and configure the handling of signatures by category or on a signature-by-signature basis.
Select IPS > Policy > Create to open the Create IPS policy page
Screen – Create IPS policy
Screen Elements | Description
Create IPS policy
Name | Specify policy name. Choose a name that best describes the policy
Policy Description | Specify full description of the policy
Create button | Creates the policy. On successful creation of the policy, define what action is to be taken when traffic matches any of the signatures. By default, all the categories are enabled but individual signatures within the category are set to 'Detect' or 'Drop' mode. Refer to 'Enable/Disable Category' to enable or disable any individual category. Refer to 'Signature Configuration' to configure individual signatures within the category for intrusion prevention and detection.
Cancel button | Cancels the current operation and returns to the Manage IPS policy page
Table – Create IPS policy screen elements
Enable/Disable Category
Select IPS > Policy > Manage to view the list of policies created
Click the policy for which you want to enable/disable a category
Click the Edit mark against the Category to be enabled/disabled. A green check mark indicates that the Category is enabled; a red cross indicates that the Category is disabled
Screen – Enable/Disable Category
Screen Elements | Description
Edit IPS Category
Category | Displays Category name
Policy | Displays the Policy for which the Category will be enabled/disabled
Enabled | Select 'ON' to include the category for detection and prevention. Select 'OFF' to exclude the category from detection and prevention. Excluding the category is the same as not implementing IPS for that particular category. Refer to 'Signature Configuration' to set the IPS mode for individual signatures within the category.
Save button | Saves the settings
Cancel button | Cancels the current operation and returns to the Manage IPS policy page
Table – Enable/Disable Category screen elements
Update IPS policy
Use to
• Enable/Disable Category
• Configure Individual Signature
Select IPS > Policy > Manage and click the Policy name to be modified
Screen – Update IPS policy screen
Screen Elements | Description
Edit IPS policy
Name | Displays policy name
Policy Description | Displays full description of the policy, modify if required
 | Displays the list of enabled and disabled Categories for the policy. Refer to Enable/Disable Category for details. If a category is disabled, it will not be included in prevention and detection of intrusions. Click next to the Category name for which the Signature is to be configured; it displays the list of signatures in the Category. Refer to Configure Signatures to enable/disable and set the IPS mode for individual signatures within the category.
Save button | Updates and saves the policy description
Cancel button | Cancels the current operation and returns to the Manage IPS policy page
Table – Update IPS policy screen elements
Delete IPS policy
Select IPS > Policy > Manage to view the list of policies
Screen – Delete IPS policy screen
Screen Elements | Description
Del | Select policy for deletion. Click Del to select. More than one policy can be selected
Select All | Select all the policies for deletion. Click Select All to select all the policies
Delete button | Deletes all the selected policy/policies
Table – Delete IPS policy screen elements
Search IPS Signature
You can search the signature database by signature ID or signature name. If a policy is not specified in the search criteria, the search result will not display the action that will be taken when the matching pattern is found.
Search result displays:
• Signature ID as defined by Cyberoam
• Signature name and the category in which the signature is included by Cyberoam
• Whether the Signature is enabled for use or not. Because a signature is enabled from the IPS policy, the Enabled field will be blank if an IPS policy is not specified in the search criteria.
• Proposed action by Cyberoam – The proposed action is set by Cyberoam and cannot be modified. It is the default action that will be taken by Cyberoam when the matching traffic pattern is detected.
• Action – It is the action that is specified in the IPS policy and will be taken by Cyberoam when the matching traffic pattern is detected. If the proposed action and the action specified in the policy differ, the action specified in the policy is taken, i.e. the action specified in the policy overrides the proposed action. As the action is specified in the IPS policy, the Action field will be blank if an IPS policy is not specified in the search criteria.
Screen – Search Signature
Screen – Search Result
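The resolution order described in the Cyberoam IPS section (firewall rule selects the policy, a disabled category switches its signatures off, a per-signature mode in the policy overrides the vendor's proposed action) and the blank Enabled/Action columns described in this Search IPS Signature section can be modelled in a few lines. The following is an added example written for this guide, not Cyberoam's code or data: the signature IDs, names, categories, policies, networks and addresses are constructed and hypothetical, and the rule table is a simple first-match list.

```python
"""Model of how an IPS policy is resolved per connection: the firewall rule selects the
policy, a disabled category switches its signatures off, and a per-signature mode in the
policy overrides the signature's proposed (vendor default) action."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Signature:
    sig_id: int
    name: str
    category: str
    proposed_action: str              # vendor default, not editable: "detect" or "drop"

@dataclass
class IpsPolicy:
    name: str
    disabled_categories: set = field(default_factory=set)
    signature_modes: dict = field(default_factory=dict)   # sig_id -> "off" | "detect" | "drop"

@dataclass
class FirewallRule:
    src_net: str
    dst_net: str
    dst_port: Optional[int]           # None = any port
    action: str                       # "allow" or "drop"
    ips_policy: Optional[IpsPolicy] = None

# Constructed sample data: hypothetical signatures, IDs, policies and addresses.
SIGNATURES = {
    4001: Signature(4001, "WEB cgi-bin phf access", "Web Server", "detect"),
    4002: Signature(4002, "SMTP suspicious VRFY sweep", "Mail", "detect"),
}
DMZ_POLICY = IpsPolicy("dmz-servers", signature_modes={4001: "drop"})   # web probes dropped
LAN_POLICY = IpsPolicy("lan-users", disabled_categories={"Mail"})       # no mail server in LAN
RULES = [
    FirewallRule("0.0.0.0/0", "203.0.113.0/24", 80, "allow", DMZ_POLICY),
    FirewallRule("0.0.0.0/0", "203.0.113.0/24", 25, "allow", DMZ_POLICY),
    FirewallRule("192.168.1.0/24", "0.0.0.0/0", None, "allow", LAN_POLICY),
    FirewallRule("0.0.0.0/0", "0.0.0.0/0", None, "drop", None),         # default deny
]

def first_matching_rule(rules, src, dst, dst_port):
    """First-match firewall lookup on source network, destination network and port."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src_net) and ip_address(dst) in ip_network(r.dst_net)
                and r.dst_port in (None, dst_port)):
            return r
    return None

def resolve_action(policy, sig):
    """Category switch first, then the policy's per-signature mode, else the proposed action."""
    if sig.category in policy.disabled_categories:
        return "off"
    return policy.signature_modes.get(sig.sig_id, sig.proposed_action)

def inspect(rules, src, dst, dst_port, triggered):
    """Return (verdict, alerts) for a connection whose payload tripped the given signature IDs."""
    rule = first_matching_rule(rules, src, dst, dst_port)
    if rule is None or rule.action == "drop":
        return "drop", []                 # IPS only sees traffic the firewall passes
    if rule.ips_policy is None:
        return "allow", []                # rule without an IPS policy: no inspection
    verdict, alerts = "allow", []
    for sig_id in triggered:
        sig = SIGNATURES[sig_id]
        action = resolve_action(rule.ips_policy, sig)
        if action == "off":
            continue                      # disabled signature: no log, no alert
        alerts.append({"policy": rule.ips_policy.name, "signature": sig.name, "action": action})
        if action == "drop":
            verdict = "drop"              # both modes log and alert; only drop blocks
    return verdict, alerts

def search_signatures(query, policy=None):
    """Mimic the search screen: Enabled and Action are blank unless a policy is given."""
    results = []
    for sig in SIGNATURES.values():
        if query == str(sig.sig_id) or query.lower() in sig.name.lower():
            action = resolve_action(policy, sig) if policy else ""
            results.append({"id": sig.sig_id, "name": sig.name, "category": sig.category,
                            "proposed": sig.proposed_action, "action": action,
                            "enabled": (action != "off") if policy else ""})
    return results
```

The same hypothetical signature 4001 is dropped when it fires against the DMZ web servers, logged only when no override exists, and silent where its category is disabled, which is the per-network tailoring the guide contrasts with a single global policy.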
Create Custom Signature
Custom signatures provide the flexibility to customize IPS for diverse network environments. Default signatures included in Cyberoam cover common attacks, while custom signatures protect your network from uncommon attacks that arise from the use of proprietary servers, custom protocols, or specialized applications in the corporate network.
Create a custom signature to define custom IPS signatures for your own network and use them to allow or block specific traffic.
Select IPS > Custom Signature > Create
Screen – Create Custom Signature
Screen Elements | Description
Custom Signature
Custom Signature Name | Specify signature name. Choose a name that best describes the signature
Protocol | Specify protocol
Custom Rule | Specify signature. The signature definition must begin with a keyword followed by the value enclosed in double quotes, and must end with a semicolon (;). Format: keyword:"value"; E.g. content:"USER JOHN"; If traffic with the content USER JOHN is detected, the action defined in the policy will be taken.
Severity | Specify severity level of the signature. Severity level can be Warning, Minor, Moderate, Major, or Critical
Custom Signature Mode
Custom Signature mode | Select Default Mode. Mode decides what action to take if the pattern matching the Signature is found. By default, mode is 'OFF' (disabled) for all the policies. The default mode selected will be applicable to all the IPS policies. You can override the default mode of the signature for each IPS policy. Select 'OFF' to exclude the signature from the detection and/or prevention process. Drop mode: If any traffic that matches the signature is detected, Cyberoam logs the details, alerts the Administrator, and automatically drops the packets that triggered IPS, resets the connection and prevents the traffic from reaching its destination. Detect mode: If any traffic that matches the signature is detected, Cyberoam logs the details and alerts the Administrator, but does not take any action against the traffic, and the connection proceeds to its intended destination.
Override Policy Mode | Displays complete list of policies
Override Policy mode | For each policy, set what action should be taken if traffic matching the signature is found
Description
Policy Description | Specify full description of the policy
Create button | Creates the signature. On successful creation of the signature, define what action is to be taken when traffic matches the signature.
Cancel button | Cancels the current operation and returns to the Manage IPS policy page
Table – Create Custom Signature screen elements
Note
Custom signatures are an advanced feature that requires thorough networking knowledge and previous experience creating intrusion detection signatures.
Update Custom Signature
Select IPS > Custom Signature > Manage to view the list of signatures
Screen – Edit Custom Signature
Screen Elements | Description
Custom Signature
Custom Signature Name | Displays signature name, modify if required
Protocol | Displays the protocol for which the signature is created, modify if required
Custom Rule | Displays signature, modify if required. The signature definition must begin with a keyword followed by the value enclosed in double quotes, and must end with a semicolon (;). Format: keyword:"value"; E.g. content:"USER JOHN"; If traffic with the content USER JOHN is detected, the action defined in the policy will be taken. Refer to Custom Signature Syntax for more details
Severity | Displays severity level of the signature, modify if required. Severity level can be Warning, Minor, Moderate, Major, or Critical
Custom Signature Mode
Custom Signature mode | Displays Default Mode, modify if required. Mode decides what action to take if the pattern matching the Signature is found. By default, mode is 'OFF' (disabled) for all the policies. The default mode selected will be applicable to all the IPS policies. You can override the default mode of the signature for each IPS policy. Select 'OFF' to exclude the signature from the detection and/or prevention process. Drop mode: If any traffic that matches the signature is detected, Cyberoam logs the details, alerts the Administrator, and automatically drops the packets that triggered IPS, resets the connection and prevents the traffic from reaching its destination. Detect mode: If any traffic that matches the signature is detected, Cyberoam logs the details and alerts the Administrator, but does not take any action against the traffic, and the connection proceeds to its intended destination.
Override Policy Mode | Displays complete list of policies
Override Policy mode | For each policy, set what action should be taken if traffic matching the signature is found
Description
Policy Description | Displays full description of the policy, modify if required
Save button | Saves the modified details
Cancel button | Cancels the current operation and returns to the Manage IPS policy page
Table – Edit Custom Signature screen elements
Delete Custom Signature
Select IPS > Custom Signature > Manage to view the list of signatures
Screen – Delete Custom Signature screen elements
Screen Elements | Description
Del | Select signature for deletion. Click Del to select. More than one signature can be selected
Select All | Select all the signatures for deletion. Click Select All to select all the signatures
Delete button | Deletes all the selected signature(s)
Table – Delete Custom Signature screen elements
Custom Signature syntax
Keyword / Value / Usage

srcaddr, dstaddr
  Value: srcaddr:<ip address>; dstaddr:<ip address>;
  Usage: The source/destination IP address

srcport, dstport
  Value: srcport:<port>; dstport:<port>;
  Usage: The source/destination port

content
  Value: content:"<string>"; A string quoted within double quotes.
  Usage: Multiple contents can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.

nocase (can be used with the content keyword only)
  Value: nocase; (no value)
  Usage: Ignore case in the content value

rawbytes (can be used with the content keyword only)
  Value: rawbytes; (no value)
  Usage: Ignore any decoding. Look at the raw packet data

depth (can be used with the content keyword only)
  Value: depth:<number>; e.g. depth:5;
  Usage: Look for the contents within the specified number of bytes of the payload. If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched

offset (can be used with the content keyword only)
  Value: offset:<number>; e.g. content:"cgi-bin/phf";offset:4;depth:20;
  Usage: Start looking for the contents after the specified number of bytes of the payload. This tag is an absolute value in the payload. Follow the offset tag with the depth tag to stop looking for a match after the value specified by the depth tag. If there is no depth specified, continue looking for a match until the end of the payload.

distance (can be used with the content keyword only)
  Value: distance:<number>; e.g. content:"ABC";content:"DEF";distance:1;
  Usage: Search for the contents the specified number of bytes relative to the end of the previously matched contents. The distance tag could be followed with the within tag. If there is no value specified for the within tag, continue looking for a match until the end of the payload.

within (can be used with the content keyword only)
  Value: within:<number>; e.g. content:"ABC";content:"DEF";within:10;
  Usage: Look for the contents within the specified number of bytes of the payload. Use with the distance tag.

uricontent
  Value: uricontent:"<string>"; e.g. uricontent:"%3F";
  Usage: Search for the normalized request URI field. Binary data can be defined as the URI value.

isdataat
  Value: isdataat:<number>[,relative]; e.g. content:"PASS";isdataat:50,relative;
  Usage: Verify that the payload has data at a specified location. Optionally look for data relative to the end of the previous content match.

pcre
  Value: pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]"; e.g. pcre:"/BLAH/i";
  Usage: The pcre keyword allows rules to be written using perl compatible regular expressions.
    i - Case insensitive
    s - Include newlines in the dot metacharacter
    m - By default, the string is treated as one big line of characters; ^ and $ match at the start and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
    x - Whitespace data characters in the pattern are ignored except when escaped or inside a character class
    A - The pattern must match only at the start of the buffer (same as ^)
    E - Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines)
    G - Inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by "?"
    R - Match relative to the end of the last pattern match (similar to distance:0;)
    U - Match the decoded URI buffers (similar to the uricontent keyword)
    B - Do not use the decoded buffers (similar to the rawbytes keyword)

byte_test
  Value: byte_test:<bytes_to_convert>,[!]<operator>,<value>,<offset>[,relative][,big|little][,string,hex|dec|oct]; (oct, dec, hex are used with string only)
  e.g. msg:"AMD procedure 7 plog overflow";content:"|00 04 93 F3|";content:"|00 00 00 07|";distance:4;within:4;byte_test:4,>,1000,20,relative;
  Usage: Test a byte field against a specific value (with operator). Capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
    bytes_to_convert - The number of bytes to pick up from the packet
    operator - The operation to perform to test the value (<, >, =, !, &)
    value - The value to test the converted value against
    offset - The number of bytes into the payload to start processing
    relative - Use an offset relative to the last pattern match
    big - Process the data as big endian (default)
    little - Process the data as little endian
    string - The data is stored in string format in the packet
    hex - The converted string data is represented in hexadecimal
    dec - The converted string data is represented in decimal
    oct - The converted string data is represented in octal

byte_jump
  Value: byte_jump:<bytes_to_convert>,<offset>[,relative][,multiplier <value>][,big][,little][,string][,hex][,dec][,oct][,align][,from_beginning]; (oct, dec, hex are used with string only)
  e.g. content:"|00 00 00 01|";distance:4;within:4;byte_jump:4,12,relative,align;
  Usage:
    bytes_to_convert - The number of bytes to pick up from the packet
    multiplier <value> - Multiply the number of calculated bytes by value and skip forward that number of bytes
    offset - The number of bytes into the payload to start processing
    relative - Use an offset relative to the last pattern match
    big - Process the data as big endian (default)
    little - Process the data as little endian
    string - The data is stored in string format in the packet
    hex - The converted string data is represented in hexadecimal
    dec - The converted string data is represented in decimal
    oct - The converted string data is represented in octal
    align - Round the number of converted bytes up to the next 32-bit boundary
    from_beginning - Skip forward from the beginning of the packet payload instead of from the current position in the packet

ttl
  Value: ttl:<number>; ttl:><number>;

flags
  Value: flags:<flag letters>[,<mask letters>]; e.g. flags:SF,12;
  Usage:
    A - Match the ACK flag
    F - Match the FIN flag
    R - Match the RST flag
    U - Match the URG flag
    P - Match the PSH flag
    1 - Match Reserved bit 1
    2 - Match Reserved bit 2
    0 - Match No TCP flags set
    + - Match on the specified bits, plus any others
    * - Match if any of the specified bits are set
    ! - Match if the specified bits are not set

flow
  Value: flow:[to_client|to_server|from_client|from_server];[established];[bi_direction];[no_stream|only_stream];
  Usage: TCP only. The to_server value is equal to the from_client value. The to_client value is equal to the from_server value. The bi_direction tag makes the signature match traffic for both directions. For example, if you have a signature with "--dst_port 80", and with bi_direction set, the signature checks traffic from and to port 80.

seq
  Value: seq:<number>;
  Usage: Check for the specified TCP sequence number

ack
  Value: ack:<number>;
  Usage: Check for the specified TCP acknowledge number

window
  Value: window:<number>;
  Usage: Check for the specified TCP window size

itype
  Value: itype:[<|>]<number>;
  Usage: Specify the ICMP type to match

icode
  Value: icode:[<|>]<number>;
  Usage: Specify the ICMP code to match

icmp_id
  Value: icmp_id:<number>;
  Usage: Check for the specified ICMP ID value

icmp_seq
  Value: icmp_seq:<number>;
  Usage: Check for the specified ICMP sequence value

rpc
  Value: rpc:<application number>,[<version number>|*],[<procedure number>|*];
  Usage: Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for version and procedure numbers

ip_proto
  Value: ip_proto:[!|>]<protocol>;
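The content modifiers above (nocase, depth, offset, distance, within, isdataat) and byte_test interact in ways that are easy to get wrong when writing a custom rule, for instance the guide's caveat that a depth smaller than the content length can never match, or that within is measured from the end of the previous match. The following is an added example, not Cyberoam's engine or any code from this guide: a small Python evaluator for that subset, with assumed semantics (the payload is already reassembled, uricontent is searched in the same buffer as content, rawbytes is accepted but changes nothing, and pcre, flags, flow and the header keywords are not implemented). The RPC-style payload it builds is constructed so that the guide's byte_test example can be traced through it.

```python
"""Toy evaluator for the content-modifier subset of the custom signature syntax
(assumed semantics, not Cyberoam's engine: payload already reassembled, uricontent
searched in the same buffer as content, rawbytes accepted but changes nothing)."""
import re
import struct

OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
MODIFIERS = {"nocase", "rawbytes", "depth", "offset", "distance", "within"}
OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "=": lambda a, b: a == b, "&": lambda a, b: (a & b) != 0}

def parse_rule(rule):
    """Return [(keyword, value)] in rule order; quoted values lose their quotes."""
    opts = []
    for m in OPTION_RE.finditer(rule):
        kw, val = m.group(1).lower(), m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
        opts.append((kw, val))
    return opts

def decode_content(value):
    """Expand the |hex bytes| sections of a content value into raw bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def _match_content(payload, needle, mods, last_end):
    """Search the window the modifiers define; return the new last_end or -1."""
    if "distance" in mods or "within" in mods:       # relative to the previous match
        start = last_end + int(mods.get("distance", 0))
        end = start + int(mods["within"]) if "within" in mods else len(payload)
    else:                                           # absolute from the payload start
        start = int(mods.get("offset", 0))
        end = start + int(mods["depth"]) if "depth" in mods else len(payload)
    hay = payload[start:end]
    idx = hay.lower().find(needle.lower()) if "nocase" in mods else hay.find(needle)
    return -1 if idx < 0 else start + idx + len(needle)  # depth < len(needle) never matches

def _read_number(payload, nbytes, pos, flags):
    """Read nbytes at pos as big/little-endian binary, or as an ASCII hex/dec/oct string."""
    chunk = payload[pos:pos + nbytes]
    if pos < 0 or len(chunk) < nbytes:
        return None
    if "string" in flags:
        base = 16 if "hex" in flags else 8 if "oct" in flags else 10
        return int(chunk.decode("ascii", "replace").strip(), base)
    return int.from_bytes(chunk, "little" if "little" in flags else "big")

def _byte_test(payload, value, last_end):
    """byte_test:<bytes>,[!]<op>,<value>,<offset>[,relative][,big|little][,string,hex|dec|oct]"""
    args = [a.strip() for a in value.split(",")]
    nbytes, op, cmp_val, offset = int(args[0]), args[1], int(args[2], 0), int(args[3])
    negate, op = op.startswith("!"), (op.lstrip("!") or "=")   # a bare "!" means "not equal"
    pos = (last_end if "relative" in args[4:] else 0) + offset
    read = _read_number(payload, nbytes, pos, args[4:])
    if read is None:
        return False
    result = OPS[op](read, cmp_val)
    return not result if negate else result

def rule_matches(rule, payload):
    """True when every matching keyword of the rule is satisfied by payload, in order."""
    last_end, pending = 0, None                         # pending = (needle, modifiers)

    def flush():                                        # resolve the content awaiting modifiers
        nonlocal last_end, pending
        if pending is None:
            return True
        needle, mods = pending
        pending = None
        last_end = _match_content(payload, needle, mods, last_end)
        return last_end >= 0

    for kw, val in parse_rule(rule):
        if kw in MODIFIERS and pending is not None:
            pending[1][kw] = val
            continue
        if not flush():
            return False
        if kw in ("content", "uricontent"):
            pending = (decode_content(val), {})
        elif kw == "byte_test" and not _byte_test(payload, val, last_end):
            return False
        elif kw == "isdataat":
            args = [a.strip() for a in val.split(",")]
            if len(payload) <= (last_end if "relative" in args else 0) + int(args[0]):
                return False
        # msg, severity and other non-matching keywords are ignored
    return flush()

def rpc_record(length_field):
    """Constructed RPC-like payload shaped so the guide's byte_test example can match."""
    return (b"\x00\x04\x93\xf3" + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x07"
            + b"\x00" * 20 + struct.pack(">I", length_field) + b"tail")

PLOG_RULE = ('msg:"AMD procedure 7 plog overflow";content:"|00 04 93 F3|";'
             'content:"|00 00 00 07|";distance:4;within:4;byte_test:4,>,1000,20,relative;')
```

Tracing PLOG_RULE through rpc_record(5000): the first content matches at offset 0 and ends at 4; distance:4 moves the search start to 8 and within:4 limits the window to bytes 8-11, so the second content must sit exactly there; byte_test then reads 4 bytes at 12 + 20 = 32 and compares 5000 > 1000. Swapping the length field for 500 makes the same rule fail, and `content:"USER JOHN";depth:5;` fails on any payload because the 5-byte window can never hold a 9-byte string.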
Monitoring IPS
Once the policies and rules are in place, IPS examines all incoming and outgoing packets, looking for matching signatures. All the detected signatures are logged and identified as IPS alerts.
The Administrator can view the most recent alerts (if any) from the Dashboard.
An alert displays the date and time of the intrusion, the IP addresses of the source and destination of the intrusion, the signature name and the severity of the intrusion.
Note
To access the Dashboard,
• press F10 from any of the Cyberoam screens OR
• press F2 for the Home page and click 'Dashboard'
Screen – IPS Alerts
Manage IPS
Select IPS > Manage IPS to open the page that displays the status of the IPS engine.
Click Start to start the IPS engine. If you have logged on to Cyberoam for the first time after the IPS module is registered, the status will be 'Stopped' and you will need to start the IPS engine.
The page also displays the version number and release date of the IPS engine in use, along with update information like the date of the last attempt to update the IPS engine and whether the update was successful or not.
The IPS Engine is updated automatically.
The IPS signature database is updated automatically once a day.