Intrusion prevention system

Principle of operation

An IPS, or Intrusion Prevention System, is an optional security system within a firewall. The system is capable of detecting and reporting almost all types of network attacks, as well as blocking detected attacks.

In the Selectel firewall, IPS is implemented as a Snort-based software module. It checks traffic that has already passed firewall filtering. Regularly updated rules from the Snort development community are used to inspect traffic, and you can also add your own rules to detect and block network attacks.

Limitations

IPS on the Selectel firewall does not protect against the following types of attacks:

  • application logic attacks (L7). To protect at this level, use WAF Qrator;
  • any non-network attacks, such as obtaining superuser privileges.

Cost

You can connect IPS on a Selectel firewall for free. You pay only for the firewall; for more details, see the article Hardware firewall payment and pricing model.

Connect IPS

  1. Make sure that you ordered a Selectel firewall and accessed the graphical interface.
  2. Configure the IPS module.
  3. Add and configure the network interface.
  4. Customize existing rules.
  5. Optional: create your own rules.
  6. Enable IPS on the interface.

Configure the IPS module

  1. In the graphical interface, from the main menu, go to Services → Snort.
  2. Open the Global Settings tab.
  3. Select the repositories whose rules you want to use by checking the Click to enable download of ... checkboxes.
  4. Optional: configure the settings in the Rules Update Settings and General Settings blocks.
  5. Click Save.
  6. Open the Updates tab.
  7. To download the selected rule repositories, click Update Rules.
  8. Optional: configure the settings on the other tabs.

Add and configure a network interface

  1. In the graphical interface, from the main menu, go to Services → Snort.

  2. Open the Snort Interfaces tab.

  3. Click + Add.

  4. Select the interface on which you want to enable IPS.

  5. Optional: to have the IPS log displayed in the overall firewall log, check the Send Alerts to System Log box in the Alert Settings block.

  6. In the Block Settings block, check the Block Offenders box.

  7. Select the blocking mode (IPS Mode):

    • Legacy mode — sources of suspicious traffic are blocked, some amount of suspicious traffic may enter the system before it is blocked;
    • Inline mode — suspicious traffic packets are blocked without entering the system.
  8. Optional: specify settings in other blocks on the page.

  9. Click Save.

  10. Optional: to reduce the number of false alarms, open the Variables tab and specify the IP addresses and ports of your servers.

Customize existing rules

  1. In the graphical interface, from the main menu, go to Services → Snort.

  2. Open the Snort Interfaces tab.

  3. In the row of the desired interface, click .

  4. Open the Rules tab.

  5. Check whether the rules from the selected categories are enabled: in the Available Rule Categories block, select a category, then in the State column check or set the required state for the desired rules.

  6. If you selected Inline mode when configuring the module, change the action of the rule in the Action column:

    • DEFAULT — use the default action of the rule, usually ALERT;
    • ALERT — create a log entry;
    • DROP — drop the packet;
    • REJECT — discard the packet and send a port unreachable message in response.
  7. Click Apply.

Create your own rules

  1. In the graphical interface, from the main menu, go to Services → Snort.
  2. Open the Snort Interfaces tab.
  3. In the row of the desired interface, click .
  4. Open the Rules tab.
  5. In the Available Rule Categories block, select custom.rules.
  6. In the Defined Custom Rules block, enter the text of the rules in Snort format.
  7. Click Save.
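
A pre-paste check for the rule text entered in step 6, as an added example that is not part of the original page or of Selectel's tooling: it lints Snort-format rules for a valid header, the sid/msg/rev options, a SID in the local range and duplicate SIDs. The two sample rules, their SIDs and messages, and the helper names are constructed for illustration.

```python
import re

# Constructed sample rules (not from the page). $HOME_NET and $EXTERNAL_NET are
# standard Snort variables; SIDs from 1000000 up are the range for local rules.
SAMPLE_RULES = r'''
# Alert when one source sends more than 10 SSH SYNs in 60 seconds
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection rate exceeded"; flow:to_server; flags:S; detection_filter:track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
# Drop inbound Telnet connection attempts
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL inbound Telnet blocked"; flow:to_server; flags:S; classtype:policy-violation; sid:1000002; rev:1;)
'''

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # common Snort 2 actions
RULE_RE = re.compile(r'^(\w+)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')  # ';' inside quotes is kept
LOCAL_SID_MIN = 1_000_000

def parse_options(body):
    """Split 'key:value; key; ...' into a dict of option name -> raw value."""
    opts = {}
    for item in OPTION_RE.findall(body):
        key, _, value = item.strip().partition(":")
        if key:
            opts.setdefault(key.strip(), value.strip())
    return opts

def lint_rules(text):
    """Return (line_number, problem) pairs for rules that need fixing before pasting."""
    problems, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, "not 'action proto src sport -> dst dport (options)'"))
            continue
        if m.group(1) not in ACTIONS:
            problems.append((n, f"unknown action {m.group(1)!r}"))
        opts = parse_options(m.group(2))
        # sid is mandatory in Snort; msg and rev are conventions this lint enforces.
        problems += [(n, f"missing {k}") for k in ("msg", "sid", "rev") if k not in opts]
        sid = opts.get("sid", "")
        if sid.isdigit() and int(sid) < LOCAL_SID_MIN:
            problems.append((n, f"sid {sid} is below the local range"))
        if sid in seen_sids:
            problems.append((n, f"sid {sid} already used on line {seen_sids[sid]}"))
        elif sid:
            seen_sids[sid] = n
    return problems
```

Call lint_rules() on the rule text before entering it in the Defined Custom Rules block; an empty list means no problems were found.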

Enable IPS on the interface

  1. In the graphical interface, from the main menu, go to Services → Snort.

  2. Open the Snort Interfaces tab.

  3. In the row of the desired interface, click . IPS will start working, and logs will be displayed:

    • in Snort's general logs (Services → Snort → Alerts tab);
    • in the interface logs (Services → Snort, in the row of the desired interface → Logs tab).
  4. Optional: To disable IPS on an interface, in the row of the desired interface, press .