More control over IDP

SECOIT GmbH
Posts: 32
Joined: 13 Feb 2018, 16:20

More control over IDP

Post by SECOIT GmbH » 29 Aug 2018, 11:00

Hi Clavister team,

It would be great to add a little more control over the IDP feature.
Currently it's kind of an "all or nothing" setup, which means it's very difficult to have control over individual rules since it's mainly controlled via signature groups.

One example with HTTPS.
Reading through signature descriptions I enabled the following groups for HTTPS:
IPS_BOT_*
IPS_BROWSER_*
IPS_SSL_*
IPS_TCP_*
IPS_WEB_*
IPS_TROJAN_*
IPS_WORM_*
IPS_HTTP_*
IPS_MALWARE_*

Doing so reduces the maximum throughput for HTTPS traffic to roughly 35 MBit/s as the CPU reaches 100 % on a W20. Basically even most home DSL connections around here are 50 MBit/s or faster, so activating those signature rules will significantly reduce throughput in most cases.

Reading through several IDP rules, I see that easily 75% of the signature IDs (my guess) should already be patched in most environments and therefore won't cause any harm, so they won't need to be evaluated for each data packet.
So it would be great if there was an easy way to exclude signatures (maybe take a look at the GUI of the SNORT package of some popular Open Source firewall distribution that uses pf on FreeBSD ;) ).
This would hopefully significantly improve performance by easily excluding unneeded signatures (35 MBit/s on a W20 is simply far too slow in my opinion) and also it could make it a lot easier to exclude false positives (also here take a look at the package I mentioned above where you can simply click on the logs of an IPS alert and exclude it).

Also the documentation requires some improvement in my opinion.
In general I absolutely love Clavister's documentation because it is not only very detailed, it also gives many helpful examples to make the admins life easier.
But with IDP it lacks a lot of important information (unless I missed it), like how to exclude single signatures (learned it via the forum) or information on what the rule categories actually do (some - not all - have a short sentence in the manual trying to explain what they are for, but in my opinion the explanation is far too short to actually understand what the rules are doing).

Or maybe (task for Peter 8-) ) add an IDP cook book.

Thanks,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

Peter
Posts: 665
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: More control over IDP

Post by Peter » 30 Aug 2018, 08:49

Hello Michael.

Thank you for your post, this is excellent feedback. You have very good points and suggestions on enhancements. I agree with you that IDP really needs some usability enhancements to make it easier to use without hogging too much resources and/or risking that you scan traffic with signatures that cannot trigger in the first place.

I will go through our currently reported enhancement requests and see what we currently have, then compile them in a list and complement it with additional RFEs if I feel something is missing.

I will update this thread with some details such as project IDs when I am done. Please note however that RFEs are suggestions; it will still be up to product management and the architects to decide on what feature/function we should focus on.

Best regards
/Peter

Peter
Posts: 665
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: More control over IDP

Post by Peter » 30 Aug 2018, 16:16

Hello.

Based on your feedback I found several RFE projects for a couple of things that could make IDP more useful. I also came up with two more, which I created and added to the list below.

COP-5711 - IDP: Guides for popular servers
COP-5813 - IDP setup wizard
COP-8725 - WebUI: When selecting Signatures, should see number of signatures in group
COP-9749 - WebUI: Add the advisory information to each IDP signature
COP-21320 - Improve GUI when it comes to selecting individual IDP signatures to ignore/exclude
COP-21321 - Give example in the admin guide on how individual IDP signatures can be used in the input field.

Best regards
/Peter

SECOIT GmbH
Posts: 32
Joined: 13 Feb 2018, 16:20

Re: More control over IDP

Post by SECOIT GmbH » 06 Sep 2018, 21:53

Hi Peter,

Many thanks for consolidating and adding the new requests. I appreciate the time and effort you put into this.

Best Regards,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

Peter
Posts: 665
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: More control over IDP

Post by Peter » 07 Sep 2018, 08:04

This one has been implemented already by our technical writer:
COP-21321 - Give example in the admin guide on how individual IDP signatures can be used in the input field.
The new updated text in the admin guide will be part of future versions/documentation (probably 12.00.11 and onward).

/Peter

Peter
Posts: 665
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: More control over IDP

Post by Peter » 12 Sep 2018, 07:29

Short update: The documentation regarding IDP will, as I mentioned earlier, be updated in 12.00.11, but it will also be further updated in 12.00.12, as in that version a lot of the admin guide has been re-written to have more focus on using IP Policies instead of IP rules.

/Peter
