EXPERT RESPONSE
You may be familiar with the "top-down" matching approach from the world of firewalls. When a firewall encounters new traffic, it starts at the top of its rule base and checks each rule to see if it matches the traffic. When the firewall finds a match, it performs the specified action and stops checking. Even if traffic matches more than one firewall rule, it will only be affected by the rule base's highest priority rule: the one that is first from the top.
IPS sensors typically use the same methodology: they process intrusion signatures beginning at the top of the list and then perform the action specified in the first matching rule. For this reason, it's important for every organization to sort its IPS signatures so that the most important rules are at the top. That way, when a packet matches multiple signatures, you'll be certain that the highest priority rule dictates the IPS response. Sorting your rules in this manner is a fairly simple process. In fact, the easiest way to approach this problem is to order them by the severity of the response: place all of your "reject" rules at the top of the list, followed by your "alert" rules, followed by your "allow" rules. This will ensure that the strongest applicable response takes priority.
More information:
A reader asks expert Ed Skoudis, "Is an IPS the best way to counter a botnet attack?"
Mike Chapple explains why a move away from host-based intrusion prevent systems does more harm than good.
|
