Understanding IDP IPS Rulebases

The intrusion prevention system (IPS) rulebase protects your network from attacks by using attack objects to detect known and unknown attacks. It detects attacks based on stateful signature and protocol anomalies. Table 44 summarizes the options that you can configure in the IPS-rulebase rules.

Table 44: IPS Rulebase Components

Term

Definition

Match condition

Specify the type of network traffic you want the device to monitor for attacks. For more information about match conditions, see Understanding IDP Rule Match Conditions.

Attack objects/groups

Specify the attacks you want the device to match in the monitored network traffic. Each attack is defined as an attack object, which represents a known pattern of attack. For more information about attack objects, see Understanding IDP Rule Objects.

Terminal flag

Specify a terminal rule. The device stops matching rules for a session when a terminal rule is matched. For more information about terminal rules, see Understanding IDP Terminal Rules .

Action

Specify the action you want the system to take when the monitored traffic matches the attack objects specified in the rules. If an attack triggers multiple rule actions, then the most severe action among those rules is executed. For more information about actions, see Understanding IDP Policy Rules.

IP Action

Enables you to protect the network from future intrusions while permitting legitimate traffic. You can configure one of the following IP action options in the IPS rulebase—notify, drop, or close. For more information about IP actions, see Understanding IDP Policy Rules.

Notification

Defines how information is to be logged when action is performed. You can choose to log an attack, create log records with the attack information, and send information to the log server. For more information, see Understanding IDP Policy Rules.

Related Topics