The Network IDS tab allows configuration of the network intrusion detection system in the Alert Logic® console.
Policies
Protected Hosts
The protected hosts policy controls how traffic is sent from a protected host to the Alert Logic threat management appliance. In it you can enable encryption of the mirrored traffic before it is transported to the appliance for analysis, so that captured packets are not exposed in clear text between the host and the appliance.
Assignment
Assignment policies specify which IDS appliance a protected host sends its traffic to for analysis. More than one appliance can be added to a policy for redundancy.
In a dynamic environment where IP addresses change often, an assignment policy keeps each host mapped to its appliance regardless of the address the host currently holds.
For more information, refer to our Assignment Policies help documentation.
Certificates and Keys
The Alert Logic SSL Decryptor extends the intrusion detection system (IDS) so that the appliance can inspect traffic that is encrypted with SSL/TLS.
If your protected services use Secure Sockets Layer (SSL) or TLS, upload the server certificate and its corresponding private key. The decryptor uses the key to decrypt the traffic for analysis. Once uploaded, the certificate and key are assigned to your IDS appliances automatically. Treat the uploaded private key as a high-value secret: anyone who holds it can decrypt the same traffic. Note also that decryption from a server's private key only recovers sessions negotiated with RSA key exchange; cipher suites that use ephemeral (forward-secret) key agreement cannot be decrypted from the server key alone.
For more information, refer to our Alert Logic SSL Decryptor help documentation.
Alert Rules
You can create a collection alert rule in the Alert Logic console to be alerted when an agent or appliance stops collecting or stops sending traffic, or when an assignment policy breaks.
TARGET TYPE: AGENT
ALERT TYPE | DESCRIPTION
Collection | Indicates any issue that has interrupted the collection of network traffic; this type is inclusive of all other available alert types.
Error Status | Reflects an agent health state that requires some triage on the part of the customer.
Offline Status | An offline agent may be expected (for example, a decommissioned host); if it is not, this is a condition a user may want to be alerted on.
Assignment | Indicates a broken assignment policy, such as an orphaned agent with no appliance to send traffic to.

TARGET TYPE: APPLIANCE
ALERT TYPE | DESCRIPTION
Collection | Indicates any issue that has interrupted the collection of network traffic; this type is inclusive of all other available alert types.
Too Many IP Addresses Assigned | Indicates that HOME_NET (the appliance's protected-network definition) has run out of room to add more IPs/subnets.
For more information, refer to our Alert Rule help documentation.
Blocking Configuration
Blocking is an IDS feature that instructs a configured firewall to block an attacker from reaching a host, keyed on a specific port, signature type, or attacking host. A block is issued only after a threat event has been recognized, so blocking is reactive: the traffic that triggered the event has already reached the host.
When a block is issued, a shun command is sent to the configured firewall. After the allotted block time, Alert Logic threat management logs back in to the firewall and issues a no-shun command to remove the block.
An event-based block is triggered when a particular event is generated. A block and an incident can both be created for the same traffic.
For more information, visit our Blocking knowledge base article.
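The block lifecycle described above, as an added illustration rather than Alert Logic's own code: a recognized event matches a blocking rule, a shun command goes to the firewall, and after the allotted time the block is released with a no-shun command. The rule fields, the command strings, the simulated firewall and the sample events are assumptions made for this example.

```python
"""Event-driven firewall blocking with timed release.

Added illustration, not Alert Logic's own code. It models the lifecycle
the documentation describes: a recognized threat event matches a
blocking rule, a "shun" command is issued to the configured firewall,
and after the allotted block duration a "no shun" command releases it.
The rule fields, the command strings, the simulated firewall and the
sample events are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """A threat event recognized by the IDS (constructed sample input)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    signature_type: str
    timestamp: float  # seconds


@dataclass(frozen=True)
class BlockRule:
    """Assumed rule shape: match on attacker host, destination port and/or
    signature type; unset fields match anything."""
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None
    signature_type: Optional[str] = None
    duration: float = 600.0  # seconds the block stays in place

    def matches(self, ev: Event) -> bool:
        return ((self.src_ip is None or ev.src_ip == self.src_ip)
                and (self.dst_port is None or ev.dst_port == self.dst_port)
                and (self.signature_type is None
                     or ev.signature_type == self.signature_type))


class SimulatedFirewall:
    """Stand-in for the configured firewall; records the commands it receives."""

    def __init__(self) -> None:
        self.commands: List[str] = []
        self.shunned: set = set()

    def shun(self, ip: str) -> None:
        self.commands.append(f"shun {ip}")
        self.shunned.add(ip)

    def no_shun(self, ip: str) -> None:
        self.commands.append(f"no shun {ip}")
        self.shunned.discard(ip)


class BlockManager:
    """Issues shun/no-shun commands in response to events and timers."""

    def __init__(self, firewall: SimulatedFirewall, rules: List[BlockRule]) -> None:
        self.fw = firewall
        self.rules = rules
        self.active: Dict[str, float] = {}  # attacker IP -> block expiry time
        self.incidents: List[Event] = []

    def handle_event(self, ev: Event) -> bool:
        # Every recognized event is recorded; a block may be issued for the
        # same traffic, so an incident and a block can coexist.
        self.incidents.append(ev)
        # Blocking is reactive: nothing is shunned until an event matches.
        for rule in self.rules:
            if rule.matches(ev):
                expiry = ev.timestamp + rule.duration
                if ev.src_ip in self.active:
                    # Already blocked: extend the window, do not re-issue the shun.
                    self.active[ev.src_ip] = max(self.active[ev.src_ip], expiry)
                else:
                    self.fw.shun(ev.src_ip)
                    self.active[ev.src_ip] = expiry
                return True
        return False

    def expire(self, now: float) -> List[str]:
        """Release every block whose allotted time has elapsed."""
        released = []
        for ip, expiry in list(self.active.items()):
            if now >= expiry:
                self.fw.no_shun(ip)
                del self.active[ip]
                released.append(ip)
        return released


def run_demo():
    """Drive the manager with constructed events; returns what the firewall saw."""
    fw = SimulatedFirewall()
    mgr = BlockManager(fw, [
        BlockRule(signature_type="sql-injection", duration=300),
        BlockRule(dst_port=22, duration=60),
    ])
    events = [
        Event("198.51.100.7", "10.0.0.5", 443, "sql-injection", 0),   # blocked for 300 s
        Event("198.51.100.7", "10.0.0.5", 443, "sql-injection", 10),  # repeat: extends, no new shun
        Event("203.0.113.9", "10.0.0.5", 80, "port-scan", 20),        # no rule: incident only
        Event("203.0.113.9", "10.0.0.6", 22, "ssh-brute-force", 30),  # port rule: blocked for 60 s
    ]
    blocked = [mgr.handle_event(ev) for ev in events]
    released_at_100 = mgr.expire(100)  # SSH block expired at 90; SQLi block runs to 310
    released_at_400 = mgr.expire(400)
    return fw.commands, blocked, released_at_100, released_at_400, len(mgr.incidents)


if __name__ == "__main__":
    print(run_demo())
```

The manager never re-issues a shun for an attacker that is already blocked; it only extends the expiry, which avoids flooding the firewall with duplicate commands during a sustained attack while still honouring the longest applicable block window.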
Browse Devices
A zone is a set of one or more host groups. Alert Logic creates default zones for your account based on your initial configuration discussions. You can add and modify zones to group hosts logically and apply policies in your environment. You can also use zones to limit the information users can view: a zone restricts the collected data that a user account can see. For IDS, the restricted data are events; for log management, they are log messages.
A host group is a set of one or more hosts. For each host group you identify the zone that contains it and the importance (criticality) of its hosts. You also specify whether assets in that host group contain financial or medical information.
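The zone and host group hierarchy, and the rule that a user sees only events from zones they are allowed to view, as an added example that is not Alert Logic's own code. The record shapes, the criticality values, the sample hosts and events, and the deny-by-default treatment of addresses that belong to no host group are assumptions made for this example.

```python
"""Zone-scoped event visibility.

Added illustration, not Alert Logic code. Models the hierarchy the
documentation describes (zone -> host group -> host, with a criticality
and regulated-data flags per host group) and the rule that a user
account sees only IDS events from zones it may view. The record shapes,
sample data and deny-by-default handling of unknown addresses are
assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class HostGroup:
    """Assumed host group record: its zone, the criticality of its hosts,
    and the financial/medical data flags the console asks for."""
    name: str
    zone: str
    criticality: str  # assumption: "low", "medium" or "high"
    hosts: FrozenSet[str]
    financial_data: bool = False
    medical_data: bool = False


def build_host_index(groups: Iterable[HostGroup]) -> Dict[str, HostGroup]:
    """Map each host to its host group, refusing ambiguous membership."""
    index: Dict[str, HostGroup] = {}
    for group in groups:
        for host in group.hosts:
            if host in index:
                raise ValueError(f"{host} is in both {index[host].name} and {group.name}")
            index[host] = group
    return index


def visible_events(events: List[dict], user_zones: Iterable[str],
                   index: Dict[str, HostGroup]) -> List[dict]:
    """Return the IDS events a user restricted to `user_zones` may see.

    An event is visible only when one of its endpoints is a host in a zone
    the user can view. Addresses in no host group (for example an external
    attacker) carry no zone, so an event touching only unknown addresses is
    hidden: deny by default.
    """
    allowed = set(user_zones)
    result = []
    for ev in events:
        zones = {index[ip].zone for ip in (ev["src_ip"], ev["dst_ip"]) if ip in index}
        if zones & allowed:
            result.append(ev)
    return result


# Constructed sample data, not taken from the documentation.
GROUPS = [
    HostGroup("web-dmz", zone="Production", criticality="high",
              hosts=frozenset({"10.0.1.10", "10.0.1.11"})),
    HostGroup("billing", zone="Production", criticality="high",
              hosts=frozenset({"10.0.2.20"}), financial_data=True),
    HostGroup("lab", zone="Development", criticality="low",
              hosts=frozenset({"10.9.0.5"})),
]
EVENTS = [
    {"id": 1, "src_ip": "198.51.100.7", "dst_ip": "10.0.1.10", "signature": "sql-injection"},
    {"id": 2, "src_ip": "198.51.100.7", "dst_ip": "10.9.0.5", "signature": "port-scan"},
    {"id": 3, "src_ip": "198.51.100.8", "dst_ip": "203.0.113.40", "signature": "port-scan"},
    {"id": 4, "src_ip": "10.0.2.20", "dst_ip": "10.9.0.5", "signature": "ssh-brute-force"},
]


def demo(user_zones: Iterable[str]) -> List[int]:
    """IDs of the sample events visible to a user limited to `user_zones`."""
    index = build_host_index(GROUPS)
    return [ev["id"] for ev in visible_events(EVENTS, user_zones, index)]


if __name__ == "__main__":
    print("Production:", demo(["Production"]))
    print("Development:", demo(["Development"]))
```

Event 4 crosses zones (a billing host talking to a lab host), so it is visible to users of either zone; event 3 involves no protected host at all and is shown to nobody. A host that appears in two host groups is rejected when the index is built, since its zone, and therefore who may see its events, would otherwise be ambiguous.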