Kaspersky Anti Targeted Attack Platform

Managing IDS exclusions

Users with the Senior security officer role can add Kaspersky IDS rules to scan exclusions. Kaspersky Anti Targeted Attack Platform does not create detections when scanning by excluded IDS rules.

You can add to exclusions only IDS rules defined by Kaspersky. If you do not want to apply a user-defined IDS rule when scanning, you can disable this rule or delete it.

If you want to configure a singular exclusion, for example, for a specific source address, you can:

  1. Open information about the IDS detection for which you want to create a singular exception.
  2. Copy the IDS detection data in Suricata format and save it in any way that you find convenient.
  3. Add the Kaspersky IDS rule that generated the detection to exclusions from scanning.
  4. Add a new rule based on the properties of the excluded Kaspersky rule to the list of user-defined IDS rules in one of the following ways:
    • If the system already has user-defined IDS rules, export a file with the rules and add a new rule to this file with conditions that narrow down the rule using the Suricata syntax. An example of creating user-defined IDS rules is shown below.
    • If no user-defined IDS rules exist in the system yet, create a text file and add to it a rule with qualifying conditions using the Suricata syntax. An example of creating user-defined IDS rules is shown below.
  5. Import a file with the added rule.

We do not recommend using the above method of creating singular exclusions on a regular basis: a large number of user-defined IDS rules can get out of control and reduce the level of protection of the corporate LAN. We strongly recommend monitoring the results of the created exclusions. We also strongly recommend testing user-defined rules in a test environment before importing them. User-defined IDS rules may cause performance issues, in which case stable operation of Kaspersky Anti Targeted Attack Platform is not guaranteed.

Users with the Security auditor role can view the list of IDS rules added to exclusions, and view the properties of a selected rule.

Users with the Security officer role cannot view the list of IDS rules added to exclusions.

Examples of creating user-defined IDS rules based on the properties of an excluded Kaspersky rule

If you do not want one or more of the source and/or destination addresses to be included in the IDS detection, you can use the ! (NOT) operator.

Example:

For an IDS detection with data:

  • header: alert ip any any -> any any.
  • flow: established.
  • content: example.
  • sid: 10000000.

You can create the following user-defined IDS rules with singular exclusions:

  • alert ip !10.10.0.22 any -> any any (msg:"Example"; flow:established; content:"example"; sid:1000001;)

    This rule triggers for all sources except IP address 10.10.0.22 if a connection is established (flow:established) and if the payload contains the string "example".

  • alert ip ![10.10.0.22,10.10.0.23] any -> any any (msg:"Example"; flow:established; content:"example"; sid:1000002;)

    This rule triggers for all sources except IP addresses 10.10.0.22 and 10.10.0.23 if a connection is established (flow:established) and if the payload contains the string "example".

  • alert ip any any -> ![10.10.0.22,10.10.0.23] any (msg:"Example"; flow:established; content:"example"; sid:1000003;)

    This rule triggers for all destinations except IP addresses 10.10.0.22 and 10.10.0.23 if a connection is established (flow:established) and if the payload contains the string "example".

  • alert ip any any -> ![10.10.0.22,10.10.0.23] ![8080,8085] (msg:"Example"; flow:established; content:"example"; sid:1000004;)

    This rule triggers for all destinations except IP addresses 10.10.0.22 and 10.10.0.23, and for all destination ports except 8080 and 8085, if a connection is established (flow:established) and if the payload contains the string "example".

  • alert ip ![10.10.0.22,10.10.0.23] ![8080,8085] -> ![10.80.0.1,10.80.0.2,10.80.0.3] ![8080,8085,8090] (msg:"Example"; flow:established; content:"example"; sid:1000005;)

    This rule triggers if the source IP address and port, and the destination IP address and port, are not on the excluded lists, if a connection is established (flow:established) and if the payload contains the string "example".

  • alert ip ![10.10.0.22/24,10.10.0.23/16] any -> any any (msg:"Example"; flow:established; content:"example"; sid:1000006;)

    This rule triggers for all sources except subnets 10.10.0.22/24 and 10.10.0.23/16 if a connection is established (flow:established) and if the payload contains the string "example". Note that 10.10.0.23/16 already covers the whole 10.10.0.22/24 subnet, so the first entry is redundant; keep exclusion lists as narrow as possible and check that subnets do not overlap more than you intend.

  • alert ip ![10.10.0.22/24,10.10.0.23/16] any -> ![10.80.0.1/12,10.80.0.2/8] ![8080,8085] (msg:"Example"; flow:established; content:"example"; sid:1000007;)

    This rule triggers if the source and destination subnets are not excluded, the destination port is not 8080 or 8085, a connection is established (flow:established), and the payload contains the string "example".
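The singular-exclusion procedure above (copy the detection in Suricata format, exclude the Kaspersky rule, add a narrowed user-defined rule, import the file) is easy to get wrong by hand: a typo in a negated list, a sid that collides with an existing user-defined rule, or overlapping subnets. The following Python script is an added example, not Kaspersky Anti Targeted Attack Platform code or a supported tool: it takes the detection data quoted on this page, negates the chosen source/destination addresses and ports using the Suricata NOT syntax, normalizes CIDR entries (host bits masked, subnets already covered by a wider entry dropped), and picks a sid that is not used in a constructed sample of an exported user-defined rules file. The rule text, the sample rules file and all function names are constructed for illustration.

```python
"""Build a narrowed user-defined Suricata rule from an excluded Kaspersky IDS rule.

Added example, not code from Kaspersky Anti Targeted Attack Platform.  The rule
text, the exported rules file and every helper name below are constructed.
"""
import ipaddress
import re

# Constructed sample: the IDS detection data quoted in this topic, in Suricata format.
KASPERSKY_RULE = ('alert ip any any -> any any '
                  '(msg:"Example"; flow:established; content:"example"; sid:10000000;)')

# Constructed sample of an exported user-defined rules file, used for sid collision checks.
EXISTING_RULES = """# exported user-defined IDS rules
alert tcp any any -> any 445 (msg:"User rule"; sid:1000001;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(rule):
    """Split a one-line Suricata rule into its header fields and its option string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    return m.groupdict()


def normalize_networks(addrs):
    """Canonicalize an address list: mask host bits (10.10.0.22/24 -> 10.10.0.0/24)
    and drop networks already covered by a wider entry (10.10.0.0/24 inside 10.10.0.0/16)."""
    nets = list({ipaddress.ip_network(a, strict=False) for a in addrs})
    keep = [n for n in nets
            if not any(m != n and m.version == n.version and n.subnet_of(m) for m in nets)]
    keep.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    # Single hosts are written without a prefix length, as in the examples above.
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n) for n in keep]


def normalize_ports(ports):
    """Validate, deduplicate and sort a port list."""
    ps = sorted({int(p) for p in ports})
    if ps and not 0 <= ps[0] <= ps[-1] <= 65535:
        raise ValueError("port out of range: %r" % ports)
    return [str(p) for p in ps]


def negate(items):
    """Render a Suricata NOT list: !x for one item, ![x,y] for several."""
    return "!" + items[0] if len(items) == 1 else "![" + ",".join(items) + "]"


def used_sids(rules_text):
    """Collect every sid in a rules file, ignoring comment lines."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = re.search(r"\bsid\s*:\s*(\d+)", line)
            if m:
                sids.add(int(m.group(1)))
    return sids


def pick_sid(rules_text, reserved=(), start=1000001):
    """Lowest sid >= start that is neither in the rules file nor in `reserved`."""
    taken = used_sids(rules_text) | set(reserved)
    sid = start
    while sid in taken:
        sid += 1
    return sid


def narrow_rule(rule, sid, src=None, sport=None, dst=None, dport=None):
    """Copy `rule`, negate the given addresses/ports in its header and assign `sid`."""
    f = parse_rule(rule)
    if src:
        f["src"] = negate(normalize_networks(src))
    if dst:
        f["dst"] = negate(normalize_networks(dst))
    if sport:
        f["sport"] = negate(normalize_ports(sport))
    if dport:
        f["dport"] = negate(normalize_ports(dport))
    if not re.search(r"\bsid\s*:\s*\d+", f["opts"]):
        raise ValueError("rule has no sid option")
    opts = re.sub(r"\bsid\s*:\s*\d+", "sid:%d" % sid, f["opts"], count=1)
    return "%(action)s %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s (" % f + opts + ")"


if __name__ == "__main__":
    # Reserve the excluded Kaspersky rule's own sid as well as every exported user sid.
    new_sid = pick_sid(EXISTING_RULES, reserved=used_sids(KASPERSKY_RULE))
    print(narrow_rule(KASPERSKY_RULE, new_sid, src=["10.10.0.22", "10.10.0.23"],
                      dst=["10.80.0.1", "10.80.0.2"], dport=[8080, 8085]))
```

Append the printed line to the exported rules file and import that file as described in step 5. The normalization step deliberately differs from the literal examples above: it rewrites 10.10.0.22/24 and 10.10.0.23/16 to the single entry 10.10.0.0/16, since the /16 already contains the /24. Test the resulting rule in a test environment before importing it into production.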

[Topic 247774]

Viewing the table of IDS rules added to exclusions

To view the table of IDS rules added to exclusions:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Go to the IDS tab.

The table of excluded IDS rules is displayed. You can filter the rules by clicking links in column headers.

The table contains the following information:

  • Time created—Date and time when the IDS rule was added to exclusions.
  • Rule name—Name of the IDS rule.
  • Rule ID—ID of the IDS rule (the sid, or signature ID, in Suricata format).
  • Description—Description of the IDS rule.
  • Created by—Name of the user whose account was used to add the IDS rule to exclusions.

See also

Adding an IDS rule to exclusions

Editing the description of an IDS rule added to exclusions

Removing an IDS rule from exclusions

[Topic 197094]

Adding an IDS rule to exclusions

You can exclude Kaspersky IDS rules with medium or high importance alerts from event scanning.

You can add to exclusions only IDS rules defined by Kaspersky. If you do not want to apply a user-defined IDS rule for event scanning, you can disable that rule or delete it.

To add an IDS rule to exclusions:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contain.
  4. In the drop-down list on the right, select the (IDS) Intrusion Detection System technology.
  5. Click Apply.
  6. If you want to filter detections, click the importance filter icon to expand the list of filtering parameters and select the required filter.
  7. Select an alert for which the Detected column displays the name of the relevant IDS rule.

    This opens a window containing information about the alert.

  8. In the right part of the window, in the Recommendations section, Qualifying subsection, click Add to exclusions.

    This opens the Add IDS rule to exclusions window.

  9. In the Description field, enter a description for the IDS rule.
  10. Click Add.

The IDS rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the IDS tab in the application web interface. This rule is no longer used for creating alerts.

Users with the Security auditor role cannot add IDS rules to exclusions or modify entries in the list of IDS rules added to exclusions.

Users with the Security officer role do not have access to the list of IDS rules added to exclusions.

See also

Viewing the table of IDS rules added to exclusions

Editing the description of an IDS rule added to exclusions

Removing an IDS rule from exclusions

[Topic 247776]

Editing the description of an IDS rule added to exclusions

To edit the description of an excluded IDS rule:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contain.
  4. In the drop-down list on the right, select the (IDS) Intrusion Detection System technology.
  5. Click Apply.
  6. If you want to filter detections, click the importance filter icon to expand the list of filtering parameters and select the required filter.
  7. Select an alert for which the Detected column displays the name of the relevant IDS rule.

    This opens a window containing information about the alert.

  8. In the right part of the window, in the Recommendations section, Qualifying subsection, click Edit IDS exclusion.

    This opens the Edit IDS exclusion window.

  9. In the Description field, edit the description of the rule.
  10. Click Save.

The description of the excluded IDS rule is changed. The rule remains in exclusions and is still not used for creating alerts.

Users with the Security auditor role cannot edit IDS rule descriptions.

Users with the Security officer role do not have access to the list of IDS rules added to exclusions.

See also

Viewing the table of IDS rules added to exclusions

Adding an IDS rule to exclusions

Removing an IDS rule from exclusions

[Topic 247777]

Removing an IDS rule from exclusions

You can remove from exclusions a single IDS rule, multiple rules, or all rules at the same time.

To remove an IDS rule from exclusions:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Go to the IDS tab.

    The table of excluded IDS rules is displayed.

  3. Select the rule that you want to remove from exclusions.

    This opens a window containing information about the rule.

  4. Click Delete.

    This opens the action confirmation window.

  5. Click Yes.

The rule is removed from exclusions. The rule is no longer used for creating alerts.

To remove all or multiple IDS rules from exclusions:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Go to the IDS tab.

    The table of excluded IDS rules is displayed.

  3. Select check boxes next to rules that you want to remove from exclusions.

    You can select all rules by selecting the check box in the row containing the headers of columns.

  4. In the pane that appears in the lower part of the window, click Delete.

    This opens the action confirmation window.

  5. Click Yes.

The selected rules are removed from exclusions. The rules are no longer used for creating alerts.

Users with the Security auditor role cannot remove IDS rules from exclusions.

Users with the Security officer role do not have access to the IDS exclusion list.

See also

Viewing the table of IDS rules added to exclusions

Adding an IDS rule to exclusions

Editing the description of an IDS rule added to exclusions

[Topic 247778]