An Intrusion Detection rule describes a traffic anomaly that may signify an attack in the network. Rules contain conditions that the Intrusion Detection system uses to analyze traffic.
Intrusion Detection rules are applied if the Rule-based Intrusion Detection method is enabled. You can enable or disable the method.
You can use the following types of rule sets:
The application supports up to 50,000 rules in total across all uploaded rule sets. You can upload up to 100 rule sets.
Rules loaded from user-defined rule sets may contain traffic analysis conditions that cause the application to register an excessive number of rule triggering events. Keep in mind that registering too many events can degrade the performance of the Intrusion Detection system.
Intrusion Detection rule sets can be enabled or disabled. Rules from an enabled rule set are applied when analyzing traffic if the Rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules in that rule set are not applied.
When a rule set is uploaded, the application checks the rules it contains. If any errors are found in the rules, the application blocks such rules and they are not applied. If errors are found in all rules of a rule set or the rule set does not contain any rules, the application disables such a rule set.
When conditions specified in a rule from an enabled set are detected in traffic, the application registers a rule triggering event. Such events are registered using system event types with the following codes:
User-defined rule sets can contain rules obtained from other intrusion detection and prevention systems. When processing such rules, the application does not perform the specified actions that apply to network packets (for example, the `drop` and `reject` actions). When an intrusion detection rule triggers, Kaspersky Anti Targeted Attack Platform only registers an event.
The values of Kaspersky Anti Targeted Attack Platform event scores correspond to the priority values in the intrusion detection rules (see the table below).
Correspondence between rule priorities and event scores

| Priority values in intrusion detection rules | Kaspersky Anti Targeted Attack Platform event scores |
|---|---|
| 4 or more | 2.5 |
| 3 | 4.5 |
| 2 | 6.5 |
| 1 | 9 |
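As an added illustration (not the platform's own code), the following Python sketch models the behaviour described above for rules written in Snort/Suricata syntax: rules with errors are blocked, a rule set with no valid rules is disabled, `drop` and `reject` actions are downgraded to event registration only, and the priority-to-score mapping from the table is applied. The rule grammar, the treatment of a missing `sid` or `msg` as an error, and the default priority of 3 are assumptions, and the sample rules are constructed.

```python
import re

# Snort/Suricata-style rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
                       r"\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")

def event_score(priority: int) -> float:
    """Map a rule priority to the event score given in the page's table."""
    if priority >= 4:
        return 2.5
    return {3: 4.5, 2: 6.5, 1: 9.0}[priority]

def parse_rule(line: str):
    """Return a dict for a valid rule, or None if the rule is blocked as erroneous."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in [o.strip() for o in m["opts"].split(";") if o.strip()]:
        key, _, val = opt.partition(":")          # assumes no ';' inside option values
        opts[key.strip()] = val.strip().strip('"')
    if "msg" not in opts or not opts.get("sid", "").isdigit():
        return None                               # missing msg/sid treated as an error (assumption)
    prio = opts.get("priority", "3")              # Snort/Suricata default when unset (assumption)
    if not prio.isdigit() or int(prio) < 1:
        return None
    return {"sid": int(opts["sid"]), "msg": opts["msg"], "proto": m["proto"],
            "original_action": m["action"],
            "action": "alert",                    # drop/reject are not enforced; only an event
            "priority": int(prio), "score": event_score(int(prio))}

def load_rule_set(text: str) -> dict:
    """Upload check: block bad rules; disable the set if no valid rule remains."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    rules = [r for r in map(parse_rule, lines) if r is not None]
    return {"enabled": bool(rules), "rules": rules}

# Constructed sample rule set: a drop rule, a priority-1 alert, and a broken rule
SAMPLE = """\
# constructed sample rules (not from any real feed)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe"; sid:1000001; priority:2;)
alert http any any -> $HOME_NET any (msg:"Suspicious UA"; sid:1000002; priority:1;)
alert tcp any any -> any any (msg:"missing sid";)
"""

if __name__ == "__main__":
    rs = load_rule_set(SAMPLE)
    for r in rs["rules"]:
        print(r["sid"], r["original_action"], "->", r["action"], "score", r["score"])
```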