Managing user-defined Intrusion Detection rules
To detect intrusions in network traffic, you can use Intrusion Detection rules and additional Intrusion Detection methods that use built-in algorithms. When indicators of attacks are detected in traffic, Kaspersky Anti Targeted Attack Platform registers Intrusion Detection technology events.
A valid KATA or KATA + NDR license key is required to manage user-defined Intrusion Detection rules.
An Intrusion Detection rule describes a traffic anomaly that may signify an attack in the network. Rules contain conditions that the Intrusion Detection system uses to analyze traffic.
Intrusion Detection rules are applied if the Rule-based Intrusion Detection method is enabled. You can enable or disable the method.
You can use the following types of rule sets:
- System rule sets. These rule sets are supplied by Kaspersky and are designed to detect indicators of the most common attacks or unwanted network activity. System rule sets are available immediately after installing the application. You can update system rule sets by installing updates.
- User-defined rule sets. These are the rule sets that you upload yourself. The files you upload must contain data structures that define Intrusion Detection rules. Files that you want to upload must all be in the same directory, and they must have the .rules extension. The names of the custom rule sets match the names of the files from which the rule sets were uploaded.
User-defined Intrusion Detection rule sets are displayed in the Custom rules → Intrusion detection section.
The application supports up to 50,000 rules in total across all uploaded rule sets. You can upload up to 100 rule sets.
Rules loaded from user-defined rule sets may contain traffic analysis conditions that cause the application to register too many rule triggering events. In that case, you must keep in mind that registering too many events can impact the performance of the Intrusion Detection system.
Intrusion Detection rule sets can be enabled or disabled. Rules from an enabled rule set are applied when analyzing traffic if the Rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules in that rule set are not applied.
When a rule set is uploaded, the application checks the rules it contains. If any errors are found in the rules, the application blocks such rules and they are not applied. If errors are found in all rules of a rule set or the rule set does not contain any rules, the application disables such a rule set.
When conditions specified in a rule from an enabled set are detected in traffic, the application registers a rule triggering event. System event types are used for registration, which have the following codes:
- 4000003000 for an event involving a rule from the system rule set being triggered
- 4000003001 for an event involving a rule from a user-defined rule set being triggered
User-defined rule sets can contain rules obtained from other intrusion detection and prevention systems. When processing such rules, the application does not perform the specified actions that apply to network packets (for example, the drop and reject actions). When an intrusion detection rule triggers, Kaspersky Anti Targeted Attack Platform only registers an event.
The values of Kaspersky Anti Targeted Attack Platform event scores correspond to the priority values in the intrusion detection rules (see the table below).
Correspondence between rule priorities and event scores

| Priority values in intrusion detection rules | Kaspersky Anti Targeted Attack Platform event scores |
|---|---|
| 4 or more | 2.5 |
| 3 | 4.5 |
| 2 | 6.5 |
| 1 | 9 |
You can configure the settings for registering Intrusion Detection events under Settings → Event types.
You can view Intrusion Detection events in the table of registered events.
Users with the Senior security officer role can upload, enable, and disable user-defined Intrusion Detection rule sets. Users with the Security auditor role can view user-defined detection rule sets. Users with the Security officer role do not have access to user-defined intrusion detection rules.
Additional Intrusion Detection methods
To detect intrusions, you can use the following additional methods:
- Detection of signs of falsified addresses in ARP packets (ARP spoofing).
If ARP spoofing detection is enabled, Kaspersky Anti Targeted Attack Platform checks the addresses specified in ARP packets and detects indicators of low-level man-in-the-middle (MITM) attacks. This type of attack in networks that use the ARP protocol is indicated by fake ARP messages being found in the traffic.
When indicators of ARP spoofing are detected, the application registers Intrusion Detection technology events. System event types are used for registration, which have the following codes:
- 4000004001 for an event involving the detection of multiple ARP responses that are not associated with ARP requests
- 4000004002 for an event involving the detection of multiple ARP requests from the same MAC address to different recipients
- TCP Protocol Anomaly Detection.
If TCP Protocol Anomaly Detection is enabled, Kaspersky Anti Targeted Attack Platform scans TCP segments of the data stream in supported application layer protocols.
When Kaspersky Anti Targeted Attack Platform detects packets containing overlapping TCP segments with different content, it registers an Intrusion Detection technology event. Events are registered with system event type code 4000002701.
- IP Protocol Anomaly Detection.
If IP protocol anomaly detection is enabled, Kaspersky Anti Targeted Attack Platform scans fragmented IP packets.
When IP packet assembly errors are detected, the application registers Intrusion Detection technology events. System event types are used for registration, which have the following codes:
- 4000005100 for an event involving the detection of a data conflict during IP packet assembly (IP fragment overlapped)
- 4000005101 for an event involving the detection of an IP packet exceeding the maximum allowed size (IP fragment overrun)
- 4000005102 for an event involving the detection of an IP packet with the initial fragment smaller than expected (IP fragment too small)
- 4000005103 for an event involving the detection of mis-association of fragments of an IP packet (mis-associated fragments)
- Brute-force Attack and Scan Detection.
When Brute-force Attack and Scan Detection is enabled, Kaspersky Anti Targeted Attack Platform examines network activity statistics to detect indicators of brute force attacks, denial of service attacks, scanning, network service spoofing, and other anomalies.
This method uses built-in rules. When the rules are triggered, the application registers an Intrusion Detection technology event. Events are registered with system event type code 4000003002.
You can enable or disable methods. Additional Intrusion Detection methods can be applied regardless of whether Intrusion Detection rules exist or are enabled. Additional detection methods use built-in algorithms.
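The two ARP spoofing heuristics described above, as an added example that is not part of the original documentation and does not reproduce the platform's own algorithm: a small stateful checker over constructed ARP packet records that counts replies with no preceding request (the condition behind event code 4000004001) and requests from one MAC address to many different recipients (the condition behind event code 4000004002). The `ArpPacket` class, the `analyse_arp` function, the sample packets and both thresholds are assumptions made for this example; the page does not state the platform's thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """Minimal view of one ARP packet. opcode 1 = request, 2 = reply."""
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


# Thresholds are assumptions for this example; the page does not state the platform's own values.
UNSOLICITED_REPLY_THRESHOLD = 3
DISTINCT_TARGET_THRESHOLD = 5


def analyse_arp(packets, unsolicited_threshold=UNSOLICITED_REPLY_THRESHOLD,
                scan_threshold=DISTINCT_TARGET_THRESHOLD):
    """Return a list of (event_code, detail) findings.

    4000004001: a MAC sent at least `unsolicited_threshold` replies that no
                earlier request asked for.
    4000004002: a MAC sent requests for at least `scan_threshold` distinct targets.
    """
    pending = set()                  # (requester_ip, requested_ip) of requests awaiting a reply
    unsolicited = defaultdict(int)   # sender MAC -> replies with no matching request
    targets = defaultdict(set)       # sender MAC -> distinct IPs it asked about
    for p in packets:
        if p.opcode == 1:
            pending.add((p.sender_ip, p.target_ip))
            targets[p.sender_mac].add(p.target_ip)
        elif p.opcode == 2:
            # A reply answers a request in which the requester is now the target
            # and the requested IP is now the sender. One reply consumes the request,
            # so a second reply to the same request also counts as unsolicited.
            key = (p.target_ip, p.sender_ip)
            if key in pending:
                pending.discard(key)
            else:
                unsolicited[p.sender_mac] += 1
    findings = []
    for mac, count in unsolicited.items():
        if count >= unsolicited_threshold:
            findings.append(("4000004001",
                             f"{count} ARP replies from {mac} not associated with ARP requests"))
    for mac, ips in targets.items():
        if len(ips) >= scan_threshold:
            findings.append(("4000004002",
                             f"ARP requests from {mac} to {len(ips)} different recipients"))
    return findings


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    # A normal request/reply pair for the gateway 10.0.0.1.
    ArpPacket(1, "aa:aa:aa:aa:aa:01", "10.0.0.11", "00:00:00:00:00:00", "10.0.0.1"),
    ArpPacket(2, "aa:aa:aa:aa:aa:fe", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.11"),
    # Three replies claiming 10.0.0.1 that nobody asked for.
    ArpPacket(2, "de:ad:be:ef:00:01", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.11"),
    ArpPacket(2, "de:ad:be:ef:00:01", "10.0.0.1", "aa:aa:aa:aa:aa:02", "10.0.0.12"),
    ArpPacket(2, "de:ad:be:ef:00:01", "10.0.0.1", "aa:aa:aa:aa:aa:03", "10.0.0.13"),
] + [
    # One MAC asking about six different hosts in a row.
    ArpPacket(1, "ca:fe:00:00:00:01", "10.0.0.99", "00:00:00:00:00:00", f"10.0.0.{i}")
    for i in range(20, 26)
]

if __name__ == "__main__":
    for code, detail in analyse_arp(SAMPLE_PACKETS):
        print(code, detail)
```

Running the script reports one 4000004001 finding for `de:ad:be:ef:00:01` and one 4000004002 finding for `ca:fe:00:00:00:01`, while the first two packets on their own produce no finding. The request/reply pairing is deliberately keyed on IP addresses rather than MAC addresses, because a forged reply carries the legitimate IP with a different MAC; matching on MAC would hide exactly the case the method is meant to surface.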
Enabling and disabling sets of Intrusion Detection rules
Intrusion Detection rule sets can be Enabled or Disabled. If a rule set is disabled, none of the rules in that rule set are used for intrusion detection.
When you enable or disable selected rule sets, the Intrusion Detection system is restarted on all computers that have application components (Central Node and Sensor) installed. A restart is necessary to apply the changes.
Only users with the Senior security officer role can change the status of Intrusion Detection rule sets.
To change the status of Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- Select the check boxes next to the rule sets whose status you want to change.
- Right-click to open the context menu.
- In the context menu, select one of the following commands:
- Enable if you want to enable all disabled sets of rules from among the selected rule sets.
- Disable if you want to disable all enabled sets of rules from among the selected rule sets.
- Change the statuses of selected rule sets if you want to invert the statuses of all selected rule sets. This option allows you to quickly enable and disable selected rule sets with different statuses on all computers with installed application components: to apply the changes, you only need one restart of the Intrusion Detection system on these computers.
- In the confirmation window, click OK.
The statuses of the intrusion detection rule sets are changed.
Loading and replacing user-defined sets of Intrusion Detection rules
You can upload Intrusion Detection rule sets from files into the application. To be uploaded to the application, files with Intrusion Detection rule descriptions must be located in the same folder and have the .rules extension. File names may not contain the following characters: \ / : * ? , " < > |
Intrusion Detection rules uploaded from a file are saved in the application as a user-defined rule set. The name of the rule set is the same as the name of the file from which the rule set was uploaded.
When rule sets are uploaded from files, current user-defined rule sets are deleted from the table and replaced with new rule sets.
Only users with the Senior security officer role can upload user-defined Intrusion Detection rule sets.
To upload and replace user-defined Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- In the toolbar, click the Replace all user-defined rules button.
- In the confirmation window, click OK.
This opens the file upload window.
- Select the folder that contains the files that you need and click the button to upload files from this folder.
The rule set table displays new user-defined rule sets. All rule sets without errors are enabled.
- Check the uploaded rule sets for errors.
Information about the detected errors is displayed in the Rules column. The OK status is displayed if there are no errors. If the rule set contains errors, you can view detailed information about them by clicking Details.
- If necessary, enable or disable the rule sets (including the rule sets that have the Errors in some rules status).
User-defined Intrusion Detection rule sets are uploaded.
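The following Python script is an added example, not part of the original documentation and not the platform's own validator. It covers both the constraints stated in the overview (the .rules extension, the limits of 100 rule sets and 50,000 rules, the forbidden file-name characters, the fact that drop and reject actions only register an event, and the priority-to-score table) and the "check the uploaded rule sets for errors" step of the upload procedure above, as a check you can run locally on the folder before clicking Replace all user-defined rules. It assumes rule lines use Snort/Suricata syntax, treats an unparseable non-comment line as a rule the platform would block and a file with no parseable rules as one it would disable; those two interpretations of "errors", the function names and `SAMPLE_FILES` are assumptions made for this example.

```python
import re
from collections import Counter
from pathlib import Path

# Limits and constraints taken from the page.
MAX_RULE_SETS = 100
MAX_RULES_TOTAL = 50_000
FORBIDDEN_NAME_CHARS = set('\\/:*?,"<>|')

# Assumption: rule lines use Snort/Suricata syntax:
#   <action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)
# Bracketed address or port lists containing spaces are not handled by this simplified pattern.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass|log)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)$"
)
PRIORITY_RE = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")


def score_for_priority(priority):
    """Event score the page's table assigns to a rule priority (None if the rule has none)."""
    if priority is None or priority < 1:
        return None
    return {1: 9.0, 2: 6.5, 3: 4.5}.get(priority, 2.5)  # 4 or more -> 2.5


def parse_rule(line):
    """Return (action, priority) for a rule line, or None when the line is not parseable."""
    m = RULE_RE.match(line)
    if not m:
        return None
    prio = PRIORITY_RE.search(m.group("opts"))
    return m.group("action"), (int(prio.group(1)) if prio else None)


def check_rule_sets(files):
    """Check a {file name: file text} mapping and return a report dict."""
    report = {"problems": [], "rule_sets": {}, "total_rules": 0}
    if len(files) > MAX_RULE_SETS:
        report["problems"].append(f"{len(files)} files exceed the limit of {MAX_RULE_SETS} rule sets")
    for name, text in files.items():
        if not name.endswith(".rules"):
            report["problems"].append(f"{name}: no .rules extension, will not be uploaded")
        bad_chars = FORBIDDEN_NAME_CHARS & set(name)
        if bad_chars:
            report["problems"].append(f"{name}: forbidden characters in file name: {''.join(sorted(bad_chars))}")
        rules = unparsed = drop_or_reject = 0
        scores = Counter()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parsed = parse_rule(line)
            if parsed is None:
                unparsed += 1          # assumed to be a rule the platform would block
                continue
            action, priority = parsed
            rules += 1
            if action in ("drop", "reject"):
                drop_or_reject += 1    # the platform only registers an event for these
            scores[score_for_priority(priority)] += 1
        if rules == 0:
            status = "no rules"        # assumed to be a rule set the platform would disable
        elif unparsed:
            status = "errors in some rules"
        else:
            status = "ok"
        report["rule_sets"][name] = {
            "rules": rules, "unparsed": unparsed, "drop_or_reject": drop_or_reject,
            "expected_scores": dict(scores), "status": status,
        }
        report["total_rules"] += rules
    if report["total_rules"] > MAX_RULES_TOTAL:
        report["problems"].append(f"{report['total_rules']} rules exceed the limit of {MAX_RULES_TOTAL}")
    return report


def check_directory(path):
    """Read every file directly inside `path` and run check_rule_sets on them."""
    files = {p.name: p.read_text(encoding="utf-8", errors="replace")
             for p in Path(path).iterdir() if p.is_file()}
    return check_rule_sets(files)


# Constructed sample files (not real rule sets).
SAMPLE_FILES = {
    "web-policy.rules": "\n".join([
        "# constructed sample rule set",
        'alert http any any -> any any (msg:"Example test user-agent"; content:"EXAMPLE-SCANNER-UA"; sid:9000001; rev:1; priority:1;)',
        'drop tcp any any -> any 23 (msg:"Example telnet policy"; sid:9000002; rev:1; priority:3;)',
        "this line is not a rule",
    ]),
    "empty.rules": "# nothing here yet\n",
    'bad:name.rules': 'alert tcp any any -> any any (msg:"Example without priority"; sid:9000003; rev:1;)',
}

if __name__ == "__main__":
    report = check_rule_sets(SAMPLE_FILES)
    for name, info in report["rule_sets"].items():
        print(name, info)
    for problem in report["problems"]:
        print("problem:", problem)
```

On the sample data the report flags `web-policy.rules` as "errors in some rules" (two rules, one unparseable line, one drop rule that will only produce an event, expected scores 9 and 4.5), `empty.rules` as "no rules", and the forbidden colon in `bad:name.rules`. To check a real folder before the Replace all user-defined rules step, call `check_directory("/path/to/rules")` and fix anything listed under `problems` first, since the upload replaces every existing user-defined rule set at once.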
Removing user-defined sets of Intrusion Detection rules
You can delete all user-defined Intrusion Detection rule sets that were uploaded into the application from files. Selecting which user-defined rule sets to delete is not possible. If you want to use only some of the current rule sets in the application, you can copy the files with these sets to a separate folder and replace all user-defined rule sets with rule sets from this folder.
Only users with the Senior security officer role can delete user-defined Intrusion Detection rule sets.
To delete user-defined Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- In the toolbar, click the Delete all user-defined rules button.
- In the confirmation window, click OK.
This opens a window for selecting the folder with Intrusion Detection rule files.
All user-defined Intrusion Detection rule sets are deleted from the table.