The “Attack detector” module is located in “Security” menu. This module is designed to enable, set up and configure the open source Intrusion Prevention System (IPS) - Suricata that is used in ICS CUBE.
IPS is a network security system, that can detect security breaches and attacks. IPS monitors network traffic in real time and can use different methods to prevent breaches: connection termination, logging of known signatures and letting healthy connections trough. IPS can also defragment packets, rearrange packet sequences to protect system from packages with altered SEQ and ACK numbers.
The Suricata system is multitasking, so it capable of high-load and can manage up to 10 Gbit traffic channel at the regular hardware and do other tasks, including interpretation of the Snort rule format.
The module has five tabs: “Attacks detector Suricata”, “Settings”, “Rules”, “Updating settings” and “Log”.
On the “Attacks detector Suricata” tab you can see status of this service and the “Disable” button (or “Enable”, if the module is disabled) and last log messages.
This tab is designed to configure the attack detector Suricata module. To use the attack detector signature database correctly in this tab you should specify such objects as: networks, servers and ports that should be monitored. Here you can specify internal and external networks, server network address ranges, and also ports in use. By default, there are values that allow attack detector to launch properly.
To change the default configuration you should open the drop-down list in the cell you want to modify and choose values from the address ranges, that are known to ICS CUBE. Or you can type the required value manually in the cell.
For the “networks” and “servers” cells, the following values are valid: domain name (like host.com), IP-address (like 192.168.1.1), IP-address with prefix (like 192.168.1.1/24), IP-address:mask (like 192.168.1.1:255.255.255.0), IP-address range (like 192.168.1.1-192.168.1.254), user, group, internal, external, VPN, OpenVPN, Wi-Fi networks and other object that ICS CUBE can manage.
For the “ports” cell the following values are valid: port number (like 25, 100), port ranges (like 1000-2000) and objects defined in ICS CUBE are allowed. You can also exclude ports, for example, “!80” for the «SHELLCODE ports» cell.
You must add the object “Local area networks” in the “External nets” field for traffic analyzing.
On this tab you can see available database for attack detector module. There are three rule databases: the “Rules from snort.org” source, the “Positive Technologies Open Ruleset (Attack Detection)” and the “Emerging Threats Rules”.
Each base contains set of downloadable files, and each file contains set of rules, grouped according to the security target. For a ruleset to work, it is necessary that the base has been downloaded (you can read about this in the “Updating settings”), if the base hasn't been downloaded, next to each file you will see the “was not downloaded” text.
If the base has been downloaded, you can choose either to use all of the base entirely, selecting the “Apply” checkbox. Or, if you want to apply a specific file, or exclude a specific file, you can mark the file with “Apply” checkbox. Next to each file you can see the amount of rules that it contains.
In the right top corner you can see search line - it works both with names and amount of rules in a file. To look through the rules and to choose an action you should click on the filename, and new window with a table will be opened.
The table contains following tabs:
This tab is used to configure the process of updating module rules.
There are 2 companies that are active developing attack prevention systems - Sourcefire and Emerging Threats.
To download base “Rules from snort.org” you should:
You can download rules using this code only. Pay attention to the difference between the privileges of the regular signed up user from the one who subscribed to updates.
After successful downloading of the rules, it will displays in the “Rules” tab without “was not downloaded” text.
For downloading the “Emerging Threats Rules” database you need to check the box “Install Emerging Threats” and press “Save” button.
For downloading the “Positive Technologies Open Ruleset (Attack Detection)” database you need to check the box “Positive Technologies Open Ruleset (Attack Detection)” and press “Save” button.
Also on this tab you can see the “Daily check for rules update” checkbox which is active by default.
After everything is set, you can press the “Update now” button.
The “Log” tab displays a summary of all system messages of the corresponding servers with the date and time. The log is divided into pages, using the “forward” and “back” buttons it is possible to go from page to page, or enter the number of the desired page.
Log entries are highlighted in color depending on the type of message. Normal system messages are marked in white, system status messages (on / off, user connection) are green, warnings are yellow, errors are red.
In the upper right corner of the log is a search bar. And the ability to select the period for displaying the event log. By default, the log displays events for the current date. If necessary, you can save the log data to a file by clicking the “Export” button or delete the log data for a certain period by clicking the “Delete logs” button.