suricata50 · revision 2019/02/13 09:49 (current) by root; previous revision 2018/01/18 18:06 by root
======Attack detector======
  
The "Attack detector" module is located in the "Security" menu. It is used to enable, set up and configure the open source IDS/IPS Suricata that ships with ICS CUBE. Suricata is developed by the Open Information Security Foundation (OISF), founded in 2009. An Intrusion Prevention System (IPS) is a network security system that detects security breaches and attacks. It monitors network traffic in real time and can react to a match in different ways: drop the connection, log the matched signature, or let the traffic pass. It can also defragment IP packets and reassemble TCP streams, which protects against evasion by packets with altered SEQ and ACK numbers. Suricata is multithreaded, so it handles high loads (up to a 10 Gbit/s link on regular hardware), and among other rule formats it understands Snort rules. The main page of the module shows its status, the "Disable" button (or "Enable", if it is already disabled) and the latest log messages.
  
=====Settings=====
{{setup_detector.png}}
  
For the attack detector to apply its signature database correctly, in this tab you define the objects (networks, servers and ports) that should be examined: the internal and external networks, the address ranges of servers, and the ports in use. The default values are enough for the attack detector to start. To change a default, open the drop-down list in the cell and pick one of the address ranges known to ICS CUBE, or type the required value into the cell manually.

In the "networks" and "servers" cells you can use domain names (like host.ru), IP addresses (like 192.168.1.1), an IP address with a prefix (like 192.168.1.1/24), an IP address with a mask (like 192.168.1.1:255.255.255.0), an IP address range (like 192.168.1.1-192.168.1.254), as well as users, groups, the internal, external, VPN, OpenVPN and Wi-Fi networks and any other object that ICS CUBE manages. In the "ports" cells a port number (like 25, 100), a port range (like 1000-2000) and objects defined in ICS CUBE are allowed. Ports can also be excluded, for example "!80" in the «SHELLCODE-ports» cell. You must add the object "Local networks" to the "External networks" field for traffic to be analyzed.
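The cells above end up as Suricata variables (the address-groups and port-groups under vars: in suricata.yaml), and Suricata's own syntax is narrower than what the GUI accepts: it takes single addresses, CIDR prefixes, "!" negation and bracketed lists, but not "ip:mask", "a.b.c.d-a.b.c.e" ranges or host names, and port ranges are written with a colon (1000:2000). The following added example (not ICS CUBE's or Suricata's own code) converts the notations the page lists into Suricata syntax and renders a vars fragment. Which GUI cell populates which Suricata variable (HOME_NET, EXTERNAL_NET, HTTP_SERVERS, SHELLCODE_PORTS and so on) is an assumption, and the sample values are constructed.

```python
import ipaddress
from typing import Dict, List

# Added example: converts ICS CUBE attack-detector cell values into the syntax
# Suricata accepts in vars.address-groups / vars.port-groups. Not project code.


def to_suricata_addresses(value: str) -> List[str]:
    """Turn one address cell value into one or more Suricata address-group tokens.

    Accepts: IP, IP/prefix, IP:mask (IPv4), IP range, each optionally prefixed
    with "!" for negation. Ranges become the minimal set of CIDR blocks.
    """
    negate = value.startswith("!")
    v = value[1:].strip() if negate else value.strip()
    prefix = "!" if negate else ""
    if "-" in v:  # range a.b.c.d-a.b.c.e -> CIDR cover
        lo, hi = (ipaddress.ip_address(p.strip()) for p in v.split("-", 1))
        return [prefix + str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    if ":" in v and "." in v:  # IPv4 ip:mask -> CIDR (strict=False normalises host bits)
        ip, mask = v.split(":", 1)
        return [prefix + str(ipaddress.ip_network((ip, mask), strict=False))]
    try:  # plain IP or IP/prefix; 192.168.1.1/24 becomes 192.168.1.0/24
        return [prefix + str(ipaddress.ip_network(v, strict=False))]
    except ValueError:
        # Suricata variables cannot hold host names; resolve them before use.
        raise ValueError(f"{value!r}: host names are not valid in Suricata address groups") from None


def to_suricata_ports(value: str) -> str:
    """Turn a port cell value (25, 1000-2000, !80) into Suricata port-group syntax."""
    negate = value.startswith("!")
    v = value[1:].strip() if negate else value.strip()
    if "-" in v:
        lo, hi = (int(p) for p in v.split("-", 1))
    else:
        lo = hi = int(v)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{value!r}: port out of range")
    body = f"{lo}:{hi}" if lo != hi else str(lo)  # Suricata ranges use a colon
    return ("!" if negate else "") + body


def address_group(values: List[str]) -> str:
    tokens = [t for v in values for t in to_suricata_addresses(v)]
    return tokens[0] if len(tokens) == 1 else "[" + ",".join(tokens) + "]"


def port_group(values: List[str]) -> str:
    tokens = [to_suricata_ports(v) for v in values]
    return tokens[0] if len(tokens) == 1 else "[" + ",".join(tokens) + "]"


def render_vars(address_groups: Dict[str, List[str]], port_groups: Dict[str, List[str]]) -> str:
    """Render a suricata.yaml 'vars' fragment from GUI-style cell values."""
    lines = ["vars:", "  address-groups:"]
    for name, values in address_groups.items():
        lines.append(f'    {name}: "{address_group(values)}"')
    lines.append("  port-groups:")
    for name, values in port_groups.items():
        lines.append(f'    {name}: "{port_group(values)}"')
    return "\n".join(lines) + "\n"


# Constructed sample input; the cell-to-variable mapping is an assumption.
SAMPLE_ADDRESS_GROUPS = {
    "HOME_NET": ["192.168.1.1/24", "10.0.0.1:255.255.255.0"],
    "EXTERNAL_NET": ["!192.168.1.0/24"],
    "HTTP_SERVERS": ["192.168.1.1-192.168.1.254"],
}
SAMPLE_PORT_GROUPS = {"HTTP_PORTS": ["80", "8000-8080"], "SHELLCODE_PORTS": ["!80"]}

if __name__ == "__main__":
    print(render_vars(SAMPLE_ADDRESS_GROUPS, SAMPLE_PORT_GROUPS))
```

Two points worth noticing in the output: a range such as 192.168.1.1-192.168.1.254 does not collapse to one /24 (it excludes .0 and .255, so it needs fourteen CIDR blocks), and a domain name is rejected rather than silently passed through, because a Suricata variable that contains text Suricata cannot parse stops the engine from loading its rules.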
  
  
suricata50.txt · Last modified: 2019/02/13 09:49 by root