DNA: Intrusion Detection / Prevention


Scope

This article describes the Intrusion Detection / Prevention (IDP) feature for the Datto Networking Appliance (DNA). 

Overview

To access the Intrusion Detection / Prevention card, log into the DNA web interface, and click Security, as shown in Figure 1.

Figure 1: Security

Once on the Security page, click the Intrusion Detection / Prevention link. You will see the Intrusion Detection / Prevention management card shown in Figure 2.

Figure 2: Intrusion Detection / Prevention card

The Intrusion Detection / Prevention (IDP) card manages the Datto Networking Appliance's Snort-based network intrusion detection and prevention (deep packet inspection) features. The available options are:

Enable: Turns Deep Packet Inspection on or off. When Enable is set to Yes, an IDP tab appears on the Recent Events card of the appliance's GUI, allowing you to view IDP events in real time.

Response Mode: Allows you to choose between Detect Only and Detect and Prevent.

  • If Response Mode is set to Detect Only, the appliance records detected network threats to the IDP log but takes no action against them.
  • If Response Mode is set to Detect and Prevent, the appliance takes action against detected threats and records both the event and the action taken to the IDP log.

Logging: Allows you to choose between High-risk and All Events (verbose) IDP logging.

Deep Packet Inspection uses the Snort Community Rules. Verbose logging can flood the IDP log, because the stream and HTTP preprocessor sanity checks listed below fire frequently on ordinary traffic. Setting logging to High-risk suppresses the following preprocessor events. Each entry is a Snort suppress directive keyed by generator ID and signature ID (gen_id 119 and 120 are http_inspect client- and server-side events, gen_id 129 is stream5); suppression stops Snort from logging that event but does not disable the preprocessor check itself.

# stream5: TCP Small Segment Threshold Exceeded
suppress gen_id 129, sig_id 12

# stream5: Reset outside window
suppress gen_id 129, sig_id 15

# stream5: TCP session without 3-way handshake
suppress gen_id 129, sig_id 20

# http_inspect: LONG HEADER
suppress gen_id 119, sig_id 19

# http_inspect: UNKNOWN METHOD
suppress gen_id 119, sig_id 31

# http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3

# http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
suppress gen_id 120, sig_id 7

# http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

# stream5: Data sent on stream not accepting data
suppress gen_id 129, sig_id 3

# stream5: TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4

# stream5: Data sent on stream after TCP Reset
suppress gen_id 129, sig_id 8

# stream5: TCP Timestamp is missing
suppress gen_id 129, sig_id 14

You can look up the meaning of each filter by its gen_id and sig_id in Snort's rule documentation. Search in the format gen_id-sig_id (for example, 129-12 for the first entry above).
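To see what the High-risk setting actually removes from the log, the following added example (not part of the original article, and not Datto or Snort code) parses the suppress list above in Snort threshold.conf syntax and applies it to a few constructed Snort alert_fast lines. Everything that survives is what High-risk logging would show; everything parsed is what All Events (verbose) would show. The alert lines, the signature ID 1:1000001 and the 129:13 message text are constructed for illustration.

```python
import re

# Constructed copy of the High-risk suppress list from the article,
# in Snort threshold.conf syntax.
HIGH_RISK_SUPPRESS_CONF = """
# stream5: TCP Small Segment Threshold Exceeded
suppress gen_id 129, sig_id 12
# stream5: Reset outside window
suppress gen_id 129, sig_id 15
# stream5: TCP session without 3-way handshake
suppress gen_id 129, sig_id 20
# http_inspect: LONG HEADER
suppress gen_id 119, sig_id 19
# http_inspect: UNKNOWN METHOD
suppress gen_id 119, sig_id 31
# http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
# http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
suppress gen_id 120, sig_id 7
# http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
# stream5: Data sent on stream not accepting data
suppress gen_id 129, sig_id 3
# stream5: TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4
# stream5: Data sent on stream after TCP Reset
suppress gen_id 129, sig_id 8
# stream5: TCP Timestamp is missing
suppress gen_id 129, sig_id 14
"""

# "suppress gen_id <gid>, sig_id <sid>"; comment lines simply do not match.
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")

# Snort alert_fast lines carry the event ID as "[**] [gid:sid:rev] message [**]".
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def parse_suppress(conf_text):
    """Return the set of (gid, sid) pairs suppressed by a threshold.conf fragment."""
    suppressed = set()
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            suppressed.add((int(m.group(1)), int(m.group(2))))
    return suppressed


def alert_ids(alert_line):
    """Extract (gid, sid) from an alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def filter_alerts(alert_lines, suppressed):
    """Keep alerts whose (gid, sid) is not suppressed; drop non-alert lines."""
    kept = []
    for line in alert_lines:
        ids = alert_ids(line)
        if ids is None or ids in suppressed:
            continue
        kept.append(line)
    return kept


def log_counts(alert_lines, suppressed):
    """Event counts a verbose log and a High-risk log would each contain."""
    parsed = [line for line in alert_lines if alert_ids(line) is not None]
    return {"verbose": len(parsed), "high_risk": len(filter_alerts(parsed, suppressed))}


# Constructed sample alerts (addresses from documentation ranges; 1:1000001 is a
# made-up local rule, and the 129:13 message text is illustrative only).
SAMPLE_ALERTS = [
    "01/01-12:00:01.000000  [**] [129:12:1] (stream5) TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 203.0.113.7:443 -> 192.0.2.10:51234",
    "01/01-12:00:02.000000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.0.2.10:51235 -> 203.0.113.8:80",
    "01/01-12:00:03.000000  [**] [1:1000001:1] LOCAL constructed example signature match [**] [Priority: 1] {TCP} 192.0.2.10:51236 -> 203.0.113.9:443",
    "01/01-12:00:04.000000  [**] [129:13:1] (stream5) constructed stream5 event not in the High-risk list [**] [Priority: 3] {TCP} 203.0.113.7:443 -> 192.0.2.10:51234",
]

if __name__ == "__main__":
    suppressed = parse_suppress(HIGH_RISK_SUPPRESS_CONF)
    print("suppressed IDs:", sorted(suppressed))
    print("counts:", log_counts(SAMPLE_ALERTS, suppressed))
    for line in filter_alerts(SAMPLE_ALERTS, suppressed):
        print("HIGH-RISK LOG KEEPS:", line)
```

Run against a real export of the IDP log, the same filter tells you which entries you would lose by switching from All Events to High-risk, so you can judge whether any of the noisy preprocessor events matter in your environment before turning them off.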

