This article describes the Intrusion Detection / Prevention (IDP) feature of the Datto Networking Appliance (DNA).
- Datto Networking Appliance (DNA)
Once on the Applications page, click the Intrusion Detection / Prevention link. You will see the Intrusion Detection / Prevention management card shown in Figure 2.
The Intrusion Detection / Prevention (IDP) card allows you to manage the Datto Networking Appliance's Snort Network Intrusion Detection & Prevention deep packet inspection features. The available options are:
The Enable option turns Deep Packet Inspection on or off. If you set Enable to Yes, an IDP tab will appear on the Recent Events card of the appliance's GUI, allowing you to view IDP events in real time.
Response Mode lets you choose between the following options: Detect Only and Detect and Prevent.
- Detect Only: Your appliance will record detected network threats to the IDP log.
- Detect and Prevent: Your appliance will take action against detected threats, and record the event and action taken to the IDP log.
This setting lets you choose between High-risk and All Events (verbose) IDP logging.
Deep Packet Inspection uses Community Rules. Verbose logging can cause the IDP log to become flooded with events. Setting logging to High-risk disables reporting for the following preprocessor filters.
# stream5: TCP Small Segment Threshold Exceeded
suppress gen_id 129, sig_id 12
# stream5: Reset outside window
suppress gen_id 129, sig_id 15
# stream5: TCP session without 3-way handshake
suppress gen_id 129, sig_id 20
# http_inspect: LONG HEADER
suppress gen_id 119, sig_id 19
# http_inspect: UNKNOWN METHOD
suppress gen_id 119, sig_id 31
# http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
# http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
suppress gen_id 120, sig_id 7
# http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
# stream5: Data sent on stream not accepting data
suppress gen_id 129, sig_id 3
# stream5: TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4
# stream5: Data sent on stream after TCP Reset
suppress gen_id 129, sig_id 8
# stream5: TCP Timestamp is missing
suppress gen_id 129, sig_id 14
You can learn more about the meaning of each filter by entering its gen_id and sig_id in the Snort rule doc search. Enter search criteria in the format gen_id-sig_id (129-13, as an example).
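The following is an added example, not Datto's or Snort's own code, showing what the High-risk logging setting does to the event stream: it parses Snort `suppress` directives of the form shown above into (gen_id, sig_id) pairs, drops constructed IDP alerts that match one of them, and formats the survivors in the gen_id-sig_id form the Snort rule doc search expects. The sample alerts and the message text of the 129-13 entry are constructed; the parser ignores the optional `track`/`ip` qualifiers Snort also allows on a suppress line.

```python
"""Apply Snort 'suppress gen_id N, sig_id N' directives to IDP alerts.

Added example (not Datto's or Snort's code). Mirrors the effect of the
High-risk logging setting: alerts whose generator/signature id pair is
named by a suppress line are not reported; everything else is kept.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# The suppress lines from the article. Snort's syntax is
# "suppress gen_id <n>, sig_id <n>" optionally followed by "track"/"ip"
# qualifiers, which this parser ignores.
HIGH_RISK_SUPPRESS_CONF = """
# stream5: TCP Small Segment Threshold Exceeded
suppress gen_id 129, sig_id 12
# stream5: Reset outside window
suppress gen_id 129, sig_id 15
# stream5: TCP session without 3-way handshake
suppress gen_id 129, sig_id 20
# http_inspect: LONG HEADER
suppress gen_id 119, sig_id 19
# http_inspect: UNKNOWN METHOD
suppress gen_id 119, sig_id 31
# http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
# http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
suppress gen_id 120, sig_id 7
# http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
# stream5: Data sent on stream not accepting data
suppress gen_id 129, sig_id 3
# stream5: TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4
# stream5: Data sent on stream after TCP Reset
suppress gen_id 129, sig_id 8
# stream5: TCP Timestamp is missing
suppress gen_id 129, sig_id 14
"""

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.IGNORECASE
)


def parse_suppress(conf: str) -> Set[Tuple[int, int]]:
    """Return the set of (gen_id, sig_id) pairs named by suppress directives."""
    pairs = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop comments, whole-line or trailing
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    msg: str


def doc_key(alert: Alert) -> str:
    """Key in the gen_id-sig_id format used by the Snort rule doc search."""
    return f"{alert.gen_id}-{alert.sig_id}"


def filter_alerts(alerts: List[Alert], suppressed: Set[Tuple[int, int]]) -> List[Alert]:
    """Keep only alerts that no suppress directive matches."""
    return [a for a in alerts if (a.gen_id, a.sig_id) not in suppressed]


# Constructed sample alerts: three preprocessor events from the suppressed
# list, one stream5 event whose id is not in the list (message text is
# constructed), and one rule-engine alert (gen_id 1), which the suppress
# lines above never touch.
SAMPLE_ALERTS = [
    Alert(129, 12, "stream5: TCP Small Segment Threshold Exceeded"),
    Alert(119, 31, "http_inspect: UNKNOWN METHOD"),
    Alert(120, 3, "http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"),
    Alert(129, 13, "stream5: constructed event not in the suppress list"),
    Alert(1, 1000001, "constructed community-rule alert (gen_id 1)"),
]


def high_risk_view(alerts: List[Alert]) -> List[str]:
    """Doc-search keys of the alerts that survive High-risk suppression."""
    kept = filter_alerts(alerts, parse_suppress(HIGH_RISK_SUPPRESS_CONF))
    return [doc_key(a) for a in kept]


if __name__ == "__main__":
    for key in high_risk_view(SAMPLE_ALERTS):
        print("reported:", key)
```

Running the block reports only 129-13 and 1-1000001: the twelve suppressed preprocessor ids are exactly the noise the High-risk setting removes, while community-rule alerts (generator 1) are unaffected either way.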
This setting lets you choose how the DNA prioritizes IDP:
- Prioritize security over throughput: Select this option to set IDP for packet inspection. In this mode, the DNA will inspect the individual packets that comprise network traffic. This can slow network performance.
- Balance throughput with security: Select this option to set IDP for flow inspection. In this setting, once a traffic flow session between a source IP address and port pair and a destination IP address and port pair is marked safe, the device stops applying inspection rules to the flow. This option is less resource-intensive.
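The toy model below is an added example, not Datto's or Snort's code, that contrasts the two prioritization modes just described. Packet mode runs every packet through the rule check; flow mode keys packets by the source IP/port and destination IP/port pair and, once a flow has been marked safe, skips rule evaluation for the rest of that flow. The rule check, the sample traffic and the "safe after N clean packets" policy are all constructed for illustration; the point a practitioner should take from it is the trade-off the article names: fewer inspections, but a flow marked safe is no longer watched.

```python
"""Toy comparison of packet inspection vs flow inspection.

Added example (not Datto's or Snort's code). Everything here is constructed:
the rule check is a substring test, the flow-trust policy is
'N consecutive clean packets', and the traffic is synthetic.
"""
from collections import namedtuple
from typing import Dict, List, Set, Tuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload")
Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent key: the same flow whichever side sends the packet."""
    a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    return (a, b) if a <= b else (b, a)


# Constructed stand-in for the Snort rule set: flag payloads carrying this marker.
SUSPICIOUS_MARKERS = (b"CONSTRUCTED-BAD-PATTERN",)


def rules_match(payload: bytes) -> bool:
    return any(m in payload for m in SUSPICIOUS_MARKERS)


class PacketModeIDP:
    """'Prioritize security over throughput': every packet is inspected."""

    def __init__(self) -> None:
        self.inspected = 0
        self.alerts: List[Tuple[FlowKey, bytes]] = []

    def process(self, pkt: Packet) -> None:
        self.inspected += 1
        if rules_match(pkt.payload):
            self.alerts.append((flow_key(pkt), pkt.payload))


class FlowModeIDP:
    """'Balance throughput with security': stop inspecting a flow once it is marked safe.

    safe_after is the constructed trust policy: a flow is marked safe after that
    many consecutive clean packets.
    """

    def __init__(self, safe_after: int = 3) -> None:
        self.safe_after = safe_after
        self.clean_count: Dict[FlowKey, int] = {}
        self.safe_flows: Set[FlowKey] = set()
        self.inspected = 0
        self.alerts: List[Tuple[FlowKey, bytes]] = []

    def process(self, pkt: Packet) -> None:
        key = flow_key(pkt)
        if key in self.safe_flows:
            return  # trusted flow: no rule evaluation at all
        self.inspected += 1
        if rules_match(pkt.payload):
            self.alerts.append((key, pkt.payload))
            self.clean_count[key] = 0
            return
        self.clean_count[key] = self.clean_count.get(key, 0) + 1
        if self.clean_count[key] >= self.safe_after:
            self.safe_flows.add(key)


def run(idp, packets: List[Packet]) -> Tuple[int, int]:
    """Feed packets through an IDP model; return (packets inspected, alerts raised)."""
    for p in packets:
        idp.process(p)
    return idp.inspected, len(idp.alerts)


# Constructed traffic between a LAN client and a web server (documentation addresses).
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"


def http_flow(sport: int, payloads: List[bytes]) -> List[Packet]:
    """Alternate client->server and server->client packets on one connection."""
    return [
        Packet(CLIENT, sport, SERVER, 80, p) if i % 2 == 0 else Packet(SERVER, 80, CLIENT, sport, p)
        for i, p in enumerate(payloads)
    ]


# Flow 1: ten benign packets. Flow 2: three clean packets, then the marker in
# packet five, after flow mode (safe_after=3) has already trusted the flow.
SAMPLE_TRAFFIC = http_flow(40000, [b"GET /index.html", b"HTTP/1.1 200 OK"] * 5) + http_flow(
    40001, [b"GET /a", b"200", b"GET /b", b"200", b"GET /CONSTRUCTED-BAD-PATTERN", b"200"]
)

if __name__ == "__main__":
    print("packet mode (inspected, alerts):", run(PacketModeIDP(), SAMPLE_TRAFFIC))
    print("flow mode   (inspected, alerts):", run(FlowModeIDP(safe_after=3), SAMPLE_TRAFFIC))
```

On this traffic packet mode inspects all 16 packets and raises the one alert; flow mode inspects 6 and raises none, because flow 2 was marked safe before the flagged packet arrived. That is the resource saving and the blind spot in one run, which is why the article's "Prioritize security over throughput" wording is accurate: choose flow inspection where throughput matters more than catching late-arriving content in an already-trusted session.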