manualshive.com logo in svg

Solida systems SL-1000, User Manual

The Solida systems SL-1000 offers outstanding performance and convenience, revolutionizing your user experience. Enhance your understanding of this remarkable product by downloading the comprehensive user manual, absolutely "free". Find this invaluable resource exclusively at manualshive.com, ensuring effortless access to all the information you need.

Share
Download
background image

 

 

 

 

 

19 

©

 SOLIDA SYSTEMS INTERNATIONAL 

2016 

6. Intrusion Detection and Prevention Rules 

 

6.1 Rule Overview 

 

To protect against intrusion attacks, Solida appliances rely on a rule engine that can perform deep 

packet inspection (DPI) of Ethernet packets, flowing through the appliance. The DPI engine can 

inspect all packets and look for signatures and any combination of data patterns, such as port 

scans, OS finger printing and vulnerability scans. 

 

The DPI engine is controlled by detection rules. These rules instruct the DPI engine what to look 

for in the packets and what action to take if a pattern match is detected.  

 

Solida provides a set of system rules that includes protection from many types of penetration 

attempts. An expert user can also create custom rules. Writing custom rules requires detailed 
knowledge of rule writing, and the different types of packets flowing over a network. Such custom 

rules can be created using the rule editor in the Solida configuration application. In most cases it is 

recommended to use the system rules provided by Solida through the threat feed. 

 

6.2 Rule List 

 

Detection rules can be created and edited trough the configuration application. Start the 

application and navigate to “Rule List”. This will show a list over all available rules in the appliance. 

 

 

 

 

Summary of Contents for SL-1000

Page 1: ...USER MANUAL Version 1 0 January 2017 WWW SOLIDASYSTEMS COM SL 1000 Security Appliance ...

Page 2: ...Email Addr 12 4 4 6 Event Notification Emails 12 4 4 REPUTATION THREAT LIST UPDATES 13 4 4 1 About Tor Exit Nodes 14 4 5 SET MOBILE APPLICATION PASSWORD 14 4 5 SETTING THE TIME ZONE 15 5 REPUTATION BASED DETECTION 16 5 1 OVERVIEW 16 5 2 DGA LIST 16 5 3 LIST UPDATES 17 6 INTRUSION DETECTION AND PREVENTION RULES 19 6 1 RULE OVERVIEW 19 6 2 RULE LIST 19 6 3 RULE SETS 20 6 4 ACTIVATING A RULE SET 20 6...

Page 3: ... 10 2 DOWNLOADING A SUPPORT BUNDLE 28 11 DATA LOGGING 30 11 1 PACKET LOGGING 30 11 2 DROPPED PACKET LOGGING 30 11 3 EVENT LOGGING 30 11 4 HTTP LOGGING 31 11 5 DOWNLOADING LOG FILES 31 11 8 DELETING LOG FILES 32 12 REMOTE MONITORING 33 12 1 SOLIDA MULTI INTRODUCTION 33 12 2 SETTING UP REMOTE MONITORING 33 ...

Page 4: ...rm of a data feed hosted in the cloud This threat feed is updated hourly and includes malicious URLs domain names and IP addresses These are harvested from various international threat intelligence sources The threat feed includes information about current threats such as ransomware phishing sites trojans and many other threat categories 1 2 Intrusion Detection and Prevention Intrusion detection a...

Page 5: ...the SL 1000 The management port is marked MGNT The default factory configuration for the high speed Ethernet ports is Port 0 WAN WAN side Internet connected router Port 1 LAN1 LAN side LAN side network switch Port 2 LAN2 MGNT Configuration and monitoring Port 3 LAN3 Unused The default factory settings can be changed through the web configuration utility that is accessed through a browser over the ...

Page 6: ...c The SL 1000 appliance operates in stealth mode It does not require any IP addresses for its ports other than for the MGNT management port Figure 2 2 Typical Installation For larger networks it might be necessary to protect multiple sections of the network with dedicated security appliances For those installations make sure that the WAN port is connected upwards towards the Internet router side C...

Page 7: ...page will appear in the browser window Enter the supplied user name and password to log in Some networks might use another IP address range other than 192 168 x x for example 10 32 x x If this is the case it will be required to change the management ports IP address before the appliance is connected to the LAN side switch To change the default IP address direct connect a computer with the applianc...

Page 8: ...applications Creating and managing the user credentials is done through the configuration application First navigate to the Configuration page and then locate the box named Manage Users To create a new user press the button named Add User and enter the new credentials in the indicated fields Figure 3 2 Add new user box The drop down menu at the top of the Add New User window contains two options M...

Page 9: ...to keep the factory default setting Figure 4 1 Ethernet Port Configuration Operating Mode The only supported operation mode is Single LAN WAN ports Port 0 usage Selects if port 0 should be facing the Internet side or the LAN side Port 1 usage Selects if port 0 should be facing the Internet side or the LAN side 4 2 Appliance Name An appliance should be given a name The name can be used as an identi...

Page 10: ...ts Only under very special circumstances should the factory default be changed Changing the factory default will prohibit the appliance from detecting all possible malwares and other threats To change the factory default setting start the configuration utility and navigate to Configuration Locate the block titled Deep Packet Inspection Configuration It will look as shown in the picture below Figur...

Page 11: ... support for sending regular emails containing information about the number of events in the system and their severity This is a useful feature since it will not be required to constantly monitor the appliance through the monitoring application 4 4 1 Setting Up Email Notification To set up email notification login to the configuration application and navigate to Admin Configuration Locate the box ...

Page 12: ...nt Email Addr This text box shows the current email address in use assuming this feature is enabled This address will be the recipient for the event status emails 4 4 5 New Email Addr Enter a valid email address into this box This is the new address that will be used to receive these emails Once the above fields have been filled in press the Activate button This will activate the new configuration...

Page 13: ...he factory default is to allow for all these lists to be included in the cloud updates Changing this factory default should only be done in very special cases Disabling a list results in the possibility of malicious packets being able to penetrate the network and cause escalating damage To change the factory default setting start the configuration utility and navigate to Configuration Locate the b...

Page 14: ...s would be in countries that censor their citizens Internet traffic In those circumstances the Tor network can be used to circumvent such censorship Then it is recommended to disable the inclusion of Tor endpoints in the IP blacklist 4 5 Set Mobile Application Password The appliance can be monitored with a mobile phone application This application requires a password to log into the cloud server t...

Page 15: ...etting The Time Zone The appliance use time stamps for various events Therefore it is required to set the time zone which the appliance is operating in Figure 4 7 Setting the time zone Select the desired time zone and press the Activate button ...

Page 16: ...eputation lists might not yet have registered this 5 2 DGA List The most important data in the threat feed is the list of Domain Generation Algorithm DGA generated domain names Many ramsomware and other serious malware use DGAs to generate a large number of domain names These domain names are used to try and connect with their command and control servers C2 The large number of auto generated domai...

Page 17: ...iance automatically connects with this cloud service once every hour to download new updated versions of the lists This guarantees that the appliance always contains information about the latest threats seen in the wild To monitor the list update process and the list sizes start the configuration application and navigate to Threat Intelligence Threat Lists A similar page is available at the same l...

Page 18: ...ion Entries The number of domain names in this list IP Reputation Entries The number of IP addresses both IPv4 and IPv6 in this list TOR endpoints The number of Tor endpoints provided this list is included The above threat lists are not user modifiable ...

Page 19: ... the packets and what action to take if a pattern match is detected Solida provides a set of system rules that includes protection from many types of penetration attempts An expert user can also create custom rules Writing custom rules requires detailed knowledge of rule writing and the different types of packets flowing over a network Such custom rules can be created using the rule editor in the ...

Page 20: ...ppliance will start its packet scanning using all the rules included in the rule set To display and create rule sets start the configuration utility and navigate to Rule Sets This will show a list over all available rule sets Figure 6 2 Rule set list in the GUI configuration utility 6 4 Activating a Rule Set To activate a rule set select the rule set by clicking on its row in the GUI Then click th...

Page 21: ... 6 6 Creating Custom Rules It is beyond this manual to explain in detail how to write custom rules Please refer to the many tutorials and documentation available on the Internet on how to write detection rules A rule is created using the configuration application Start the application and navigate to the Rule List page This page will display a list of all rules currently available in the appliance...

Page 22: ... a unique rule id that identifies the rule The rule id consists of 9 numbers It is common practice to group rules into categories As an example the first thee numbers identifies the general type of rule For example UDP rules TCP rules ICMP rules The next three digits identify the type of threat the rule concerns The last three digits could be a general identifier that is incremented by one for eac...

Page 23: ...Events are stored in a database in the appliance to allow for tracking and statistics gathering Events are also written to log files that can easily be downloaded from the appliance through the GUI These event files can then be correlated with other down loadable packet log files so that a security analyst can investigate the root cause of the event Events can be monitored using the built in monit...

Page 24: ...les of such events are DNS queries generated by a ransomware DGA engine or malwares trying to connect with a C2 server All network packets resulting in critical events will be automatically dropped to mitigate further infection to the network The event includes the source and destination IP addresses of the offending packets Which allows for prompt identification of the infected computer on the ne...

Page 25: ...mportant to remove the infected computer from the rest of the network Some advanced ransomwares are capable of propagate through the network and infect additional computers The critical events will be listed with the source and destination IP addresses visible Use the destination IP address from the event and match that with a computer in the LAN that uses this IP address This is the computer that...

Page 26: ... update start the configuration application and navigate to Software Updates in the menu side bar This will present the following window Figure 9 1 Software update GUI window The upper System Control Center box contains the following Firmware version Displays the currently active internal firmware version number JSOSD version Displays the version of the current security OS daemon The button named ...

Page 27: ...w version Please note it will take as long as 5 minutes for a software update to complete During this time no network traffic will be able to flow through the appliance After the update has completed please reset the browser history to guarantee the browser will display the latest version of the web utilities ...

Page 28: ...n the appliance experiencing a problem Navigate to Software Updates This will display a window that contains a blue button with the text Generate Support Bundle Pressing this button and answering Yes in the confirmation box will start generating a support bundle Note that it might take up to 5 minutes or more for the bundle generation to complete 10 2 Downloading a Support Bundle Once a support bu...

Page 29: ...29 SOLIDA SYSTEMS INTERNATIONAL 2016 available support bundles that are ready to be downloaded Please note it will take up to 5 minutes for a new support bundle to appear in this directory ...

Page 30: ...e resulting log files can become very large so it is important to select an appropriate rollover option to avoid filling up the disk space in the appliance Packet logging should be disabled during normal usage 11 2 Dropped Packet Logging This option will log all network packets that are dropped by the appliance Packets will be dropped by the rule engine as well as by the reputation detection engin...

Page 31: ... Figure 11 2 HTTP logging configuration window 11 5 Downloading Log Files Log files can be downloaded using either the configuration application or the monitoring application To download a log file navigate to the Log File Management menu option This will open up a file management interface as shown in the picture below Figure 11 3 Log file management window ...

Page 32: ...og file directory To delete a file within the directory right click on the file and select Delete The file will be permanently deleted from the appliance It is also possible to rename a log file Right click on the file to rename it Even though possible never delete a log file directory Please note that some log files become very large The appliance has limited space for log files Therefore always ...

Page 33: ... Multi all security related events will be pushed up to the reporting server Log files including the system log file will also be pushed up to allow the user to download these files remotely 12 2 Setting Up Remote Monitoring Enabling remote monitoring in an appliance is a simple operation The below picture shows the configuration window and its options Figure 12 1 Remote monitoring configuration S...

Page 34: ...MS INTERNATIONAL CO LTD 1000 19 20 Liberty Plaza Building Floor 12A Thonglor Sukhumvit Soi 55 Klongtan Nua Wattana Bangkok Thailand 10110 Tel 66 2 714 8900 Email info solidasystems com Website www solidasystems com ...

Reviews:

No comments

Related manuals for SL-1000

JBL CS1500 Brochure preview
CS1500
Brand: JBL Pages: 4
Panasonic WJ-NV200 Product Catalog preview
WJ-NV200
Brand: Panasonic Pages: 124
Garmin FUSION Apollo MS-WB670 Owner'S Manual preview
FUSION Apollo MS-WB670
Brand: Garmin Pages: 44
Laars NEOTHERM NTH User Information preview
NEOTHERM NTH
Brand: Laars Pages: 14
NA-DE 10951 Quick Start Manual preview
10951
Brand: NA-DE Pages: 2
NA-DE 10901 Instruction Manual preview
10901
Brand: NA-DE Pages: 5
NA-DE 10901 Manual preview
10901
Brand: NA-DE Pages: 5
NA-DE 01051 Instruction Manual preview
01051
Brand: NA-DE Pages: 2
TDSi DIGIgarde PLUS Quick Start Manual preview
DIGIgarde PLUS
Brand: TDSi Pages: 2
Tecnosystemi Toolsplit TSCE-500 User Manual preview
Toolsplit TSCE-500
Brand: Tecnosystemi Pages: 8
ACS A1214 Expert Operation Manual preview
A1214 Expert
Brand: ACS Pages: 64
Iqinvision IQeye Sentinel Series Installation And Operating Instructions Manual preview
IQeye Sentinel Series
Brand: Iqinvision Pages: 15
TEUFELBERGER treeMOTION S.light USCA Instructions For Use Manual preview
treeMOTION S.light USCA
Brand: TEUFELBERGER Pages: 152
Uniden UDVR45x4 User Manual preview
UDVR45x4
Brand: Uniden Pages: 16
Vivotek PZ7131 Quick Installation Manual preview
PZ7131
Brand: Vivotek Pages: 12
EAW CB423M Technical Specifications preview
CB423M
Brand: EAW Pages: 2
Black BLK-CCD203VS User Manual preview
BLK-CCD203VS
Brand: Black Pages: 24
Soca ST-660 Operation And Installation Manual preview
ST-660
Brand: Soca Pages: 19

Brands by name

Popular brands

Load more brands