topic Re: IPS - new signature's action set to default instead of the action specified in rule in General Topics

IPS - new signature's action set to default instead of the action specified in rule

santonic — Mon, 09 Jun 2014 07:48:45 GMT

Hello.

I have a general IPS profile with a rule (named block-crit,high) which includes all signatures with severity 'critical' and 'high'. Action for the rule is set to 'block'. I have automatic updates on for IPS signatures. Yesterday a new signature (OpenSSL SSL/TLS MITM vulnerability) was released with severity critical. When I checked my IPS profile today i noticed that signature was correctly included in above rule (block-crit,high) but the action for this signature was set to 'default (alert)' despite the action for rule being 'block'.

Is this expected behaviour? Are all new signatures set to default action? Can you set new signatures to block?

Best regards,

Simon Antonic

Re: IPS - new signature's action set to default instead of the action specified in rule

_slv_ — Mon, 09 Jun 2014 11:11:53 GMT

According to my knoweladge this is OK IF your "rules" section of this profiles looks like my:

This is example with Heartbleed because is easy to verify

My thread log have a lot of entries like:

So this is proof that is working.

Regards

SLawek

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Mon, 09 Jun 2014 13:37:41 GMT

Thank you for your response.

Yep, action in rule is on 'block'. I just wasn't 'lucky' enough to find an event triggered by this signature in logs to verify how it works.

Still a way to check current response for certain signature would be useful.

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Wed, 01 Oct 2014 08:07:20 GMT

Ok, I've come across the same problem again and still haven't found a solution for it.

How do you check what is the set action for certain signature? I couldn't find a CLI command for it and in GUI when you check 'show all signatures' every signature is listed with the default action and not with the action set by rule.

I believe this is a very important feature and I'd really need a way to check set actions for signatures in certain profile. Waiting for an attempt of exploit which would trigger that signature to happen and checking logs afterwards is not an answer.

Am i gettting a 'contact your SE for feature request' answer next?

Re: IPS - new signature's action set to default instead of the action specified in rule

Jmason — Wed, 01 Oct 2014 14:20:25 GMT

are you using the built in ips profiles?

Re: IPS - new signature's action set to default instead of the action specified in rule

tshiv — Thu, 02 Oct 2014 01:41:01 GMT

Santonic,

The action set in the vulnerability Rules are coherent with the default action set with individual signatures. In the exceptions tab, you just add an exception for an individual vulnerability signature and change the action according

to you requirements saying that exempt the action set in the Rule for this signature.

To see the default action set on a vulnerability signature, open the profile and navigate to exceptions tab. Check the show all signatures option which shows all the signatures with the default action associated with them.

Hope this is helpful and not confusing.........:)

Thanks

Re: IPS - new signature's action set to default instead of the action specified in rule

gchandrasekaran — Thu, 02 Oct 2014 10:57:29 GMT

Hi Simon,

You are right and that is the expected behavior.

When you create a rule and choose the action for that rule to "block" for the severities "critical and high" and have chosen "Any" in the CVE and Vendor-ID column, then any CVE (even CVE whose default action is alert) will be blocked. The vulnerabilities rules and the corresponding action in that rule (for any CVE/Vendor-ID OR for specified CVE/Vendor-ID) take precedence over the default threat ID actions. Again, the rule must be matched correctly for the corresponding action to take place.

You can change the default action for threat IDs. Click the "Exceptions" tab and then click "Show all signatures". Enter the threat ID in the search bar and click on the action to see the dropdown. Now choose the required action and ensure to check the "Enable" box.

Thanks

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Thu, 02 Oct 2014 11:53:41 GMT

Yes, I understand how it works (I think). The problem is that you can't see neither in GUI nor in CLI what is the current action for certain signature. Yes, you can see the rules, you can see in which rules the signature is included, and you can figure out what the action is.

But there is no view which would list the signature with the current set action, unless you make it an exception.

I know it's only a view missing and not functionality, but it would be really nice to see signature(s) listed with its current action for certain security profile like all the IPS systems have. I'd be happy already with a CLI command to check response, maybe something like "show policy security-profile 'profile_name' AlertID 'ID_number' " and the output is signature name and set action for that profile.

Re: IPS - new signature's action set to default instead of the action specified in rule

gchandrasekaran — Fri, 03 Oct 2014 10:52:56 GMT

Hi Simon,

As of now, the options to view the default action is by checking "Show all signatures" in the Exceptions tab. You can also use the following CLI commands to view all the threats and their associated default action.

> configure

# show predefined threats ---> displays all the threats. Use forward slash followed by the threat ID to search for a specific threat ID (/36729)

# show predefined threats vulnerability <threatID>

You may find https://threatvault.paloaltonetworks.com/ to also be helpful as it provides more information Click the magnifying icon to view the default action.

You can contact SE to place any feature requests.

Hope this helps.

Thanks

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Mon, 06 Oct 2014 07:40:00 GMT

Yes, seeing the default action is easy.

But seeing the current set action for certain signature (in specified profile) is impossible. You can only see in which rule it is included and then check the action for that rule. But I already had customers asking: "ok, show me that this signature is indeed in blocking mode for this profile".

I'll open a feature request. And hopefully some of the readers here will help me with same requests

Re: IPS - new signature's action set to default instead of the action specified in rule

Retired Member — Mon, 06 Oct 2014 07:53:05 GMT

Please share FR number so that we'll also vote for...

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Mon, 06 Oct 2014 08:03:58 GMT

Hmmm, another question.

What happens if signature is included in multiple rules with different set actions? Does it work like security policy, top down and first rule that hits?

Example:

rule that sets all critical signatures to default

rule which sets all signatures which have 'bash remote' to block.

What is the response now for signature ID 36729 which is 'critical' severity, includes words 'bash remote' and default action is alert?

In such case the ability to see signature response would come in handy

Re: IPS - new signature's action set to default instead of the action specified in rule

Retired Member — Mon, 06 Oct 2014 08:07:48 GMT

yes; rules inside profile works from top to bottom.

for the example, it is alert.

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Mon, 06 Oct 2014 12:24:32 GMT

Thanx! Good to know.

Re: IPS - new signature's action set to default instead of the action specified in rule

tshiv — Mon, 06 Oct 2014 21:55:54 GMT

santonic

Rules inside vulnerability profile do not get checked from top to bottom. These rules are defined based on criteria's such as host type and severity.

For example: Threat ID 36729 has following criteria's :

Host type : Server

Severity : Critical

thus it matches the rule highlighted below:

In this case, the action will be block for threat signature 36729.

hshah has given a clear idea as to how the profile gets matched. It depends on which security rule the traffic matches and the profile attached to that rule.

Hope this helps.

Thanks

Re: IPS - new signature's action set to default instead of the action specified in rule

tshiv — Tue, 07 Oct 2014 01:41:25 GMT

santonic

To add to the thread, the rules order in Vulnerability protection profile depends on the action field. For a given signature, the action taken is the most strict action match.

Thanks

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Tue, 07 Oct 2014 06:43:20 GMT

Yes, I understand how security policy and security profiles work. I was just wondering about rules inside specific security profile in cases when one signature matches more than one rule.

So far I got 2 answers:

- rules inside security profile are matched from top to bottom

- action is set by the most strict rule for given signature

Can someone confirm which is correct?

Re: IPS - new signature's action set to default instead of the action specified in rule

tshiv — Tue, 07 Oct 2014 20:08:36 GMT

santonic

The action is set by the most strict rule for given signature. This was confirmed by the product management team.

Thanks

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Wed, 08 Oct 2014 06:48:53 GMT

Cool, thanx for confirmation!

Re: IPS - new signature's action set to default instead of the action specified in rule

santonic — Mon, 03 Nov 2014 14:11:46 GMT

tshiv

We did some testing and we found out that rule order does matter in IPS profile. So if a signature matches 2 rules, the action will be set by first rule it hits, matching the rules from top to bottom.