Advanced
Send an e-mail: an e-mail will be sent when this alarm is raised (cf. module E-mail alerts) with the following conditions:
- Number of alarms before sending: minimum number of alarms required before an e-mail is sent, during the period defined hereafter.
- During the period of (seconds): period in seconds during which alarms have been raised, before an e-mail is sent.
Place the machine under quarantine: the packet that caused the alarm will be blocked with the following parameters. To remove a packet from quarantine, use Stormshield Network Realtime Monitor.
- for a period of (minutes): duration of the quarantine.
Capture the packet that raised the alarm: this capture can be viewed when checking alarms (Stormshield Network Realtime Manager or Unified Reporter), using a network sniffer such as Wireshark.
QoS applied to traffic: QoS queues can now be applied to any application traffic that generates alarms. This option therefore allows assigning a bandwidth restriction or a lower priority to the traffic that caused the alarm to be raised.
Next, click on Apply.
Each of the 10 profiles can be configured as you wish by modifying the parameters described above.
Sensitive alarm
The action Allow on an alarm stops the protocol scan on the traffic. You are therefore strongly advised to dedicate a filter rule in Firewall mode (or IDS for logs) to the traffic affected by the alarm instead of setting this type of alarm to Allow.
Example of an HTTP 47 sensitive alarm
Microsoft IIS (Internet Information Server) allows managing the application server using Microsoft technologies. Its web server management supports the encoding of extended characters in Microsoft's proprietary "%uXXXX" format. Since this encoding is not a standard, intrusion detection systems cannot detect attacks that use this method.
When a user attempts to access a site with a URL containing a %u-encoded sequence that does not correspond to any valid character, the HTTP 47 alarm (Invalid %u encoding char in URL) is raised. As this alarm is considered sensitive, access to the site is blocked.
The Allow action applied to an alarm that blocks traffic stops the protocol scan of this connection (including the requests that follow).
In order to maintain protection from this type of attack while still allowing access to this type of server, it is recommended that you dedicate a filter rule in Firewall mode (or IDS for logs) to the affected traffic instead of setting the sensitive alarm that blocks it to Allow. As a reminder, Firewall and IDS modes allow all types of traffic that raise alarms (IDS mode still detects and logs them).
View by context
This view sets out alarms by protocol profile. The first drop-down list, on the left, allows selecting the protocol context.
Page 44/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
SNS - USER CONFIGURATION MANUAL V.3
APPLICATIONS AND PROTECTIONS