Intrusion Detection System
With an intrusion detection system (IDS), you can detect suspicious activities and potential security incidents at an early stage. It helps you to quickly identify unauthorized access or attack patterns so that you can react in a targeted manner and effectively protect your systems.
With the Intrusion Detection System integrated into the Pulsar Agent, you can easily implement a host-based intrusion detection system.
Attacks
Enginsight supports the detection of the following attacks:
SYN-Flooding
ARP-Spoofing
Ping of Death
Ping-DDoS
Blacklist IP Database
DNS-Spoofing
Port Scan
TCP
UDP
Bruteforce
SSH
MySQL
MongoDB
HTTP Basic Authentication
FTP
RDP
RPC
VNC
SMB
Cross Site Scripting
HTTP Request Corruption
HTTP Response Splitting
HTTP Request Smuggling
Remote Code Execution
Path Traversal
SQL Injection
SSL/TLS Cipher Enumeration
SSL/TLS Protocol Scan
Bot-Activities
In addition, Enginsight supports the detection of attacks described in the SNORT Community Rules. These also cover more specific attacks (e.g. attacks on Microsoft IIS or Exchange servers, attempts to access sensitive data on a web server, or CGI attacks).
Configure IDS
To make optimum use of the IDS on your servers and clients with the Pulsar Agent installed, only two settings are required.
Activate network recording
Activate the network interface on all hosts on which the IDS is to be active. You can do this either in the settings of the individual host or via policies.
Determine IDS level
Attack detection and blocking can be controlled either via the autopilot or directly in the host settings. This enables precise adaptation of the security measures to individual requirements and criticality levels.
In Autopilot, you can define the criticality level at which attacks are automatically blocked for certain hosts or host groups. The Override recommendations function must be activated so that the autopilot can actively enforce this setting.
Alternatively, the configuration can be made individually for each host in the host settings.
Setting the attack detection level
Attack detection is based on different security levels that determine which attacks are recognized and blocked:
Level 0 – Very high threshold: Maximum availability, only a few threats are blocked.
Level 1 – Availability over security: Focus on availability, only the most important threats are blocked.
Level 2 – Balanced availability and security (Recommended): Ideal balance between security and device stability.
Level 3 – Security over availability: Blocking of even rare attacks, with possible restrictions in availability.
Level 4 – Maximum protection: Highest security level, but with frequent availability problems - only suitable for special applications.
Dashboard
The dashboard provides you with an overview of your IDS's most important findings. See at a glance what the threat landscape looks like for you.
Network anomalies
Here you will find a list of all detected network anomalies. Use the free text search to find specific entries and use the view function to define an observation period. Click on the filter next to an entry to access all entries relating to the same reference.
You will also find the option to treat the risk or actively block it after each entry.
Block
You can block attacks directly from the view. To do this, click on the Block button next to an entry. In the window that opens, you will see all the information for the rule; adjust it if necessary, for example if the rule set should also apply to other hosts. Confirm your selection by adding the manual rule set.
Whitelist
Whitelists ensure that trustworthy activities, IP addresses or applications are not falsely recognized as threats. This reduces the number of false alarms and allows you to focus on real security risks, optimize your security processes and save valuable time when analysing alerts.
Add whitelist
Click on the corresponding button in the overview to add a new whitelist entry.
Steps to Add a Whitelist
Enter a brief description.
In the CIDR field, provide the IP address to be whitelisted along with the appropriate network prefix.
Specify the particular attack to be whitelisted for the IP, or use * to whitelist the IP for all attacks. In addition, enter a regex to define specific patterns in the payloads of network packets that should be considered safe and not flagged as threats.
Define associated references by assigning hosts and/or linking your configuration with tags.
Finally, save your changes by clicking the corresponding button.
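As an added illustration (not Enginsight's own code; how the Pulsar Agent evaluates whitelist entries internally is not documented on this page), the following Python model combines the three fields from the steps above, CIDR, attack name or *, and payload regex, and shows why a narrow regex keeps a real injection attempt from a whitelisted IP alerting while the benign probe is suppressed:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class WhitelistEntry:
    """One whitelist entry with the fields the page describes (hypothetical model)."""
    description: str
    cidr: str                             # IP address plus network prefix, e.g. "10.10.5.0/24"
    attack: str                           # a specific attack name, or "*" for all attacks
    payload_regex: Optional[str] = None   # pattern that marks a packet payload as safe

    def matches(self, src_ip: str, attack: str, payload: str = "") -> bool:
        """True if this entry suppresses the given event; every set field must agree."""
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        if self.attack != "*" and self.attack != attack:
            return False
        if self.payload_regex is not None and not re.search(self.payload_regex, payload):
            return False
        return True

def triage(entries, events):
    """Split detected events into suppressed (whitelisted) ones and alerts that remain."""
    suppressed, alerts = [], []
    for ev in events:
        hit = any(e.matches(ev["src"], ev["attack"], ev["payload"]) for e in entries)
        (suppressed if hit else alerts).append(ev)
    return suppressed, alerts

# Constructed sample whitelist: a broad entry for the internal scanner subnet, and a
# narrow entry that only excuses one health probe's known-benign payload.
WHITELIST = [
    WhitelistEntry("Internal vulnerability scanner subnet", "10.10.5.0/24", "*"),
    WhitelistEntry("Health probe that trips the SQL Injection rule", "192.0.2.17/32",
                   "SQL Injection", r"^/health\?probe=[a-z_]+$"),
]

# Constructed sample events in the shape the IDS might report them.
EVENTS = [
    {"src": "10.10.5.42", "attack": "Port Scan", "payload": ""},
    {"src": "192.0.2.17", "attack": "SQL Injection", "payload": "/health?probe=select_one"},
    {"src": "192.0.2.17", "attack": "SQL Injection", "payload": "/login?user=' OR 1=1--"},
    {"src": "203.0.113.9", "attack": "Port Scan", "payload": ""},
]

if __name__ == "__main__":
    _, alerts = triage(WHITELIST, EVENTS)
    print("still alerting:", [(ev["src"], ev["attack"]) for ev in alerts])
```

The second whitelist entry is the pattern to prefer: scoping by attack and payload keeps the false positive quiet without silencing every SQL Injection finding from that host.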
World map
Under the menu item World map you will find a live view of the events recorded by the IDS. Keep an up-to-date overview of all attacks and use the view to find information about attacks on your IT and about your own defenses.
If you click on the icon next to an active attack in the view, you can create a manual rule set from there and block the attack. You can follow the result on the map almost in real time.
Click on the globe to exit autorotate mode. You can also zoom in and out of the view by scrolling the mouse wheel.