Intrusion Detection System

With an intrusion detection system (IDS), you can detect suspicious activities and potential security incidents at an early stage. It helps you to quickly identify unauthorized access or attack patterns so that you can react in a targeted manner and effectively protect your systems.

With the Intrusion Detection System integrated into the Pulsar Agent, you can easily implement a host-based intrusion detection system.

With the export function, you can export both complete views and filtered results directly from the platform. This gives you the flexibility to save and process exactly the data that is relevant for your analyses or reports.

Attacks

Enginsight supports the detection of the following attacks:

SYN-Flooding
ARP-Spoofing
Ping of Death
Ping-DDoS
Blacklist IP Database
DNS-Spoofing
Port Scan
- TCP
- UDP
Bruteforce
- SSH
- MySQL
- MongoDB
- HTTP Basic Authentication
- FTP
- RDP
- RPC
- VNC
- SMB
Cross Site Scripting
HTTP Request Corruption
HTTP Response Splitting
HTTP Request Smuggling
Remote Code Execution
Path Traversal
SQL Injection
SSL/TLS Cipher Enumeration
SSL/TLS Protocol Scan
Bot-Activities

In addition, Enginsight supports the detection of attacks described in the SNORT Community Rules. These are also more specific attacks (e.g. attacks on Microsoft IIS or Exange servers, attempts to access sensitive data on a web server or CGI attacks).

Configure IDS

To make optimum use of the IDS on your servers and clients with Pulsar Agent installed, you only need to make two settings.

Activate network recording

Activate the network interface on all hosts on which the IDS is to be active. You can either do this in the settings of the individual host or you can use the policies.

Categorize your hosts with tags for risk level and performance reserves, for example, and then create the corresponding policies.

Determine IDS level

Attack detection and blocking can be controlled either via the autopilot or directly in the host settings. This enables precise adaptation of the security measures to individual requirements and criticality levels.

In Autopilot, you can define the criticality level at which attacks are automatically blocked for certain hosts or host groups. It is necessary to activate the Override recommendations function so that the autopilot can actively enforce this setting.

Alternatively, the configuration can also be made individually for each host in the host settings.

Setting the attack detection level

Attack detection is based on different security levels that determine which attacks are recognized and blocked:

Level 0 – Very high threshold Maximum availability, only a few threats are blocked.
Level 1 – Availability over security Focus on availability, only the most important threats are blocked.
Level 2 – Balanced availability and security (Recommended) Ideal balance between safety and device stability.
Level 3 – Security over availability Blocking of even rare attacks, with possible restrictions in availability.
Level 4 – Maximum protection Highest security level, but with frequent availability problems - only suitable for special applications.

Dashboard

The dashboard provides you with an overview of your IDS's most important findings. See at a glance what the threat landscape looks like for you.

Network anomalies

A list of all detected network anomalies awaits you here. Use the free text search to search for specific entries and use the view function to define a period of observation. Click on the filter next to an entry to access all entries relating to the reference.

You will also find the option to treat the risk or actively block it after each entry.

Block

You can block attacks directly from the view. To do this, click on the Block button next to an entry. In the window that now opens, you will see all the information; adjust this if necessary, for example, if the set of rules should also apply to other hosts. Confirm your selection by adding the manual set of rules.

Whitelist

Whitelists ensure that trustworthy activities, IP addresses or applications are not falsely recognized as threats. This reduces the number of false alarms and allows you to focus on real security risks. This allows you to optimize your security processes and save valuable time when analysing alerts.

Add whitelist

Click on the corresponding button in the overview to add a new whitelist entry.

Steps to Add a Whitelist

Enter a brief description.
In the CIDR field, provide the IP address to be whitelisted along with the appropriate network prefix.
Specify the particular attack to be whitelisted for the IP, or use * to whitelist the IP for all attacks.
Further, enter a regex to define specific patterns in the payloads of network packets that should be considered safe and not flagged as threats.

If a value is entered in the Advanced filter field, the whitelist only applies to attacks that also have a payload, i.e. not to attacks such as port scans or brute forces. If you want to whitelist several or all attacks including those without a payload, leave the Extended filter field empty.

Define associated references by assigning hosts and/or linking your configuration with tags.
Finally, save your changes by clicking the corresponding button.

World map

Under the menu item World map you will find a live view of the events recorded by the IDS. Keep an up-to-date overview of all attacks and use the view to find information about attacks on your IT and your own defenses.

If you click on the icon next to an active attack from the view, you have the option of creating a manual set of rules from the view and blocking it. You can follow the result on the map almost in real time.

Click on the globe to exit autorotate mode. You can also zoom in and out of the view by scrolling the mouse wheel.

PreviousCompliance NextFile Integrity Monitoring

Last updated 1 month ago

Was this helpful?