Intrusion Prevention

IDP inspection rulebase multiples matches

02-04-2019 12:26 AM

Hello community,

I have an issue related to IDP inspection.

I am trying to make an IDP rule to inspect a few customized patterns which have to be permitted, and then drop anything else.

I have created a first rulebase which matches correctly and has "no action", and then a second rulebase which denies everything.

The problem is that traffic is being dropped because of the most severe action.

I have seen some posts and thought I could make a terminal rulebase, but I am facing some issues.

Adding the "terminal" command on the first rulebase, all the traffic is being permitted.

Deleting the "terminal" command, all the traffic is being denied.

This is my config:

set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" description "Whitelist: Permitted ranges"
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIPSmiley FrustratedIP:HEADER-1000
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIPSmiley FrustratedIP:HEADER-2000
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then action recommended
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" terminal

set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" description "Blacklist: Denied ranges"
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match attacks custom-attacks VOIPSmiley FrustratedIP:RANGE-ANY
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then action drop-packet
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then severity info

I need some help.


Re: IDP inspection rulebase multiples matches

02-04-2019 01:58 AM

The terminal match applies to the rule lookup. In the configuration given here, the rule conditions are the same, hence turning it on will look up only the first rule and turning it off will apply both rules.

Since the "VOIP:IP:RANGE-ANY" attack is matching all the traffic, the traffic is dropped when the attack is detected.

Please try setting action as "ignore-connection" for the rule "Whitelist: Permitted ranges" and see if it helps to solve the issue.
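A simplified model of the behaviour described in this thread, added here as an example (it is not Junos code and not from the original post): rule lookup selects rules by their match conditions, a terminal rule ends that lookup, and the attacks of every selected rule are then inspected, with the most severe action winning. The severity ranking, the whitelist modelled as "no-action" as the poster describes it, and the effect of ignore-connection suppressing the blacklist's drop are assumptions of the model.

```python
# Added example: a simplified model of the rule-lookup and action-merging
# behaviour discussed in this thread. It is NOT Junos code; the severity
# ranking and the effect of ignore-connection are assumptions for illustration.
from dataclasses import dataclass

# Assumed severity ranking used to pick the "most severe" action when several
# rules fire for the same packet (higher wins).
SEVERITY = {"no-action": 0, "ignore-connection": 1, "drop-packet": 2}

@dataclass
class Rule:
    name: str
    attacks: set            # custom-attack names this rule inspects for
    action: str
    terminal: bool = False  # ends rule lookup for traffic matching the rule's conditions

def lookup(rules):
    """Rule lookup: every rule here matches 'application default', so all of
    them match every flow; a terminal rule ends the lookup at itself."""
    selected = []
    for r in rules:
        selected.append(r)
        if r.terminal:
            break
    return selected

def inspect(rules, detected):
    """Apply the selected rules to a packet whose detected attack names are
    'detected'; return the resulting action."""
    fired = [r for r in lookup(rules) if r.attacks & detected]
    if not fired:
        return "no-action"
    # Assumption: ignore-connection from the whitelist stops further inspection
    # of the flow, so the blacklist's drop is not applied to it.
    if any(r.action == "ignore-connection" for r in fired):
        return "ignore-connection"
    return max((r.action for r in fired), key=SEVERITY.__getitem__)

def build(whitelist_action, terminal):
    return [
        Rule("Whitelist: Permitted ranges", {"HEADER-1000", "HEADER-2000"}, whitelist_action, terminal),
        Rule("Blacklist: Denied ranges", {"RANGE-ANY"}, "drop-packet"),
    ]

# Constructed sample packets: a whitelisted call and an unlisted one. RANGE-ANY
# is written to match everything, as the reply points out.
PERMITTED = {"HEADER-1000", "RANGE-ANY"}
UNLISTED = {"RANGE-ANY"}
```

Running the three configurations from the thread through `inspect` reproduces the symptoms: without terminal both packets are dropped, with terminal both are permitted, and with ignore-connection on the whitelist only the unlisted packet is dropped.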