When the IPS rule does not seem to be working as expected, there are basic checks that may be performed to ensure that everything is in order.
Follow these steps:
- Make sure the Intrusion Prevention module has been enabled on the affected system.
- Perform some tests to confirm that the Intrusion Prevention module is functioning properly. You can follow either Test Intrusion Prevention on the Deep Security Help Center or KB 1098449, Testing the Deep Security modules.
- Make sure the rule is configured appropriately at the policy level or for the specific computer, including its Detect/Prevent action. (See Policies, inheritance, and overrides, and Configure intrusion prevention rules.)
- Implement best practices for specific rules.
- Restrict Download of EICAR Test File Over HTTP
The rule 1005924 - Restrict Download of EICAR Test File Over HTTP does not trigger after performing the steps documented under Test Intrusion Prevention on the Deep Security Help Center. This is usually because the EICAR site now redirects requests for its HTTP URLs to HTTPS. Since the rule only restricts downloads of the EICAR test file over HTTP, it cannot restrict or log the traffic once it has moved to HTTPS. In a nutshell, the rule works on HTTP only, not on HTTPS, which is why it appears not to work.
Alternatively, to test the rule you can create your own EICAR test file by typing or copying the following into a text file, naming the file eicar.com, uploading it to any local HTTP server, and then downloading it:
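The EICAR string referred to above is not reproduced on this page. The following added example (not Trend Micro's code) performs the local test the paragraph describes in Python: it serves a placeholder test file from a plain-HTTP server on 127.0.0.1 and downloads it with redirects disabled, so the client reports whether the transfer stayed on HTTP, the only transport rule 1005924 inspects. The placeholder content, the 127.0.0.1 address, the random port and the `eicar.com` file name are assumptions.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder: substitute the EICAR test string when testing a real agent.
TEST_FILE_CONTENT = b"PLACEHOLDER-TEST-FILE-CONTENT"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect so an HTTP->HTTPS hop surfaces as an error."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def redirects_to_https(status, location):
    """True when a 3xx response moves the client off plain HTTP (traffic the rule cannot see)."""
    return 300 <= status < 400 and urlparse(location or "").scheme == "https"


def fetch_no_redirect(url):
    """GET url once; return (scheme_used, status, body, location_header)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return urlparse(resp.geturl()).scheme, resp.status, resp.read(), None
    except urllib.error.HTTPError as err:
        return urlparse(url).scheme, err.code, b"", err.headers.get("Location")


def serve_and_fetch(content, name="eicar.com"):
    """Serve `content` as /<name> from a plain-HTTP server on 127.0.0.1 (free port) and download it."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/" + name:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)

        def log_message(self, *_):  # silence per-request console logging
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return fetch_no_redirect(f"http://127.0.0.1:{srv.server_port}/{name}")
    finally:
        srv.shutdown()
        srv.server_close()
```

If the same client is pointed at the public EICAR HTTP URL and `fetch_no_redirect` returns a 3xx status with an `https://` Location, the download never happened over HTTP, which is the behaviour described above.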
An alternative Intrusion Prevention rule can also be created for IPS testing. This rule blocks access to the EICAR website in general, over either HTTP or HTTPS.
Follow these steps:
- Create an IPS custom rule using Assign/Unassign button.
- Click the option New IPS rule.
- Name the rule and select “Web Browser” under the Application Type.
- On the Rule tab, set Signature to: eicar
- Keep the default values for the rest of the settings and click OK to create the rule.
- Assign this rule to an agent and make sure that IPS is turned ON.
- Wait for the policy to be sent to the agent, then browse the EICAR website, and you will see that it is now blocked.
- After the access is blocked, the corresponding event is visible on the Intrusion Prevention page.
- HTTP Protocol Decoding rule
The HTTP Protocol Decoding rule is the most important rule in the "Web Server Common" Application Type. This rule decodes the HTTP traffic before the other rules inspect it. This rule also allows you to control various components of the decoding process.
Many of the Web Application Common and Web Server Common rules depend on this rule, and the Deep Security Manager assigns it automatically when another rule requires it. Because each web application is different, a policy that uses this rule should run in Detect mode for a period of time before switching to Prevent mode, so you can determine whether any configuration changes are required.
Quite often, changes are required to the list of illegal characters.
Refer to the following Knowledge Base articles for more details on this rule and how to tune it:
- Cross-site scripting and generic SQL injection rules
Two of the most common application-layer attacks are SQL injection and cross-site scripting (XSS). Cross-site scripting and SQL injection rules intercept the majority of attacks by default, but you may need to adjust the drop score for specific resources if they cause false positives.
Both rules are smart filters that need custom configuration for your web servers. If you have output from a web application vulnerability scanner, use that information when applying protection. For example, if the user name field on the login.asp page is vulnerable to SQL injection, ensure that the SQL injection rule is configured to monitor that parameter with a low drop threshold.
For more information, see KB 1098159.