To help deploy DDI effectively and validate that it can receive traffic and trigger detections successfully, DDI includes several built-in rules intended for testing and demonstration.
The following are built-in rules for testing and demo:
- Rule 2244 - DEMO RULE - ICMP (Request)
- Rule 2245 - DEMO RULE - DNS (Request)
- Rule 2246 - DEMO RULE - HTTP (Request)
- Rule 2247 - DEMO RULE - SMB (Request)
- Rule 2248 - DEMO RULE - SMTP (Request)
- Rule 2249 - DEMO RULE - KERBEROS (Request)
To verify that the Network Content Inspection Engine (NCIE) or the demo rules are working properly, for instance Rule 2245 - DEMO RULE - DNS (Request), perform the following on any host in a DDI-monitored network:
- Use the nslookup command to generate a DNS request packet to resolve “ddi.detection.test”.
- Open the DDI web console and go to Detections > All Detections to verify that DDI has detected a violation.
- To see more detection information, check the Detail column.
- Note that the severity of all the demo rules is 'Informational', with a few different attack phases.
- In addition, note that within the same hour there will be at most 10 logs for each demo rule detection.
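When the validation has to be repeated from several hosts, or nslookup is not available, the same DNS request can be generated from a small script. The following is an added example (not code from the article or from Trend Micro): it builds a standard A query for the hostname the article names, ddi.detection.test, sends it to a resolver address you supply, and reports the reply's response code. Only the hostname and the 10-logs-per-hour note come from the article; the resolver address, port, transaction id and helper names are assumptions. Whether the name resolves is irrelevant here, since demo Rule 2245 matches the request as it crosses the monitored segment.

```python
"""Generate a DNS request for ddi.detection.test so a DDI sensor on the
monitored segment can match demo Rule 2245 (DNS Request).
Added example; the hostname comes from the article, everything else is assumed."""
import os
import socket
import struct

DEMO_QNAME = "ddi.detection.test"  # from the article (Rule 2245 - DEMO RULE - DNS)


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: length-prefixed, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str = DEMO_QNAME, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query (QTYPE=1, QCLASS=IN) for `name`.
    Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def parse_response_header(data: bytes, txid: int):
    """Return (rcode, answer_count) from a reply after checking the transaction id.
    An NXDOMAIN (rcode 3) is perfectly fine: DDI inspects the request, not the answer."""
    if len(data) < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, an


def send_demo_query(resolver: str, port: int = 53, timeout: float = 3.0):
    """Send one query for ddi.detection.test to `resolver` (assumed to be reached
    across the DDI-monitored segment). Returns (rcode, answer_count), or None on timeout."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(DEMO_QNAME, txid), (resolver, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None  # no answer, but the request still crossed the wire
    return parse_response_header(data, txid)


if __name__ == "__main__":
    import sys
    # Assumed resolver; 192.0.2.53 is a documentation-range placeholder, replace it.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    # The article notes DDI keeps at most 10 logs per demo rule per hour,
    # so a handful of requests is enough; extra ones will not appear as extra events.
    for _ in range(3):
        print(send_demo_query(resolver))
```

Run it as `python3 ddi_demo_dns.py <resolver-ip>` from a host on the monitored network, then check Detections > All Detections in the DDI web console as described above. The packet builder is kept separate from the network call so the exact bytes on the wire can be checked without a resolver.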
For more information about demo rules, refer to the Knowledgebase article: Using Deep Discovery Inspector (DDI) demo rules to validate monitored traffic.