AFE Configuration
- Last Updated: December 11, 2024
Maximum Cache Size
The Maximum Cache Size sets how much main memory, in megabytes, is assigned to the cache. It can never be more than one fifth of the total memory of the machine. Memory assigned to the cache is no longer available for connections and persistence entries. A correctly configured system has enough memory for a full cache plus all of the connections it is expected to handle; if it does not, the system could run out of memory.
Cache Virtual Hosts
This option is enabled by default. When it is disabled, the cache presumes that only one virtual host is served by the Real Servers, so it does not distinguish content by host. Enabling it allows the cache to support multiple virtual hosts that serve different content: the Host header of the request forms part of the cache key. Because keying is by Host header rather than by Virtual Service, an object cached for one Virtual Service is not cached a second time when the same request arrives through another Virtual Service.
File extensions that should not be cached
The File extensions that should not be cached field and the list below it specify the file types that are excluded from caching.
By default .aspx, .jsp, .php, and .shtml are not cached; these extensions normally denote dynamically generated content. You can delete an entry from the "no cache" list by selecting it and clicking Delete.
You can add other file extensions to the File extensions that should not be cached field.
Items are held in the cache for 15 minutes, or until the cache is flushed by a forced refresh of the page (for example, by pressing Ctrl + F5 on your keyboard).
Compression Options
The File extensions that should not be compressed field and the list below it specify the file types that are excluded from compression. The default extensions that are not compressed are .asf, .gif, .gz, .jpeg, .jpg, .mov, .mp3, .mp4, .mpe, .mpeg, .mpg, .pdf, .png, .swf, .tgz, .wav, .wma, .wmv, .z and .zip; these formats are already compressed, so compressing them again costs CPU for little gain. You can delete these from the "no compress" list by selecting them and clicking Delete.
Intrusion Detection Options
SNORT is an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). You can import SNORT rules into the LoadMaster and apply them to HTTP/HTTPS connections. You can also write your own rules in SNORT 2.8 and 2.9 rule syntax.
You can enable the rules for a Virtual Service by selecting the Detect Malicious Requests check box in Virtual Services > View/Modify Services > Modify > Advanced Properties.
Download the SNORT Rules
You can download the SNORT rule set from the SNORT website. In the Rules section, under Community, click community-rules.tar.gz to start the download.
Install the SNORT Rules
To install the SNORT rules on the LoadMaster, follow the steps below:
- In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > AFE Configuration.
- Click Choose File next to Detection Rules.
- Browse to and select the previously downloaded community-rules.tar.gz file.
- Click Install new Rules.
- Select your chosen Detection Level.
Deactivate/Activate the SNORT Rules
You can deactivate or reactivate individual rules by commenting out or un-commenting them in the community-rules.tar.gz archive. You can do this by opening the file as an archive using a file archive tool such as 7-Zip:
- Open 7-Zip.
- Click File and select Open.
- Browse to the community-rules.tar.gz file.
- Double-click the file to open the archive.
- Continue double-clicking until you can see the following files:
  - community.rules
  - AUTHORS
  - LICENSE
  - sid-msg.map
  - VRT-License.txt
- Right-click community.rules.
- Select Edit to open the file in a text editor (the edit shortcut key is F4).
- Search for the desired rule by Signature ID (SID), for example, sid:2067.
- To deactivate a rule, comment it out by adding a hash symbol (#) at the beginning of the line.
- To activate a rule, un-comment it by deleting the # at the beginning of the line.
- After your modifications are complete, click File > Exit to close the text editor.
- When prompted to save the file, click Yes so that 7-Zip updates the archive.
Upload the modified archive using the Install the SNORT Rules steps above so that the change takes effect on the LoadMaster.
For further details, refer to the following Knowledge Base article: How to configure Intrusion Protection on LoadMaster (IPS+SNORT).
Detection Rules
Select the relevant detection rules and click the Install New Rules button to install them.
If you write your own SNORT rules for the LoadMaster, they must meet the following constraints:
- The destination port must be $HTTP_PORTS
- A ‘msg’ may optionally be set
- The flow must be set to ‘to_server,established’
- The actual match may be either ‘content’ or ‘pcre’
- Additional ‘http_’ modifiers (for example http_uri) may be set
- The classtype must be set to a valid value (see the table under Detection Level)
Detection Level
Supports four levels of what to do when a rule matches:
- Low – only logging with no rejection
- Default – only critical problems rejected
- High – serious and critical problems rejected
- Paranoid – all detected problems rejected
Severity is taken from the classtype value of the matching rule in the SNORT rules file; a lower value means a more severe class, so 1 is the most severe and 3 the least. The levels map to the values Low = 1, Default = 2 and High = 3. When the classtype value of a match is less than the configured level value, a diagnostic is generated and the request is rejected; otherwise the request is not rejected (at Low nothing is rejected, so matches are only logged). Paranoid rejects every match regardless of classtype value. The SNORT rule classtypes and their corresponding values are listed in the table below.
| Classtype | Value |
|---|---|
| not-suspicious | 3 |
| unknown | 3 |
| bad-unknown | 2 |
| attempted-recon | 2 |
| successful-recon-limited | 2 |
| successful-recon-largescale | 2 |
| attempted-dos | 2 |
| successful-dos | 2 |
| attempted-user | 1 |
| unsuccessful-user | 1 |
| successful-user | 1 |
| attempted-admin | 1 |
| successful-admin | 1 |
| rpc-portmap-decode | 2 |
| shellcode-detect | 1 |
| string-detect | 3 |
| suspicious-filename-detect | 2 |
| suspicious-login | 2 |
| system-call-detect | 2 |
| trojan-activity | 1 |
| unusual-client-port-connection | 2 |
| network-scan | 3 |
| denial-of-service | 2 |
| non-standard-protocol | 2 |
| protocol-command-decode | 3 |
| web-application-activity | 2 |
| web-application-attack | 1 |
| misc-activity | 3 |
| misc-attack | 2 |
| icmp-event | 3 |
| kickass-porn | 1 |
| inappropriate-content | 1 |
| policy-violation | 1 |
| default-login-attempt | 2 |
| sdf | 2 |
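The following script, added here as an example and not part of the LoadMaster product or the Snort project, ties the two preceding sections together: it parses Snort 2.x rule lines, checks each one against the constraints listed under Detection Rules (destination port $HTTP_PORTS, flow to_server,established, a content or pcre match, a valid classtype) and then, using the classtype table above and the Low = 1, Default = 2, High = 3 mapping, reports at which Detection Level a match on that rule would be rejected. The sample rules are constructed for illustration and are not from the Snort community rule set; the constraint messages and function names are this example's own.

```python
"""Validate Snort 2.x rules against the LoadMaster constraints listed under
Detection Rules and map each rule's classtype to the Detection Levels that
reject it. Added example, not LoadMaster or Snort code; sample rules below
are constructed for illustration, not taken from the community rule set."""
import re

# Classtype -> severity value as tabulated on this page (1 = most severe).
CLASSTYPE_VALUE = {
    "not-suspicious": 3, "unknown": 3, "bad-unknown": 2, "attempted-recon": 2,
    "successful-recon-limited": 2, "successful-recon-largescale": 2,
    "attempted-dos": 2, "successful-dos": 2, "attempted-user": 1,
    "unsuccessful-user": 1, "successful-user": 1, "attempted-admin": 1,
    "successful-admin": 1, "rpc-portmap-decode": 2, "shellcode-detect": 1,
    "string-detect": 3, "suspicious-filename-detect": 2, "suspicious-login": 2,
    "system-call-detect": 2, "trojan-activity": 1,
    "unusual-client-port-connection": 2, "network-scan": 3,
    "denial-of-service": 2, "non-standard-protocol": 2,
    "protocol-command-decode": 3, "web-application-activity": 2,
    "web-application-attack": 1, "misc-activity": 3, "misc-attack": 2,
    "icmp-event": 3, "kickass-porn": 1, "inappropriate-content": 1,
    "policy-violation": 1, "default-login-attempt": 2, "sdf": 2,
}
# Detection Level -> value from this page; Paranoid has no value, it rejects all.
LEVEL_VALUE = {"low": 1, "default": 2, "high": 3}
LEVELS = ("low", "default", "high", "paranoid")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$")

SAMPLE_RULES = r'''
# Constructed sample rules (sids >= 1000000 are the local-rule range).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE traversal in URI"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE scanner user agent"; flow:to_server,established; pcre:"/^User-Agent\x3a[^\r\n]*(nikto|sqlmap)/mi"; classtype:web-application-activity; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8443 (msg:"EXAMPLE wrong destination port"; flow:to_server,established; content:"admin"; http_uri; classtype:attempted-recon; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE wrong flow direction"; flow:to_client,established; content:"<script>"; classtype:web-application-attack; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE invalid classtype"; flow:to_server,established; content:"cmd.exe"; http_uri; classtype:not-a-real-class; sid:9000005; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE disabled by comment"; flow:to_server,established; content:"x"; classtype:misc-activity; sid:9000006; rev:1;)
'''

def split_options(body):
    """Split a rule body on ';' outside double quotes (honouring backslash
    escapes) into (keyword, value-or-None) pairs; keywords such as content
    may repeat. Valid rules terminate every option with ';'."""
    pairs, buf, quoted, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":                     # keep escape and escaped char together
            buf += body[i:i + 2]; i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                pairs.append((key.strip(), val.strip() or None))
            buf = ""
        else:
            buf += ch
        i += 1
    return pairs

def parse_rule(line):
    """Return {'header': {...}, 'options': [...]} for an active rule, or None
    for blank lines and rules disabled with a leading '#'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: " + line)
    fields = m.groupdict()
    return {"header": fields, "options": split_options(fields.pop("body"))}

def check_rule(rule):
    """Return the LoadMaster constraint violations for one parsed rule
    (empty list when the rule satisfies every requirement on this page)."""
    opts, keys = dict(rule["options"]), [k for k, _ in rule["options"]]
    problems = []
    if rule["header"]["dport"] != "$HTTP_PORTS":
        problems.append("destination port must be $HTTP_PORTS")
    flow = {f.strip() for f in (opts.get("flow") or "").split(",")}
    if flow != {"to_server", "established"}:
        problems.append("flow must be to_server,established")
    if "content" not in keys and "pcre" not in keys:
        problems.append("rule needs a content or pcre match")
    if opts.get("classtype") not in CLASSTYPE_VALUE:
        problems.append("classtype missing or not a valid value")
    return problems

def rejected_at(classtype, level):
    """True when a match on this classtype is rejected at the given level:
    Paranoid rejects every match; otherwise the classtype value must be
    lower than the level value (Low = 1, Default = 2, High = 3)."""
    return level == "paranoid" or CLASSTYPE_VALUE[classtype] < LEVEL_VALUE[level]

def evaluate_rules(text):
    """Report, keyed by sid, each active rule's violations and the levels at
    which a match on it would be rejected (empty when classtype is invalid)."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        opts = dict(rule["options"])
        ct = opts.get("classtype")
        report[int(opts["sid"])] = {
            "problems": check_rule(rule),
            "rejected_at": {l: rejected_at(ct, l) for l in LEVELS}
                           if ct in CLASSTYPE_VALUE else {},
        }
    return report

if __name__ == "__main__":
    for sid, info in evaluate_rules(SAMPLE_RULES).items():
        drops = [l for l, hit in info["rejected_at"].items() if hit]
        print(f"sid:{sid} {info['problems'] or 'OK'} rejected at: {drops or 'n/a'}")
```

Running the script over the constructed file shows the traversal rule (web-application-attack, value 1) being rejected at Default and above, the scanner rule (web-application-activity, value 2) only at High and Paranoid, and the three deliberately broken rules failing exactly one constraint each; the commented-out rule is skipped, which is the effect of the deactivation procedure described earlier.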
Client Limiting
You can limit the number of connections per second accepted from a given client host (limits up to 100K are allowed). After setting the "default limit" to a value, you can set different limits for specific hosts or networks, so a whole network and individual hosts within it can be limited separately.
If you configure both a network and a host on that network, list the host first: the list is processed in the order displayed and the first matching entry wins, so a network entry placed before the host entry would prevent the host entry from ever being applied.
To turn client limiting off, set the Client Connection Limiter value to 0.
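The following model of first-match processing is an added example and is not LoadMaster code; it shows the ordering pitfall described above with a constructed list (a /24 throttled to 20 connections per second and one monitoring host inside it allowed 500), and includes a check that flags entries an earlier, broader entry would shadow. The default limit value and the prefixes are assumptions for illustration.

```python
"""First-match evaluation of a client-limit list, modelled on the ordering rule
on this page (entries are processed in display order). Added example, not
LoadMaster code; the limits and prefixes are constructed for illustration."""
import ipaddress

DEFAULT_LIMIT = 100  # assumed "default limit" in connections per second

def effective_limit(client_ip, entries, default_limit=DEFAULT_LIMIT):
    """Return the limit applied to client_ip: the first entry in list order
    whose network contains the address wins; with no match the default applies."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, limit in entries:
        if addr in ipaddress.ip_network(prefix, strict=False):
            return limit
    return default_limit

def shadowed_entries(entries):
    """Return prefixes of entries that can never match because an earlier entry
    already covers every address in them (the misordering the page warns about)."""
    shadowed = []
    for i, (prefix, _) in enumerate(entries):
        net = ipaddress.ip_network(prefix, strict=False)
        for earlier, _ in entries[:i]:
            outer = ipaddress.ip_network(earlier, strict=False)
            if net.version == outer.version and net.subnet_of(outer):
                shadowed.append(prefix)
                break
    return shadowed

# Constructed lists: throttle the /24 to 20 c/s, but allow a monitoring host 500 c/s.
WRONG_ORDER = [("192.0.2.0/24", 20), ("192.0.2.10/32", 500)]  # network first: host entry unreachable
RIGHT_ORDER = [("192.0.2.10/32", 500), ("192.0.2.0/24", 20)]  # host first, as the page advises

if __name__ == "__main__":
    for name, entries in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, "limit for 192.0.2.10:", effective_limit("192.0.2.10", entries),
              "shadowed:", shadowed_entries(entries))
```

With the network listed first the monitoring host is throttled to 20 like the rest of the /24 and its own entry is reported as shadowed; with the host listed first it receives 500 while other addresses in the /24 still get 20 and addresses outside it fall back to the default.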