Intrusion Detection Options (IPS/IDS)

SNORT is an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS). You can import SNORT rules into the LoadMaster and apply them to HTTP/HTTPS connections. You can also create your own rules using the SNORT 2.8 and 2.9 rule sets.

You can enable the rules for a Virtual Service by selecting the Detect Malicious Requests check box in Virtual Services > View/Modify Services > Modify > Advanced Properties.

Download the SNORT Rules

You can download the SNORT rule set from the SNORT website. In the Rules section, under Community - click community-rules.tar.gz to start the download.

Install the SNORT Rules

To install the SNORT rules on the LoadMaster, follow the steps below:

1. In the main menu of the LoadMaster WUI, go to Certificates & Security > IPS / IDS.
2. Click Choose File next to Detection Rules.
3. Browse to and select the previously downloaded community-rules.tar.gz file.
4. Click Install new Rules.
5. Select your chosen Detection Level.

Deactivate/Activate the SNORT Rules

You can modify the community-rules.tar.gz file by commenting out or un-commenting out rules. You can do this by opening the file as an archive using a file archive tool such as 7-Zip:

1. Open 7-Zip.
2. Click File and select Open.
3. Browse to the community-rules.tar.gz file.
4. Double-click the file to open the archive.
5. Continue double-clicking until you can see the following files:

• community.rules

• AUTHORS

• LICENSE

• sid-msg.map

• VRT-License.txt

1. Right-click community.rules.
2. Select Edit to open the file in a text editor (the edit shortcut key is F4).
3. Search for the desired rule by Signature ID (SID), for example, sid:2067.
4. To deactivate a rule, comment out the rule by adding a hash symbol (#) at the beginning of the line.
5. To activate a rule, un-comment the rule by deleting the # at the beginning of the line.
6. After your modifications are complete, click File > Exit to close the text editor.
7. When prompted to save the file, click Yes.

For further details, refer to the following Knowledge Base article: How to configure Intrusion Protection on LoadMaster (IPS+SNORT).

Detection Rules

Select the relevant detection rules and click the Install New Rules button to install them.

If you are implementing SNORT rules, please remember the following:

• The destination port must be $HTTP_PORTS
• A ‘msg’ may be optionally set
• The flow must be set to ‘to_server,established’
• The actual filter may be either ‘content’ or ‘pcre’
• Additional ‘http_’ parameters may be set
• The classtype must be set to a valid value

Detection Level

Supports four levels of what to do when problems are encountered:

• Low – only logging with no rejection
• Default – only critical problems rejected
• High – Serious and critical problems rejected
• Paranoid – All detected problems rejected

The four levels of severity are classified according to the classtype value in the SNORT rules configuration file. If the severity is less than the configured value, a diagnostic is generated and the connection is dropped. The levels of severity correspond to the following values - Low = 1, Default = 2, and High = 3. You can view the SNORT rule classtypes and their corresponding values in the table below.