IPS stands for Intrusion Prevention System. An IPS includes a signature set against which network traffic is evaluated to find potential security issues, and each signature is assigned a severity reflecting how likely a match is to indicate something malicious.
With Route10, we categorize signatures into three levels: High, Medium and Low. High severity includes signatures which indicate a high probability of malicious activity on the network. Low severity signatures are generally informational and not a sign of malicious activity, though they can point to policy violations or broken behavior by client devices. One example is flagging DNS over HTTPS (DoH) traffic, which is normal in many networks, but in others could indicate someone attempting to bypass the DNS security and/or content controls enforced by the internal DNS servers. Medium severity covers signatures which fall somewhere between High and Low. The risk they indicate varies with the environment and the specific alert's context; a Medium alert often does not indicate a compromise, but it might.
Which level to use depends on your environment and goals. Many networks won't want to bother with Low severity signatures, because they tend to generate noise that nobody acts on, while others will want to review those in their entirety to catch potential problems. Most will probably want to use Medium as the threshold, which eliminates the bulk of the non-actionable alerts while still alerting on every signature that indicates a probable compromised system. A reasonable approach is to start with Low, see what alerts that generates, and raise the threshold to Medium if too many of the Low severity alerts turn out to be noise.
The signatures bundled with Route10 are the widely-used Emerging Threats GPL rules. These are updated upstream once a day, and Route10 pulls in those updates once a day. There are over 42,000 signatures included at the time of this writing. Raw details about these signatures can be found at https://rules.emergingthreats.net/. The specific rules files (the set built for Suricata 7.0.3) can be found at https://rules.emergingthreats.net/open/suricata-7.0.3/, and the daily change logs are available from https://rules.emergingthreats.net/changelogs/. Most people need not be concerned about those specifics; they are provided for those who want to dig further into the details, for example to look up exactly what a given signature matches before deciding whether to silence it.
To configure IPS, browse to manage.alta.inc or your locally-hosted controller, and go to Settings, Firewall, Intrusion Prevention.
Once alerts have been generated, you'll find them under Events in the controller.
Each alert entry has two buttons on the right. The trash can icon deletes the alert, which you might do after reviewing an alert that requires no further action. The eye-with-a-slash icon silences that specific signature, so it will no longer produce alerts. Signatures which generate a lot of false positives or useless noise on your network are good candidates to silence, so relevant alerts don't get buried in a pile of meaningless ones. Since silencing applies to every future match of that signature, not just the one host or event you reviewed, it is worth keeping a note of which signatures you silenced and why.
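To make the severity thresholds and the silence list above concrete, the following Python script is an added example (not code from Route10 or the Alta controller). It parses rules in Suricata syntax, reads the `signature_severity` metadata that Emerging Threats rules carry (values Critical, Major, Minor and Informational), and then applies a threshold plus a set of silenced sids. The mapping of Route10's High/Medium/Low levels onto those metadata values is an assumption made for illustration, and the rules in `SAMPLE_RULES` are constructed samples modelled on the ET layout (they use sids in the local 9000000 range, not real ET sids). You can point `parse_rules` at a downloaded `emerging-*.rules` file to see the real distribution.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Ranks for the signature_severity values used in Emerging Threats rule metadata.
# Mapping these onto Route10's High/Medium/Low is an assumption for this example:
# Low ~ Informational, Medium ~ Minor, High ~ Major/Critical.
SEVERITY_RANK = {"Informational": 0, "Minor": 1, "Major": 2, "Critical": 3}

# Constructed sample rules in Suricata syntax, not a real ET rules file.
# sids >= 1000000 are the local range, so they cannot collide with ET sids.
SAMPLE_RULES = """\
# constructed sample, modelled on the Emerging Threats layout
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:9000001; rev:1; metadata:signature_severity Major, created_at 2010_09_23;)
alert dns $HOME_NET any -> any any (msg:"SAMPLE POLICY DNS over HTTPS resolver lookup"; dns.query; content:"dns.google"; nocase; classtype:policy-violation; sid:9000002; rev:1; metadata:signature_severity Informational;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE POLICY Outdated TLS client version"; classtype:policy-violation; sid:9000003; rev:1; metadata:signature_severity Minor;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE Possible C2 beacon"; flow:established,to_server; content:"|00 01 02|"; classtype:trojan-activity; sid:9000004; rev:2; metadata:signature_severity Critical, former_category MALWARE;)
"""


@dataclass
class Rule:
    sid: int
    msg: str
    classtype: str
    severity: Optional[str]  # None when the rule carries no signature_severity metadata


# The option block is everything between the first '(' and the last ')'.
OPTIONS_RE = re.compile(r"\((.*)\)\s*$")
# Split on ';' that is not escaped as '\;' (a literal semicolon inside content).
OPTION_SPLIT_RE = re.compile(r"(?<!\\);")


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; returns None for blank lines, comments and unparseable input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = OPTIONS_RE.search(line)
    if not m:
        return None
    opts: Dict[str, str] = {}
    for raw in OPTION_SPLIT_RE.split(m.group(1)):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        # Keep the first occurrence of repeated keywords such as content.
        opts.setdefault(key.strip(), val.strip().strip('"'))
    if "sid" not in opts:
        return None
    severity = None
    for item in opts.get("metadata", "").split(","):
        k, _, v = item.strip().partition(" ")
        if k == "signature_severity":
            severity = v.strip()
    return Rule(int(opts["sid"]), opts.get("msg", ""), opts.get("classtype", ""), severity)


def parse_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def counts_by_severity(rules: Iterable[Rule]) -> Dict[str, int]:
    """How many rules sit at each severity; useful before picking a threshold."""
    return dict(Counter(r.severity or "Unknown" for r in rules))


def select_rules(rules: Iterable[Rule], threshold: str, silenced: Iterable[int] = ()) -> List[Rule]:
    """Rules that would alert at `threshold`, minus any sid the operator silenced."""
    min_rank = SEVERITY_RANK[threshold]
    muted = set(silenced)
    keep = []
    for r in rules:
        if r.sid in muted:
            continue
        rank = SEVERITY_RANK.get(r.severity or "")
        # Rules with no or unknown severity are kept so they get reviewed, not dropped silently.
        if rank is None or rank >= min_rank:
            keep.append(r)
    return keep


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("by severity:", counts_by_severity(rules))
    for r in select_rules(rules, "Major", silenced={9000001}):
        print(f"{r.sid} [{r.severity}] {r.classtype}: {r.msg}")
```

Rules that carry no `signature_severity` are deliberately kept at every threshold; dropping them would hide exactly the signatures you have not yet classified.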
Once IPS has been enabled for an hour or more, you'll almost certainly see at least some alerts if your notification level is set to Low. Give it some time to process real traffic before judging the results.
To trigger an alert immediately, one option is to visit http://testmyids.com, which serves a response matching a well-known Emerging Threats signature and will generate one alert. Use the plain http:// URL as written: the signature matches the content of the response, and an https:// request would be encrypted and therefore not inspected.