Product Overview
The Host-based Intrusion Detection/Intrusion Prevention Service (IDS/IPS) provides an agent-based system that is installed on a host for network traffic analysis and reporting based on policies defined by Armor. Armor utilizes an enterprise-class IDS/IPS application and deploys the application agent with the Armor Agent. The IDS/IPS agent registers with an Armor management console, which receives IDS/IPS events in real time. IDS/IPS event details are available in the Armor Management Portal (AMP). Armor's IDS/IPS policies are designed to detect network-based events.
Armor's IDS/IPS, powered by Armor's threat prevention and response platform, monitors your environment and alerts you and the Armor Security Operations Center (SOC) experts to potential threats, allowing for a quick and accurate response. All event data collected by the Armor IDS/IPS is integrated with data collected by the other security appliances Armor monitors, and correlated to identify suspicious patterns and behavior. Unlike traditional service providers, our security experts in the SOC go beyond alerting to help your security team quickly respond to the threat and minimize the risk it may pose.
Note: To fully use this screen, you must add the following permission to your account:
You can use the Intrusion Detection System screen to view data from the host-based intrusion detection system (HIDS).
Any observed attempts are delivered to Armor's advanced correlation engine for inspection and correlation with other collected logs.
Review Widgets
| Widget | Description |
|---|---|
| Top Signatures | This widget displays the top 10 IDS events detected over the past 7 days, grouped together by signature. |
| Top VMs | This widget displays the top 10 IDS events detected over the past 7 days, grouped together by virtual machine. |
Understand Intrusion Detection System (IDS)
This section displays details for all IDS events detected over the past 7 days.
| Column | Description |
|---|---|
| Name | This column displays the name of your virtual machine. |
| Source IP | This column displays the source IP address of the traffic that matched the signature. |
| Source Port | This column displays the source port of the traffic that matched the signature. |
| Destination IP | This column displays the IP address of your virtual machine. |
| Destination Port | This column displays the destination port on your virtual machine. |
| Event Signature | This column displays the content of the signature. |
| Event Timestamp | This column displays the date and time when the event signature was detected. |
| Count | This column displays the number of times the event signature was detected. |
As a prerequisite to installing Intrusion Prevention Services, you must install the Trend sub-agent. Use the following commands to manage the Trend sub-agent.
Info: You can also manage the Trend sub-agent in the Armor Toolbox.
Recommendation Scans
One of the features available in Agent 3.0 is Recommendation scans. Recommendation scans provide a good starting point for establishing a list of rules that you should implement. During a recommendation scan, the Armor Agent scans the operating system for installed applications, the Windows registry, open ports, and more. To take advantage of Recommendation scans, turn on Ongoing Recommendation scans in the Toolbox.
Info: Recommendation Scans work in tandem with the Auto-Apply configuration for IPS. The results of the Recommendation Scan can only be applied when Auto-Apply for the IPS service is turned on.
Install Trend Sub-Agent:

    Windows: C:\.armor\opt\armor.exe trend install
    Linux:   /opt/armor/armor trend install
Uninstall Trend Sub-Agent:

    Windows: C:\.armor\opt\armor.exe trend uninstall
    Linux:   /opt/armor/armor trend uninstall
Trend Sub-Agent Status:

    Windows: C:\.armor\opt\armor.exe trend status
    Linux:   /opt/armor/armor trend status
Turn On Recommended Scans:

    Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan on
    Linux:   /opt/armor/armor trend ongoing-recommendation-scan on
Turn Off Recommended Scans:

    Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan off
    Linux:   /opt/armor/armor trend ongoing-recommendation-scan off
Schedule a Recommended Scan (Runs on Next Trend Sub-Agent Heartbeat):

    Windows: C:\.armor\opt\armor.exe trend recommendation-scan
    Linux:   /opt/armor/armor trend recommendation-scan
Set Recommendation Scan Interval (replace <interval> with the desired scan interval):

    Windows: C:\.armor\opt\armor.exe trend set-recommendation-scan-interval <interval>
    Linux:   /opt/armor/armor trend set-recommendation-scan-interval <interval>
Get Recommendation Scan Interval:

    Windows: C:\.armor\opt\armor.exe trend get-recommendation-scan-interval
    Linux:   /opt/armor/armor trend get-recommendation-scan-interval
Trend Sub-Agent Help:

    Windows: C:\.armor\opt\armor.exe trend help
    Linux:   /opt/armor/armor trend help
Restart Trend:

    Windows: C:\.armor\opt\armor.exe trend service-restart
    Linux:   /opt/armor/armor trend service-restart
Use the following commands to manage the Intrusion Detection service.
Turn On Detect Mode:

    Windows: C:\.armor\opt\armor.exe ips detect
    Linux:   /opt/armor/armor ips detect

Optional Parameters:

    Windows: C:\.armor\opt\armor.exe ips detect auto-apply-recommendations=on
    Linux:   /opt/armor/armor ips detect auto-apply-recommendations=on
    Windows: C:\.armor\opt\armor.exe ips detect auto-apply-recommendations=off
    Linux:   /opt/armor/armor ips detect auto-apply-recommendations=off
Turn On Prevent Mode:

    Windows: C:\.armor\opt\armor.exe ips prevent
    Linux:   /opt/armor/armor ips prevent

Optional Parameters:

    Windows: C:\.armor\opt\armor.exe ips prevent auto-apply-recommendations=on
    Linux:   /opt/armor/armor ips prevent auto-apply-recommendations=on
    Windows: C:\.armor\opt\armor.exe ips prevent auto-apply-recommendations=off
    Linux:   /opt/armor/armor ips prevent auto-apply-recommendations=off
Turn Off Prevent Mode:

    Windows: C:\.armor\opt\armor.exe ips off
    Linux:   /opt/armor/armor ips off
IPS Status:

    Windows: C:\.armor\opt\armor.exe ips status
    Linux:   /opt/armor/armor ips status
List of Available IPS Rules:

    Windows: C:\.armor\opt\armor.exe ips list-available-rules
    Linux:   /opt/armor/armor ips list-available-rules
List of Assigned IPS Rules on Policy:

    Windows: C:\.armor\opt\armor.exe ips list-assigned-rules
    Linux:   /opt/armor/armor ips list-assigned-rules
Assign IPS Rules:

    Windows: C:\.armor\opt\armor.exe ips assign-rules
    Linux:   /opt/armor/armor ips assign-rules
Un-Assign IPS Rule:

    Windows: C:\.armor\opt\armor.exe ips unassign-rule
    Linux:   /opt/armor/armor ips unassign-rule
Intrusion Detection Help:

    Windows: C:\.armor\opt\armor.exe ips help
    Linux:   /opt/armor/armor ips help
Export IDS Data
1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
2. Click Intrusion Detection.
3. (Optional) Use the filter function to customize the data displayed.
4. Below the table, click CSV.
5. You have the option to export all of the data (All), or only the data that appears on the current screen (Current Set).
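The Intrusion Detection table, the Top Signatures / Top VMs widgets and the CSV export above all describe the same event data. The following Python is an added example, not Armor's code: it parses a CSV with the column headers listed on this page and rebuilds the two 7-day widget summaries, then adds one simple correlation of the kind the page says the SOC performs (a single source address that triggered signatures on more than one VM). The sample rows, the ISO-8601 UTC timestamp format, the exact export header line and the choice to sum the Count column are all assumptions; malformed rows are counted and dropped rather than silently skewing the totals.

```python
"""Rebuild the Top Signatures / Top VMs summaries from an exported IDS CSV.

Added example; this is not Armor code. Column names follow the Intrusion
Detection table on the page; the sample rows, the timestamp format and the
decision to sum the Count column are assumptions."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed export timestamp format (UTC)

# Constructed sample export: RFC 5737 addresses and made-up signature names.
# The last row carries a bad timestamp to exercise the malformed-row path.
SAMPLE_CSV = """\
Name,Source IP,Source Port,Destination IP,Destination Port,Event Signature,Event Timestamp,Count
web-01,203.0.113.10,51234,10.0.0.5,443,Constructed signature A,2024-05-01T10:15:00Z,3
web-01,203.0.113.11,44211,10.0.0.5,80,Constructed signature B,2024-05-01T11:02:00Z,7
db-01,198.51.100.7,60001,10.0.0.9,3306,Constructed signature C,2024-05-02T03:40:00Z,12
web-02,203.0.113.10,40122,10.0.0.6,80,Constructed signature B,2024-05-03T09:00:00Z,2
web-01,203.0.113.10,51300,10.0.0.5,443,Constructed signature A,2024-04-20T08:00:00Z,50
web-03,203.0.113.99,1234,10.0.0.7,22,Constructed signature D,not-a-timestamp,1
"""


def parse_events(text):
    """Parse the CSV and return (events, rejected_row_count).

    Rows whose timestamp or Count cannot be parsed are dropped, and the
    number dropped is returned so a broken export is noticed, not hidden."""
    events, rejected = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ts = datetime.strptime(row["Event Timestamp"], TS_FORMAT)
            count = int(row["Count"])
        except (KeyError, ValueError, TypeError):
            rejected += 1
            continue
        events.append({**row, "Event Timestamp": ts.replace(tzinfo=timezone.utc), "Count": count})
    return events, rejected


def in_window(events, now, days=7):
    """Keep only events inside the trailing window the widgets use."""
    start = now - timedelta(days=days)
    return [e for e in events if start <= e["Event Timestamp"] <= now]


def top_by(events, column, n=10):
    """Sum Count per distinct value of `column`; highest totals first,
    ties broken by name so the output is stable."""
    totals = Counter()
    for e in events:
        totals[e[column]] += e["Count"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_signatures(events, now, n=10, days=7):
    return top_by(in_window(events, now, days), "Event Signature", n)


def top_vms(events, now, n=10, days=7):
    return top_by(in_window(events, now, days), "Name", n)


def sources_spanning_vms(events, now, days=7):
    """Source IPs that triggered signatures on more than one VM in the window;
    a cheap cross-host correlation that the per-VM table alone does not show."""
    seen = defaultdict(set)
    for e in in_window(events, now, days):
        seen[e["Source IP"]].add(e["Name"])
    return {ip: sorted(vms) for ip, vms in seen.items() if len(vms) > 1}


def summarize(text, now_iso, days=7, n=10):
    """One-call report relative to an ISO-8601 UTC 'now' (e.g. 2024-05-04T00:00:00Z)."""
    now = datetime.strptime(now_iso, TS_FORMAT).replace(tzinfo=timezone.utc)
    events, rejected = parse_events(text)
    return {
        "parsed": len(events),
        "rejected": rejected,
        "top_signatures": top_signatures(events, now, n, days),
        "top_vms": top_vms(events, now, n, days),
        "sources_spanning_vms": sources_spanning_vms(events, now, days),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CSV, "2024-05-04T00:00:00Z")
    print(f"parsed {report['parsed']} events, rejected {report['rejected']}")
    for section in ("top_signatures", "top_vms"):
        print(section)
        for name, total in report[section]:
            print(f"  {total:5d}  {name}")
    print("sources seen on more than one VM:", report["sources_spanning_vms"])
```

To use it on a real export, read the downloaded CSV into a string and pass the current UTC time as `now_iso`; if the export's header or timestamp format differs from the assumption here, adjust `TS_FORMAT` and the column names at the top before trusting the totals, and treat a non-zero `rejected` count as a parsing problem to investigate rather than noise.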
For Intrusion Detection
Users can search for HIDS events in Log Search. For instructions on how to access and use Log Search, please see our Log Search documentation.
An example of HIDS logs can be seen below:
For a full list of Log Search fields and descriptions, please visit our glossary.