Versions Compared

Old Version 52

changes.mady.by.user Luke Fritz (Unlicensed)

Saved on

compared with

New Version Current

changes.mady.by.user Emad Abualjazer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

id443986285

...

id443986296
Section
background-color$lightGrayColor
id443986284

Topics Discussed

Table of Contents
maxLevel4
minLevel3

...

id443986286

Topics Discussed

Table of Contents

Product Overview

...

The Host-based Intrusion Detection/Intrusion Prevention Service (IDS/IPS) provides an agent-based system that is installed on a Host for network traffic analysis and reporting based on policies defined by Armor. Armor utilizes an enterprise-class IDS/IPS application and deploys the application agent with the Armor Agent. The IDS/IPS agent registers with an Armor management console, which receives IDS/IPS events in real-time. IDS/IPS event details are available in the Armor Management Portal (AMP). Armor's IDS/IPS policies are designed to detect network based events.

...

Armor's IDS/IPS, powered by the Armor's threat prevention and response platform, monitors your environment, and alerts you and our elite Armor Security Operations Center (SOC) experts to potential threats, allowing for a quick and accurate response. All event data collected by the Armor IDS/IPS is integrated with data collected by other security appliances under monitoring by Armor, and correlated to identify suspicious patterns and behavior. Unlike traditional service providers, our security experts in the SOC go beyond alerting to help your security team quickly respond to the threat and minimize risk it may pose.

Note

To fully use this screen, you must add the following permission to your account:

  • Read IDS

You can use the Intrusion Detection System screen to view data from the host-based intrusion detection system (HIDS).

Intrusion Detection Systems (IDS) analyze network or host traffic and alert if that traffic matches signatures of known attacks. These events are correlated in our Security Information Event Management (SIEM) system, in combination with other security data, to alert on security threats.

This system provides an agent-based, intrusion detection service for network traffic analysis and reporting. Specifically, HIDS monitors for attack attempts.

Any observed attempts are delivered to Armor's advanced correlation engine for inspection and correlation with other collected logs.


Review Widgets

...

Widget

Description

Top Signatures

This widget displays the top 10 IDS events detected over the past 7 days, grouped together by signature.

Top VMs

This widget displays the top 10 IDS events detected over the past 7 days, grouped together by virtual machine.


Understand Intrusion Detection System (IDS)

...

This section displays details for all IDS events detected over the past 7 days.

Column

Description

Name

This column displays the name of your virtual machine.

Source IP

This column displays the IP address of the signature.

Source Port

This column displays the port address of the signature.

Destination IP

This column displays the IP address of your virtual machine.

Destination Port

This column displays the port address of your virtual machine.

Event Signature

This column displays the the content of the signature.

Event Timestamp

This column displays the time and date when the event signature was detected.

Count

This column displays the number of event signatures that were detected.

Anchor
Enable-Trend-Sub-Agent
Enable-Trend-Sub-Agent
Enable Trend Sub-Agent

...

As a prerequisite to installing Intrusion Prevention Services, you must install the Trend sub-agent. Use the following commands to manage the Trend sub-agent.

Info

For cloned assets with the Trend sub-agent installed, users will still need to enable the modules and run recommendation scans as needed.

Info

You can also manage the Trend sub-agent in the Armor Toolbox.


Recommendation Scans

...

One of the features available in Agent 3.0 is Recommendation scans. Recommendation scans provide a good starting point for establishing a list of rules that you should implement. During a recommendation scan, the Armor Agent scans the operating system for installed applications, the Windows registry, open ports, and more. To take advantage of Recommendation scans, turn on Ongoing Recommendation scans in the Toolbox.

Info

Recommendation Scans work in tandem with the Auto-Apply configuration for IPS. The results of the Recommendation Scan can only be applied when Auto-Apply for the IPS service is turned on.


Install Trend Sub-Agent:

Windows: C:\.armor\opt\armor.exe trend install
Linux: /opt/armor/armor trend install
Code Block
themeMidnight
firstline1
linenumberstrue

Uninstall Trend Sub-Agent:

theme
Windows: C:\.armor\opt\armor.exe trend uninstall
Linux: /opt/armor/armor trend uninstall
Code Block
Midnight
firstline1
linenumberstrue

Trend Sub-Agent Status:

theme
Windows: C:\.armor\opt\armor.exe trend status
Linux: /opt/armor/armor trend status
Code Block
Midnight
firstline1
linenumberstrue

Turn On Recommended Scans:

theme
Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan on
Linux: /opt/armor/armor trend ongoing-recommendation-scan on
Code Block
Midnight
firstline1
linenumberstrue

Turn Off Recommended Scans:

Midnight
Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan off
Linux: /opt/armor/armor trend ongoing-recommendation-scan off
Code Block
theme
firstline1
linenumberstrue

Schedule a Recommended Scan (Runs on Next Trend Sub-Agent Heartbeat):

Windows: C:\.armor\opt\armor.exe trend recommendation-scan
Linux: /opt/armor/armor trend recommendation-scan
Code Block
themeMidnight
firstline1
linenumberstrue

Set Recommendation Scan Interval:

true
Code Block
themeMidnight
firstline1
linenumbers
Windows: C:\.armor\opt\armor.exe trend set-recommendation-scan-interval <interval>
Linux: /opt/armor/armor trend set-recommendation-scan-interval <interval>
Info

Options

are

"24

Hours"

"2

Days"

"3

Days"

"7

Days"

"2

Weeks"

"3

Weeks"

"4

Weeks"


Get Recommendation Scan Interval:

1
Windows: C:\.armor\opt\armor.exe trend get-recommendation-scan-interval
Linux: /opt/armor/armor trend get-recommendation-scan-interval
Code Block
themeMidnight
firstline
linenumberstrue

Trend Sub-Agent Help

linenumbers
Windows: C:\.armor\opt\armor.exe trend help
Linux: /opt/armor/armor trend help
Code Block
themeMidnight
firstline1
true

Restart Trend:

true
Code Block
themeMidnight
firstline1
linenumbers
Windows: C:\.armor\opt\armor.exe trend service-restart
Linux: /opt/armor/armor trend service-restart

Anchor
Enable-Intrusion-Prevention-Service
Enable-Intrusion-Prevention-Service
Enable Intrusion Prevention Service

...

Use the following commands to manage the Intrusion Detection service.

Turn On Detect Mode:

Windows: C:\.armor\opt\armor.exe ips detect 
Linux: /opt/armor/armor ips detect

Optional Parameters
Windows: C:\.armor\opt\armor.exe ips detect auto-apply-recommendations=on
Linux: /opt/armor/armor ips detect auto-apply-recommendations=on

Windows: C:\.armor\opt\armor.exe ips detect auto-apply-recommendations=off
Linux: /opt/armor/armor ips detect auto-apply-recommendations=off
Code Block
themeMidnight
firstline1
linenumberstrue
Info

The Auto-Apply configuration for IPS works in tandem with Recommendation Scans. Only after a Recommendation Scan is run will there be policies to Auto-Apply.

Turn On Prevent Mode:

Windows: C:\.armor\opt\armor.exe ips prevent 
Linux: /opt/armor/armor ips prevent 

Optional Parameters
Windows: C:\.armor\opt\armor.exe ips prevent auto-apply-recommendations=on
Linux: /opt/armor/armor ips prevent auto-apply-recommendations=on

Windows: C:\.armor\opt\armor.exe ips prevent auto-apply-recommendations=off
Linux: /opt/armor/armor ips prevent auto-apply-recommendations=off
Code Block
themeMidnight
firstline1
linenumberstrue

Turn Off Prevent Mode:

Windows: C:\.armor\opt\armor.exe ips off
Linux: /opt/armor/armor ips off
Code Block
themeMidnight
firstline1
linenumberstrue

IPS Status:

firstline
Windows: C:\.armor\opt\armor.exe ips status
Linux: /opt/armor/armor ips status
Code Block
themeMidnight
1
linenumberstrue

List of Available IPS Rules: 

Windows: C:\.armor\opt\armor.exe ips list-available-rules
Linux: /opt/armor/armor ips list-available-rules
Code Block
themeMidnight
firstline1
linenumberstrue

List of Assigned IPS Rules on Policy:

Windows: C:\.armor\opt\armor.exe ips list-assigned-rules
Linux: /opt/armor/armor ips list-assigned-rules
Code Block
themeMidnight
firstline1
linenumberstrue

Assign IPS Rules:

firstline
Windows: C:\.armor\opt\armor.exe ips assign-rules
Linux: /opt/armor/armor ips assign-rules
Code Block
themeMidnight
1
linenumberstrue

Un-Assign IPS Rule:

1
Windows: C:\.armor\opt\armor.exe ips unassign-rule
Linux: /opt/armor/armor ips unassign-rule
Code Block
themeMidnight
firstline
linenumberstrue

Intrusion Detection Help

Windows: C:\.armor\opt\armor.exe ips help
Linux: /opt/armor/armor ips help
Code Block
themeMidnight
firstline1
linenumberstrue


Export IDS Data

...

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Intrusion Detection.

  3. (Optional) Use the filter function to customize the data displayed.

  4. Below the table, click CSV.

    • You have the option to export all of the data (All), or only the data that appears on the current screen (Current Set).

Anchor
Log-Search-for-Intrusion-Detection
Log-Search-for-Intrusion-Detection
Log Search

...

For Intrusion Detection

...

Users can search for HIDS events in Log Search. For instructions on how to access and use Log Search, please see our documentation here.

An example of HIDS logs can be seen below:

Image Modified

For a full list of Log Search fields and descriptions, please visit our glossary here.

...