Kaspersky Industrial CyberSecurity for Networks

Intrusion Detection rules

March 22, 2024

ID 171090

An Intrusion Detection rule describes a traffic anomaly that could be a sign of an attack in the industrial network. The rules contain the conditions that the Intrusion Detection system uses to analyze traffic.

Intrusion Detection rules are stored on the Server and sensors.

The application applies intrusion detection rules when using the rule-based intrusion detection method. You can enable and disable this method.

Intrusion detection rules are grouped into sets of rules based on some attributes. For example, rules can be grouped by their purpose and included in a set designed to detect certain types of intrusions. You can use the following types of rule sets:

  • System rule sets. These rule sets are provided by Kaspersky and are intended for detecting signs of the most frequently encountered attacks or unwanted network activity. System rule sets are available immediately after the application is installed. You can update system sets of rules by installing updates.
  • User-defined rule sets. These rule sets are loaded into the application separately by the user. To load them, you need to use files containing data structures that define Intrusion Detection rules. These files must be in the same folder and have the RULES extension. The names of user-defined rule sets must match the names of the files from which these rule sets were loaded.

The application applies no more than 50,000 rules in total across all loaded rule sets, and no more than 100 rule sets can be loaded.

Rules loaded from user-defined rule sets may contain traffic analysis conditions that cause the application to register an excessive number of events when the rules are triggered. Keep in mind that logging too many events may degrade the performance of the Intrusion Detection System.

Sets of Intrusion Detection rules can be either enabled or disabled. Rules from the enabled set are applied during traffic analysis if the rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules from this rule set are not applied.

When a rule set is loaded, the application verifies the rules in the rule set. If errors are detected in the verified rules, the application blocks these rules from being applied. If errors are detected in all rules of the rule set or the rule set does not contain any rules, the application disables this rule set.

For information about sets of rules and detected errors, please refer to the Intrusion Detection section.

When the conditions defined in a rule from an enabled rule set are detected in traffic, the application registers a rule-triggering event. Events are registered with system event types that are assigned the following codes:

  • 4000003000 – for an event when a rule from a system rule set is triggered.
  • 4000003001 – for an event when a rule from a user-defined rule set is triggered.

User-defined rule sets may contain rules that were received from other Intrusion Prevention and Detection systems. When processing these rules, the application does not perform their defined actions that would otherwise be applied to network packets (for example, the drop and reject actions). When Intrusion Detection rules are triggered in Kaspersky Industrial CyberSecurity for Networks, only event registration is performed.

The scores of Kaspersky Industrial CyberSecurity for Networks events correspond to the specific priorities in Intrusion Detection rules (see the table below).

Mapping rule priorities to event scores

  Intrusion Detection rule priority | Kaspersky Industrial CyberSecurity for Networks event score values
  4 or higher                       | 2.5
  3                                 | 4.5
  2                                 | 6.5
  1                                 | 9
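The loading, verification, limit and event-registration behaviour described above, modelled in Python as an added example (this is not Kaspersky's code). The Snort-like rule syntax, the regular expressions, the function names and the sample rules are assumptions, because the page does not document the rule format or the checks the application performs.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

MAX_RULES_TOTAL, MAX_RULE_SETS = 50_000, 100               # documented limits
EVENT_SYSTEM_SET, EVENT_USER_SET = 4000003000, 4000003001  # rule-triggering event codes

def score_for_priority(priority: int) -> float:
    return {1: 9.0, 2: 6.5, 3: 4.5}.get(priority, 2.5)  # 4 or higher -> 2.5

# ASSUMPTION: a Snort-like "action header (options)" syntax stands in for the undocumented KICS checks.
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)$")
PRIO_RE = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")

@dataclass
class RuleSet:
    name: str          # a user-defined set is named after its .RULES file
    system: bool
    rules: list = field(default_factory=list)    # (text, priority), applied
    blocked: list = field(default_factory=list)  # rules with errors, not applied
    enabled: bool = True

def load_rule_set(name: str, text: str, system: bool = False) -> RuleSet:
    rs = RuleSet(name, system)
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        p = PRIO_RE.search(m["opts"]) if m else None
        if m and p:  # the action (e.g. drop/reject) is kept but never executed
            rs.rules.append((line, int(p.group(1))))
        else:  # other shape, or no numeric priority: treated as a rule with errors
            rs.blocked.append(line)
    rs.enabled = bool(rs.rules)  # every rule bad, or no rules at all: set disabled
    return rs

def load_user_rule_sets(folder: str) -> list:  # one set per *.RULES file, named after it
    return [load_rule_set(p.name, p.read_text()) for p in sorted(Path(folder).glob("*.RULES"))]

def within_limits(sets: list) -> bool:
    return len(sets) <= MAX_RULE_SETS and sum(len(s.rules) for s in sets) <= MAX_RULES_TOTAL

def trigger_event(rs: RuleSet, priority: int):  # (event code, score), or None if set disabled
    return None if not rs.enabled else (
        EVENT_SYSTEM_SET if rs.system else EVENT_USER_SET, score_for_priority(priority))

# Constructed sample, not real KICS rules: two parsable rules and one malformed line.
SAMPLE_RULES = """alert tcp any any -> 10.0.0.0/8 502 (msg:"Modbus write"; priority:1;)
drop tcp any any -> any 44818 (msg:"ENIP probe"; priority:4;)
this is not a rule"""
```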
