Managing user-defined IDS rules

Users with the Senior security officer role can import, configure, replace, and delete user-defined IDS rules, as well as add Kaspersky-defined IDS rules to exclusions from scanning. Users with the Senior security officer or Security officer roles can use IDS rules to search for signs of targeted attacks, infected and possibly infected objects in the alert database, and to view the IDS rule information.

Depending on the program operating mode and the server on which the IDS rules are created, user-defined IDS rules can have one of the following types:

• Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).

  Operation mode in which the program can be used to protect the infrastructure of several organizations simultaneously.

  Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a master control server (Primary Central Node (PCN)) and slave servers (Secondary Central Nodes (SCN)).

• Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).

In this Help section Importing a user-defined IDS rule Viewing the information of a user-defined IDS rule Enabling and disabling the use of an IDS rule when scanning events Configuring the importance of alerts generated by the user-defined IDS rule Replacing a user-defined IDS rule Downloading a user-defined IDS rule file to the computer Deleting a user-defined IDS rule

Page top