An Intrusion Detection rule describes a traffic anomaly that could be a sign of an attack in the industrial network. The rules contain the conditions that the Intrusion Detection system uses to analyze traffic.
Intrusion Detection rules are stored on the Server and sensors.
Intrusion Detection rules are included in rule sets. A rule set includes Intrusion Detection rules grouped according to any attributes (for example, rules that contain interdependent traffic analysis conditions). The following types of rule sets may be used in the application:
The application supports the application of no more than 50,000 rules cumulatively in all loaded rule sets. The limit on the number of loaded rule sets is 100.
Rules loaded from user-defined rule sets may contain traffic analysis conditions whereby the application will register an excessive number of events when these rules are triggered. When using rules that invoke the registration of an excessive number of events, keep in mind that they could affect the performance of the Intrusion Detection system in some cases.
Sets of Intrusion Detection rules can be either enabled or disabled. Rules from the enabled set are applied during traffic analysis if the rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules from this rule set are not applied.
When a rule set is loaded, the application verifies the rules in the rule set. If errors are detected in the verified rules, the application blocks these rules from being applied. If errors are detected in all rules of the rule set or the rule set does not contain any rules, the application disables this rule set.
For information about sets of rules and detected errors, please refer to the Intrusion Detection section.
When the conditions defined in a rule from an enabled rule set are detected in traffic, the application registers a rule-triggering event. Events are registered with system event types that are assigned the following codes:
User-defined rule sets may contain rules that were received from other Intrusion Prevention and Detection systems. When processing these rules, the application does not perform their defined actions that would otherwise be applied to network packets (for example, the drop
and reject
actions). When Intrusion Detection rules are triggered in Kaspersky Industrial CyberSecurity for Networks, only event registration is performed.
The scores of Kaspersky Industrial CyberSecurity for Networks events correspond to the specific priorities in Intrusion Detection rules (see the table below).
Mapping rule priorities to event scores
Intrusion Detection rule priority |
Kaspersky Industrial CyberSecurity for Networks event score values |
---|---|
4 or higher |
2.5 |
3 |
4.5 |
2 |
6.5 |
1 |
9 |