Importing a user-defined IDS rule
August 12, 2024
ID 247711
You can import a Snort or Suricata file and use it to scan events and create Intrusion Detection System alerts.
We strongly recommend testing custom rules in a test environment before importing them. Custom IDS rules may cause performance problems, in which case the stability of Kaspersky Anti Targeted Attack Platform is not guaranteed.
For example, loading user-defined rules can cause the following errors:
- The application may create too many IDS alerts.
- If the application cannot record all IDS alerts in time, some network traffic objects may remain unscanned.
- Regular expressions in user-defined rules may impact performance or cause faulty operation of the application.
- Even formally correct user-defined rules may impact performance or cause faulty operation of the application.
IDs and attributes of custom rules may be modified when they are uploaded. Reject and Drop actions are changed to Alert. Rules with the Pass action are deleted.
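A pre-import check for the changes described above, added here as an illustration and not part of the Kaspersky documentation or product: it reads a Snort/Suricata rules file and reports, for each rule, what happens to its action on upload and whether it uses a `pcre` option. The function names, the sample rules, and the assumption that Alert rules keep their action are this example's own.

```python
import re

# Outcomes from the statement above. "alert" staying as-is is an assumption;
# any other action is not covered by the page and is reported as "not stated".
OUTCOME = {"alert": "action unchanged", "drop": "changed to alert",
           "reject": "changed to alert", "pass": "deleted"}

def logical_lines(text):
    """Join backslash-continued lines so a multi-line rule is read as one rule."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def preview_import(text):
    """Return one dict per rule: sid, action, expected outcome, pcre usage."""
    report = []
    for line in logical_lines(text):
        if not line or line.startswith("#") or "(" not in line:
            continue  # blank line, comment or disabled rule, or not a rule
        action = line.split(None, 1)[0].lower()
        options = line[line.index("(") + 1:]
        sid = re.search(r"\bsid\s*:\s*(\d+)", options)
        report.append({
            "sid": int(sid.group(1)) if sid else None,
            "action": action,
            "outcome": OUTCOME.get(action, "not stated"),
            "uses_pcre": bool(re.search(r"\bpcre\s*:", options)),
        })
    return report

# Constructed sample rules file (not from the product or any real rule set).
SAMPLE = r'''
# local test rules
alert tcp any any -> $HOME_NET 80 (msg:"constructed A"; content:"/admin"; sid:1000001; rev:1;)
drop tcp any any -> any 445 (msg:"constructed B"; \
    pcre:"/^.{0,20}test/i"; sid:1000002; rev:1;)
pass ip 10.0.0.5 any -> any any (msg:"constructed C"; sid:1000003; rev:1;)
reject udp any any -> any 53 (msg:"constructed D"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for entry in preview_import(SAMPLE):
        print(entry)
```

Rules reported as "deleted" or "changed to alert" will not behave after import as they do in the source file, and rules with `uses_pcre` set are the ones to watch first when load-testing in the test environment.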
To import a user-defined IDS rule:
- In the window of the application web interface, select the Custom rules section, IDS subsection.
This opens the user-defined IDS rule window.
- Click Import.
This opens the file selection window on your local computer.
- Select the file that you want to upload and click Open.
The user-defined IDS rule is imported into the application.