Kaspersky Industrial CyberSecurity for Networks

Intrusion Detection rules

March 22, 2024

ID 171090

An Intrusion Detection rule describes a traffic anomaly that could be a sign of an attack in the industrial network. The rules contain the conditions that the Intrusion Detection system uses to analyze traffic.

Intrusion Detection rules are stored on the Server and sensors.

Intrusion Detection rules are included in rule sets. A rule set groups Intrusion Detection rules by some shared attribute (for example, rules that contain interdependent traffic analysis conditions). The following types of rule sets may be used in the application:

  • System rule sets. These rule sets are provided by Kaspersky and are intended for detecting signs of the most frequently encountered attacks or unwanted network activity. System rule sets are available immediately after the application is installed. You can update system sets of rules by installing updates.
  • Custom rule sets. These rule sets are loaded into the application separately by the user. They are loaded from files that contain the data structures defining Intrusion Detection rules. All such files must be in the same folder and have the RULES extension. The name of a custom rule set matches the name of the file from which it was loaded.

The application supports no more than 50000 rules in total across all loaded rule sets, and no more than 100 loaded rule sets.

Rules loaded from custom rule sets may contain traffic analysis conditions that cause the application to register an excessive number of events when the rules are triggered. Keep in mind that such rules can, in some cases, degrade the performance of the Intrusion Detection system.

Sets of Intrusion Detection rules can be either enabled or disabled. Rules from an enabled set are applied during traffic analysis if the rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules from that rule set are not applied.

When a rule set is loaded, the application verifies the rules in the rule set. If errors are detected in the verified rules, the application blocks these rules from being applied. If errors are detected in all rules of the rule set or the rule set does not contain any rules, the application disables this rule set.

For information about sets of rules and detected errors, please refer to the Intrusion Detection section.

When the conditions defined in a rule from an enabled rule set are detected in traffic, the application registers a rule-triggering event. Events are registered with system event types that are assigned the following codes:

  • 4000003000 – for an event when a rule from a system rule set is triggered.
  • 4000003001 – for an event when a rule from a custom rule set is triggered.

Custom sets of rules may contain rules that were received from other Intrusion Prevention and Detection systems. When processing these rules, the application does not perform their defined actions that would otherwise be applied to network packets (for example, the drop and reject actions). When Intrusion Detection rules are triggered in Kaspersky Industrial CyberSecurity for Networks, only event registration is performed.

The severity levels of Kaspersky Industrial CyberSecurity for Networks events correspond to the priorities in Intrusion Detection rules (see the table below).

Mapping between rule priority and event severity

Intrusion Detection rule priority | Kaspersky Industrial CyberSecurity for Networks event severity
4 or higher                       | Informational
2 or 3                            | Warning
1                                 | Critical
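As an added illustration (not Kaspersky's code and not the product's actual loader), the following Python sketch applies the behaviour described on this page to a folder's worth of custom rule files: each set is named after its file, rules with an invalid priority are blocked, a set with no usable rules is disabled, the 100-set and 50000-rule limits are enforced, and rule priorities are mapped to event severities per the table. It assumes a Snort-style "priority:N;" option (the page does not define the rule syntax) and uses constructed sample files.

```python
import re

MAX_RULE_SETS = 100             # limits stated on the page
MAX_RULES_TOTAL = 50000
EVENT_SYSTEM_RULE = 4000003000  # rule from a system rule set triggered
EVENT_CUSTOM_RULE = 4000003001  # rule from a custom rule set triggered
# Assumption: a Snort-style "priority:N;" option; the page does not define the rule syntax
_PRIORITY = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")

def severity_for_priority(priority: int) -> str:
    """Event severity for a rule priority, per the mapping table above."""
    if priority < 1:
        raise ValueError("priority must be 1 or higher")
    return "Critical" if priority == 1 else "Warning" if priority <= 3 else "Informational"

def parse_rule_set(text: str) -> list:
    """One rule per non-empty, non-comment line; a non-positive priority is an error."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PRIORITY.search(line)
        priority = int(m.group(1)) if m else None
        rules.append({"text": line, "priority": priority,
                      "blocked": priority is not None and priority < 1})  # error -> blocked
    return rules

def load_custom_rule_sets(files: dict) -> dict:
    """file name -> content; set name = file name, a set with no usable rule is disabled, limits enforced."""
    sets, total = {}, 0
    for name, text in files.items():
        if not name.lower().endswith(".rules"):
            continue  # only files with the RULES extension are rule sets
        rules = parse_rule_set(text)
        sets[name] = {"rules": rules, "event_type": EVENT_CUSTOM_RULE,
                      "enabled": any(not r["blocked"] for r in rules)}
        total += len(rules)
    if len(sets) > MAX_RULE_SETS or total > MAX_RULES_TOTAL:
        raise ValueError("rule set or rule limit exceeded")
    return sets

# Constructed sample files, not real rule content; the drop action would be ignored
SAMPLE_FILES = {
    "ot_custom.rules": ('alert tcp any any -> any 502 (msg:"Modbus write"; priority:1;)\n'
                        'drop tcp any any -> any 102 (msg:"S7 scan"; priority:3;)\n'
                        'alert udp any any -> any 161 (msg:"SNMP probe"; priority:0;)\n'),
    "empty.rules": "# no rules here\n",
}
```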
