Enable the Intrusion Prevention module and monitor network traffic for exploits using
Detect mode. When you are satisfied with how your Intrusion Prevention rules are assigned,
switch to Prevent mode.
Note: CPU usage and RAM usage vary by your IPS configuration. To optimize IPS performance on the agent, see Performance tips for Intrusion Prevention.
For an overview of the Intrusion Prevention module, see Block exploit attempts using Intrusion Prevention.
Enable Intrusion Prevention in Detect mode
Enable Intrusion Prevention and use Detect mode for monitoring. Configure Intrusion
Prevention using the appropriate policies to affect the targeted computers. You can
also configure individual computers.
Procedure
- Go to .
- For Configuration, select either On or Inherited (On).
- For Intrusion Prevention Behavior, select Detect.
Note: For information on enabling Intrusion Prevention for containers, see Apply your intrusion prevention settings.
- Click Save.
What to do next
Tip: If the behavior settings are not available, Network Engine Mode may be set to Tap. (See Test Firewall rules before deploying them.)
For more fine-grained control, when you assign Intrusion Prevention rules, you can override the global behavior mode and configure specific rules to either prevent or detect. (See Override the behavior mode for a rule.)
Enable Auto Apply core Endpoint & Workload rules
Procedure
- Switch Implement core Endpoint & Workload rules automatically to 'Yes'.
- Click Save.
What to do next
Tip: Server & Workload Protection will assign all core Endpoint & Workload Rules to this computer whenever a Rule Update happens.
Note: Manually unassigned core Endpoint & Workload Rules will remain unassigned after Rule Updates.
Note: We recommend that you turn this feature on with an Endpoint license, and turn this feature off and use Recommendation scans with a Workload license.
Test Intrusion Prevention
You should test that the Intrusion Prevention module is working properly before continuing
with further steps.
Procedure
- If you have an agent-based deployment, make sure you have a computer that has an agent running.
- Turn off the Web Reputation module. In the Server & Workload Protection console, click Computers, then double-click the computer where you'll test Intrusion Prevention. In the computer's dialog box, click Web Reputation, and select Off. Web Reputation is now disabled and won't interfere with the Intrusion Prevention functionality.
- Make sure bad traffic is blocked. Still in the computer's dialog box, click Intrusion Prevention, and under the General tab, select Prevent. (If it is shaded, set the Configuration drop-down list to Inherited (On).)
- Assign the EICAR test policy. Still in the computer's dialog box, click Intrusion Prevention. Click Assign/Unassign. Search for 1005924. The 1005924 - Restrict Download of EICAR Test File Over HTTP policy appears. Select its check box and click OK. The policy is now assigned to the computer.
- Try to download the EICAR file (you can't, if Intrusion Prevention is running properly).
On Windows, go to this link: http://files.trendmicro.com/products/eicar-file/eicar.com. On Linux, enter this command:
curl -O http://files.trendmicro.com/products/eicar-file/eicar.com
- Check the Intrusion Prevention events for the computer. Still in the computer's dialog box, click . Click Get Events to see events that have occurred since the last heartbeat. An event appears with a Reason of 1005924 - Restrict Download of EICAR Test File Over HTTP. The presence of this event indicates that Intrusion Prevention is working.
- Revert your changes to return your system to its previous state. Turn on the Web Reputation module (if you turned it off), reset the Prevent or Detect option, and remove the EICAR policy from the computer.
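The download step above can be scripted so the check is repeatable after every policy change. The following is an added example, not Trend Micro's code: it fetches the test file at the URL named in the procedure and classifies the outcome. The way transfer outcomes are mapped onto "blocked" or "downloaded" (a reset or truncated transfer counts as blocked) is an assumption about how the network engine behaves in Prevent mode, not something the procedure states.

```python
"""Scripted form of the EICAR download check from the test procedure above.

Added example, not Trend Micro's code. The verdict mapping is an assumption:
a dropped or truncated transfer is read as the rule having blocked it.
"""
import http.client
import urllib.error
import urllib.request

# URL from the procedure above.
EICAR_URL = "http://files.trendmicro.com/products/eicar-file/eicar.com"
# Every EICAR test file contains this substring; the check looks for it rather
# than embedding the complete test string in this script.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def classify_outcome(status, body, error=None):
    """Turn a fetch result into a verdict on rule 1005924.

    status -- HTTP status code, or None when no response arrived
    body   -- response bytes (possibly empty or truncated)
    error  -- description of a transport failure, or None

    Returns "downloaded", "blocked" or "inconclusive".
    """
    if EICAR_MARKER in body:
        # The test file arrived intact: the rule did not stop it.
        return "downloaded"
    if status is None:
        # No response at all (reset, timeout, incomplete read): the connection
        # was dropped, which is what Prevent mode does on a match (assumed).
        return "blocked"
    if status == 200:
        # A 200 whose body lacks the marker means the transfer was cut off
        # after the headers; also treated as blocked (assumed).
        return "blocked"
    # Any other status (404, proxy error page, ...) says nothing about the rule.
    return "inconclusive"


def attempt_download(url=EICAR_URL, timeout=10):
    """Fetch url and return (status, body, error) for classify_outcome()."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(), None
    except urllib.error.HTTPError as exc:
        # Server answered with an error status; keep whatever body it sent.
        return exc.code, exc.read() or b"", str(exc)
    except http.client.HTTPException as exc:
        # IncompleteRead and friends: the body was cut off mid-transfer.
        return None, b"", str(exc)
    except OSError as exc:
        # URLError, timeouts and connection resets all derive from OSError.
        return None, b"", str(exc)


def run_check(url=EICAR_URL, timeout=10):
    """Run the download attempt and return its verdict."""
    status, body, error = attempt_download(url, timeout)
    return classify_outcome(status, body, error)


if __name__ == "__main__":
    # On a computer where rule 1005924 is assigned in Prevent mode, the
    # expected verdict is "blocked"; "downloaded" means the rule is not enforcing.
    print("EICAR download verdict:", run_check())
```

Run it from the protected computer itself, since the rule acts on that computer's own traffic; a "downloaded" verdict from elsewhere on the network tells you nothing about the agent under test.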
What to do next
Apply recommended rules
To maximize performance, only assign the Intrusion Prevention rules that are required
by your policies and computers. You can use a recommendation scan to obtain a list
of rules that are appropriate.
Note: Although recommendation scans are performed for a specific computer, you can assign the recommendations to a policy that the computer uses.
For more information, see Manage and run recommendation scans.
Procedure
- Open the properties for the computer to scan.
- Run the recommendation scan as described in Manually run a recommendation scan.
Note: You can configure Server & Workload Protection to Automatically implement recommendations scan results when it is appropriate to do so.
- Open the policy to which you want to assign the rules, and complete the rule assignments as described in Manage the recommendation scan results.
Tip: To automatically and periodically fine tune your assigned Intrusion Prevention rules, you can schedule recommendation scans. See Schedule Server & Workload Protection to perform tasks.
What to do next
Monitor your system
After you apply Intrusion Prevention rules, monitor system performance and Intrusion
Prevention event logs.
Monitor system performance
Monitor CPU, RAM, and network usage to verify that system performance is still acceptable.
If not, you can modify some settings and deployment aspects to improve performance.
(See Performance tips for Intrusion Prevention.)
Check Intrusion Prevention events
Monitor Intrusion Prevention events to ensure that rules are not matching legitimate network traffic. If a rule is causing false positives you can unassign the rule. (See Assign and unassign rules.)
To see Intrusion Prevention events, click .
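A quick way to find the rules most likely to be matching legitimate traffic is to tally the Detect-mode events by rule and look for rules that fire from many distinct internal clients. The following is an added example, not Trend Micro's code: the CSV column names and the internal address ranges are assumptions to adapt to your own event export, and every rule name except 1005924 carries a PLACEHOLDER id because the real ids are not on this page.

```python
"""Triage of Intrusion Prevention events before switching to Prevent mode.

Added example, not Trend Micro's code. The CSV layout, the internal ranges
and the PLACEHOLDER rule names are constructed for this example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed export. Only the 1005924 rule name comes from the test
# procedure above; the other rule names carry a PLACEHOLDER id on purpose.
SAMPLE_EXPORT = """Time,Reason,Action,Source IP,Destination Port
2024-01-01 10:00:01,PLACEHOLDER-HTTP - HTTP Protocol Decoding,Detect Only,10.0.0.5,443
2024-01-01 10:00:07,PLACEHOLDER-HTTP - HTTP Protocol Decoding,Detect Only,10.0.0.6,443
2024-01-01 10:00:12,PLACEHOLDER-HTTP - HTTP Protocol Decoding,Detect Only,10.0.0.7,443
2024-01-01 10:00:15,PLACEHOLDER-HTTP - HTTP Protocol Decoding,Detect Only,10.0.0.5,443
2024-01-01 10:01:02,1005924 - Restrict Download of EICAR Test File Over HTTP,Detect Only,203.0.113.9,80
2024-01-01 10:01:09,1005924 - Restrict Download of EICAR Test File Over HTTP,Detect Only,203.0.113.9,80
2024-01-01 10:02:30,PLACEHOLDER-XSS - Generic Cross Site Scripting Prevention,Detect Only,10.0.0.5,443
2024-01-01 10:03:44,PLACEHOLDER-XSS - Generic Cross Site Scripting Prevention,Detect Only,198.51.100.4,443
"""

# Assumed internal ranges; replace with the networks your own clients use.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_events(csv_text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_internal(ip_text):
    """True when the address falls in one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def summarize_by_rule(events):
    """Per rule: event count, distinct sources, distinct internal sources, actions."""
    summary = defaultdict(lambda: {"events": 0, "sources": set(),
                                   "internal_sources": set(), "actions": set()})
    for ev in events:
        s = summary[ev["Reason"]]
        s["events"] += 1
        s["sources"].add(ev["Source IP"])
        if is_internal(ev["Source IP"]):
            s["internal_sources"].add(ev["Source IP"])
        s["actions"].add(ev["Action"])
    return dict(summary)


def candidate_false_positives(events, min_internal_sources=3):
    """Rules that fire from many distinct internal clients are the first to
    review: your own hosts matching a rule usually points at a rule that needs
    tuning or unassigning rather than at every client being hostile.
    Returns [(rule, event_count, internal_source_count)], most suspicious first."""
    rows = []
    for rule, s in summarize_by_rule(events).items():
        n_internal = len(s["internal_sources"])
        if n_internal >= min_internal_sources:
            rows.append((rule, s["events"], n_internal))
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return rows


if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    for rule, s in summarize_by_rule(events).items():
        print(f"{s['events']:4d} events  {len(s['sources']):3d} sources  {rule}")
    print("Review before switching to Prevent:")
    for rule, n, k in candidate_false_positives(events):
        print(f"  {rule}: {n} events from {k} internal sources")
```

On the constructed sample only the HTTP Protocol Decoding placeholder rule is flagged, because it fires from three different internal addresses; the EICAR rule matching an external source twice is the kind of event you want to see, not tune away. Lower min_internal_sources on a small fleet, and treat the output as a review list, not an automatic unassign list.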
Enable 'fail open' for packet or system failures
The Intrusion Prevention module includes a network engine that might block packets before Intrusion Prevention rules can be applied. This might lead to downtime or performance issues with your services and applications. You can change this behavior so that packets are allowed through when system or internal packet failures occur. For details, see Enable 'fail open' behavior.
Switch to Prevent mode
When you are satisfied that Intrusion Prevention is not finding false positives, configure
your policy to use Intrusion Prevention in Prevent mode so that rules are enforced
and related events are logged.
Procedure
- Go to .
- For Intrusion Prevention Behavior, select Prevent.
- Click Save.
What to do next
Implement best practices for specific rules
HTTP Protocol Decoding rule
The HTTP Protocol Decoding rule is the most important rule in the "Web Server Common" Application Type. This rule decodes the HTTP traffic before the other rules inspect it. This rule also allows you to control various components of the decoding process.
This rule is required when you use any of the Web Application Common or Web Server Common rules that require it. Server & Workload Protection automatically assigns this rule when it is required by other rules. As each web application is different, the policy that uses this rule should run in Detect mode for a period of time before switching to Prevent mode to determine if any configuration changes are required. Quite often, changes are required to the list of illegal characters.
Refer to the following Knowledge Base articles for more details on this rule and how to tune it:
Cross-site scripting and generic SQL injection rules
Two of the most common application-layer attacks are SQL injection and cross-site
scripting (XSS). Cross-site scripting and SQL injection rules intercept the majority
of attacks by default, but you may need to adjust the drop score for specific resources
if they cause false positives.
Both rules are smart filters that need custom configuration for web servers. If you
have output from a Web Application Vulnerability Scanner, you should leverage that
information when applying protection. For example, if the user name field on the login.asp
page is vulnerable to SQL injection, ensure that the SQL injection rule is configured
to monitor that parameter with a low threshold to drop on.
For more information, see https://success.trendmicro.com/solution/1098159
Apply NSX security tags