There are a number of important things to note about how the KEMP LoadMaster implements the Intrusion Prevention System (IPS):
- It can only be applied to HTTP and HTTPS with SSL Offloading enabled.
- Although KEMP accepts rules in the Snort syntax, it is a custom IPS engine that implements the rules. KEMP does not use the Snort IPS engine itself.
- The IPS uses the main system log so there are no specific "IPS" logs. These logs can be streamed to a central logging system via syslog.
- Rules must be uploaded and updated manually.
- Here is an example log entry of a detected malicious request:
Detect: Unusual URL [192.168.11.15:47014->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)
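Because IPS detections are mixed into the main system log, a central log collector has to pick them out by pattern. The following is an added example, not KEMP code: the regular expression is derived only from the single sample entry above (it is an assumption that other detections follow the same layout), and the syslog prefixes in the sample are constructed.

```python
import re
from collections import Counter

# Layout inferred from the one sample entry on this page (assumption):
# Detect: <category> [src:port->dst:port] '<url>' - <rule message> (sid:N rev:N)
IPS_RE = re.compile(
    r"Detect: (?P<category>[^\[]+?) "
    r"\[(?P<src_ip>[\d.]+):(?P<src_port>\d+)->"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\] "
    r"'(?P<url>.*?)' - (?P<msg>.*) "
    r"\(sid:(?P<sid>\d+) rev:(?P<rev>\d+)\)\s*$"
)

def parse_ips_line(line):
    """Return the fields of an IPS detection, or None for any other log line."""
    m = IPS_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    for key in ("src_port", "dst_port", "sid", "rev"):
        event[key] = int(event[key])
    return event

def detections_by_source(lines):
    """Count detections per client IP across a mixed system log."""
    events = (parse_ips_line(line) for line in lines)
    return Counter(e["src_ip"] for e in events if e is not None)

# Constructed sample: timestamps, host name and the non-IPS line are made up;
# the Detect payload is the entry shown above (second copy differs in port).
SAMPLE_LOG = [
    "Jan 10 12:00:01 lm-example Detect: Unusual URL "
    "[192.168.11.15:47014->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe "
    "Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)",
    "Jan 10 12:00:03 lm-example sshd: session opened for user admin",
    "Jan 10 12:00:09 lm-example Detect: Unusual URL "
    "[192.168.11.15:47020->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe "
    "Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        event = parse_ips_line(line)
        if event:
            print(event["src_ip"], event["url"], event["sid"], event["msg"])
    print(detections_by_source(SAMPLE_LOG))
```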
It should be noted that this IPS is not meant to replace a full network IPS. KEMP also has a much more complete security offering: a Web Application Firewall (WAF) component. This is probably more suitable for most application security requirements than the legacy IPS feature. Find out more about KEMP's Web Application Firewall feature here: KEMP Web Application Firewall Pack (AFP).