How to configure Intrusion Protection on KEMP Loadmaster (IPS+SNORT)

• It can only be applied to HTTP and HTTPS with SSL offloading enabled.
• Although KEMP accepts rules in the Snort syntax, it is a custom IPS engine that implements the rules. KEMP does not use the Snort IPS engine itself.
• The IPS uses the main system log so there are no specific 'IPS' logs. These logs can be streamed to a central logging system through syslog.
• Rules must be uploaded and updated manually.
• Here is an example log entry of a detected malicious request:
  Detect: Unusual URL [192.168.11.15:47014->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)

It should be noted that this IPS is not meant to replace a full network IPS. KEMP also have a much more complete security offering - a Web Application Firewall (WAF) component. This is probably more suitable for most application security requirements than the legacy IPS feature.

This is the flow of the traffic:

The LoadMaster is an established, hardened Internet appliance with HTTP intrusion prevention. In addition to SSL, Denial of Service support offered by the LoadMaster, the Intrusion Prevention System (IPS) service provides in-line protection of Real Server(s) by providing real-time mitigation of attacks and isolation of the Real Server(s). Intrusion prevention is based on the industry-standard SNORT database and provides real-time intrusion alerting. 

KEMP have a custom built engine for running SNORT rules. IPS is available for HTTP and offloaded HTTPS Virtual Services. 

Note: The LoadMaster supports SNORT rules version 2.9 and below.

Snort Rules - Download and Installation Guide:

Download the Snort Rules

The Snort rule set can be found on the SNORT Community website using the following link:

https://www.snort.org/downloads/#rule-downloads

In the Rules section, under Community, click community-rules.tar.gz to initiate the download.

Install the Snort Rules

To install the Snort rules on the LoadMaster, follow the steps below:

1. On the LoadMaster Web User Interface (WUI) home screen, go to System Configuration > Miscellaneous Options > AFE Configuration.  
   
2. In the Intrusion Detection Options section, beside Detection Rules, click Choose File.
3. Browse to and select the previously downloaded community-rules.tar.gz file.
4. Click Install new Rules.
5. Select the desired Detection level.

For more information on the detection levels, see the AFE Configuration section of the LoadMaster WUI Configuration Guide). 

Deactivate/Activate the Snort Rules

The community-rules.tar.gz file can be modified by commenting out or un-commenting. This can be done by opening the file as an archive using a file archive tool such as 7-Zip:

1. Open 7-Zip.
2. Click File and select Open.
3. Browse to the community-rules.tar.gz file.
4. Double-click the file to open the archive.
5. Continue double-clicking until the following files are visible:
   • community.rules
   • AUTHORS
   • LICENSE
   • sid-msg.map
   • VRT-License.txt
6. Right-click community.rules.
7. Select Edit to open the file in a text editor (the edit shortcut key is F4).
8. Search for the desired rule by Signature ID (SID), for example sid:2067
   • To deactivate a rule, comment out the rule by placing a hash symbol (#) at the beginning of the line.
   • To activate a rule, un-comment the rule by deleting the # at the beginning of the line.
9. After the modification is complete, click File > Exit to close the text editor.
10. When prompted to save the file, click Yes.