AFE Intrusion Detection Options- Explained
The Intrusion Detection System properties are located in the LoadMaster User Interface (UI) under System Configuration > Miscellaneous Options > AFE Configuration > Intrusion Detection Options > Detection Level. This option allows you to configure how the system detects potentially malicious requests to the Virtual Services.
Note: Detect Malicious Requests must be enabled under Advanced Properties in the Virtual Service modify screen for this option to take effect.
There are 4 rejection levels:
- Low – Only logging, no detection.
- Default – Only Critical problems are rejected.
- High – Serious and Critical problems are rejected.
- Paranoid – All Problems detected and rejected.
The LoadMaster's processing for the rules looks at the classification type (key word is "classtype") for the rule which has a severity associated with it.
SNORT uses the following class-types and levels:
"not-suspicious", 3
"unknown", 3
"bad-unknown", 2
"attempted-recon", 2
"successful-recon-limited", 2
"successful-recon-largescale", 2
"attempted-dos", 2
"successful-dos", 2
"attempted-user", 1
"unsuccessful-user", 1
"successful-user", 1
"attempted-admin", 1
"successful-admin", 1
"rpc-portmap-decode", 2
"shellcode-detect", 1
"string-detect", 3
"suspicious-filename-detect", 2
"suspicious-login", 2
"system-call-detect", 2
"trojan-activity", 1
"unusual-client-port-connection",2
"network-scan", 3
"denial-of-service", 2
"non-standard-protocol", 2
"protocol-command-decode", 3
"web-application-activity", 2
"web-application-attack", 1
"misc-activity", 3
"misc-attack", 2
"misc-attack", 2
"icmp-event", 3
"kickass-porn", 1
"inappropriate-content", 1
"policy-violation", 1
"default-login-attempt", 2
"sdf", 2
If the severity is less than the configured value on the LoadMaster, then a diagnostic is generated, and the call is dropped (where 1 is the lowest and 3 is the highest).