08-03-2011 01:28 PM - edited 03-10-2019 05:26 AM
The locality field in all of my IPS alerts is "OUT". I have seen a few examples on the web where the value is "IN". Is there any way to influence this value? I know you can configure an Internal Zone in the anomaly detection function, but is there some way to make use of this locality field by defining internal addresses somewhere?
08-03-2011 02:18 PM
I thought that was set with the $IN and $OUT variables, but I can't find any documentation to back that up.
- Bob
08-04-2011 03:13 PM
If I'm not mistaken, when you configure Event Variables, they should be populated on your output as localities.
For example, if your internal network is 192.168.0.0/24 you could define that as IN, or if your DMZ web servers are 192.168.1.0 you could define a variable called WEB_SERVERS. Then when an alert comes from those subnets the locality should show up as IN or WEB_SERVERS, for example.
This can later be used on Event Action Filters when you are tuning traffic that you don't want to see on your alerts.
On 6.0 you can configure Event Variables under:
Configuration
Event Action Rules
Rules0
Event Variables Tab
Add
I hope this helps.
Raga
08-05-2011 05:12 AM
I thought that was set with the $IN and $OUT variables, but I can't find any documentation to back that up.
Yes. The "OUT" Locality is related to the IN/OUT Event Variables that were pre-defined in IDS software version 4.1. This was changed with the introduction of IPS software (5.x) to be completely user-defined. So there are a couple scenarios:
08-05-2011 05:09 AM
The locality field in all of my IPS alerts is "OUT". I have seen a few examples on the web where the value is "IN". Is there any way to influence this value? I know you can configure an Internal Zone in the anomaly detection function, but is there some way to make use of this locality field by defining internal addresses somewhere?
Luis is correct. In a default config, the Locality for all addresses will be set to 'OUT'. You can define Event Variables for specific IP address(es) and/or IP address ranges and, as a result, these variable names will appear in event Alerts as the "locality" of applicable hosts (in place of the default "OUT").
This can make reading event Alerts and comprehending what/where both Attacker and Victim(s) are easier (in the same manner that DNS does by providing a more "human-friendly" format with names instead of simply IP addresses).
You can define Event Variables via the sensor's CLI and/or via IDM/IME. CLI config example:
sensor# conf t
sensor(config)# service event-action-rules rules0
sensor(config-rul)# variables WEB_SERVERS address 192.168.0.10-192.168.0.20
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
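As an added illustration (not from this thread, and not Cisco's own code), the Python below models what the posts above describe: a set of Event Variables, each naming one or more address ranges, is consulted for every address in an alert, and any address no variable covers is labelled with the default locality "OUT". The variable names, ranges and alert records are constructed for the example; the dash range syntax follows the CLI line above, the CIDR form is an addition, and the rule that the most specific range wins when definitions overlap is an assumption of this model rather than documented sensor behaviour.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
LocalityTable = List[Tuple[Network, str]]

# Constructed Event Variables, in the spirit of the CLI example above.
# The dash form "a.b.c.d-a.b.c.e" is the one shown on the sensor; CIDR is
# accepted here as a convenience of this model.
EVENT_VARIABLES: Dict[str, str] = {
    "IN": "10.0.0.0-10.255.255.255",
    "WEB_SERVERS": "192.168.0.10-192.168.0.20",
    "DMZ": "192.168.0.0/24",  # overlaps WEB_SERVERS; the narrower range wins
}

DEFAULT_LOCALITY = "OUT"  # what every address shows as until a variable covers it


def parse_address_spec(spec: str) -> List[Network]:
    """Turn one variable's address spec into a list of networks.

    Accepts comma-separated items, each either a dash range
    ("192.168.0.10-192.168.0.20"), a CIDR block ("10.0.0.0/8") or one host.
    """
    nets: List[Network] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            if hi < lo:
                raise ValueError(f"range is backwards: {item}")
            # Express the arbitrary range as the minimal set of CIDR blocks.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def build_locality_table(variables: Dict[str, str]) -> LocalityTable:
    """Flatten the variables into (network, name) pairs, most specific first."""
    table: LocalityTable = []
    for name, spec in variables.items():
        for net in parse_address_spec(spec):
            table.append((net, name))
    # Assumption of this model: a longer prefix beats a shorter one on overlap.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def locality(ip: str, table: LocalityTable) -> str:
    """Return the variable name covering ip, or the default locality."""
    addr = ipaddress.ip_address(ip)
    for net, name in table:
        if addr in net:
            return name
    return DEFAULT_LOCALITY


def annotate_alert(alert: dict, table: LocalityTable) -> dict:
    """Add attacker/victim locality fields to a simplified alert record."""
    out = dict(alert)
    out["attacker_locality"] = locality(alert["attacker"], table)
    out["victim_locality"] = locality(alert["victim"], table)
    return out


TABLE = build_locality_table(EVENT_VARIABLES)

# Constructed alert records (addresses from documentation ranges, not real hosts).
SAMPLE_ALERTS = [
    {"sig_id": "EXAMPLE-1", "attacker": "203.0.113.7", "victim": "192.168.0.15"},
    {"sig_id": "EXAMPLE-2", "attacker": "10.20.30.40", "victim": "192.168.0.200"},
    {"sig_id": "EXAMPLE-3", "attacker": "198.51.100.9", "victim": "172.16.5.5"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        a = annotate_alert(alert, TABLE)
        print(f"{a['sig_id']}: {a['attacker']} ({a['attacker_locality']}) -> "
              f"{a['victim']} ({a['victim_locality']})")
```

Running it shows the third alert with both ends still "OUT", which is the situation the original question describes: nothing is wrong with the sensor, the addresses simply fall outside every defined variable.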
08-08-2011 01:44 PM
Thanks, this is exactly what I want - to define my internal range for alerts. Just to be clear: If I define an event variable named "IN" that is 10.0.0.0-10.255.255.255, do I then need an Event Action Filter defined referencing "$IN"? I see the examples defining a variable, but it's not clear to me what else I need to do to make the locality change from OUT to IN.
08-08-2011 01:49 PM
You can do Variables without having to use them in filters. They are independent of each other.