IPS alert "locality"

bleuenbe
Level 1

The locality field in all of my IPS alerts is "OUT". I have seen a few examples on the web where the value is "IN". Is there any way to influence this value? I know you can configure an Internal Zone in the anomaly detection function, but is there some way to make use of this locality field by defining internal addresses somewhere?

6 Replies

rhermes
Level 7

I thought that was set with the $IN and $OUT variables, but I can't find any documentation to back that up.

- Bob

If I'm not mistaken, when you configure Event Variables, they should be populated on your output as localities.

For example, if your internal network is 192.168.0.0/24 you could define that as IN, or if your DMZ web servers are 192.168.1.0 you could define a variable called WEB_SERVERS. Then when an alert comes from those subnets the locality should show up as IN or WEB_SERVERS, for example.

This can later be used in Event Action Filters when you are tuning traffic that you don't want to see in your alerts.

On 6.0 you can configure Event Variables under:

Configuration > Event Action Rules > Rules0 > Event Variables Tab > Add

I hope this helps.

Raga

I thought that was set with the $IN and $OUT variables, but I can't find any documentation to back that up.

Yes. The "OUT" Locality is related to the IN/OUT Event Variables that were pre-defined in IDS software version 4.1. This was changed with the introduction of IPS software (5.x) to be completely user-defined. So there are a couple scenarios:

  • If no Event Variables are defined (default config), then Locality will default to "OUT" for everything.
  • If the sensor was upgraded from 4.1 to 5.x or later, then the old IN/OUT Event Variables will have been migrated from 4.1 and put into the sensor's config (as if they were user-configured).
  • If the sensor is a fresh install/re-image starting with 5.x or later, then those Event Variables are not defined by default.

Dustin Ralich
Cisco Employee

The locality field in all of my IPS alerts is "OUT". I have seen a few examples on the web where the value is "IN". Is there any way to influence this value? I know you can configure an Internal Zone in the anomaly detection function, but is there some way to make use of this locality field by defining internal addresses somewhere?

Luis is correct. In a default config, the Locality for all addresses will be set to 'OUT'. You can define Event Variables for specific IP address(es) and/or IP address ranges and, as a result, these variable names will appear in event Alerts as the "locality" of applicable hosts (in place of the default "OUT").

This can make reading event Alerts and comprehending what/where both Attacker and Victim(s) are easier (in the same manner that DNS does by providing a more "human-friendly" format with names instead of simply IP addresses).

You can define Event Variables via the sensor's CLI and/or via IDM/IME. CLI config example:

sensor# conf t
sensor(config)# service event-action-rules rules0
sensor(config-rul)# variables WEB_SERVERS address 192.168.0.10-192.168.0.20
sensor(config-rul)# exit
Apply Changes:?[yes]: yes

Thanks, this is exactly what I want - to define my internal range for alerts. Just to be clear: if I define an event variable named "IN" that is 10.0.0.0-10.255.255.255, do I then need an Event Action Filter defined referencing "$IN"? I see the examples defining a variable, but it's not clear to me what else I need to do to make the locality change from OUT to IN.

You can do Variables without having to use them in filters. They are independent of each other.
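To make the behaviour described in this thread concrete, here is an added example (not Cisco code and not part of the original posts) that simulates how a sensor would derive the "locality" of alert addresses from Event Variables: each variable's address ranges are parsed from lines in the same `variables NAME address RANGE` form as the CLI example above, every attacker/victim address in a constructed alert is matched against them in order, and anything unmatched falls back to the default "OUT". The parser also accepts CIDR and comma-separated lists, which is an assumption about the sensor syntax rather than something stated in the thread. No Event Action Filter is involved, which illustrates the last answer: the variables alone drive the locality value.

```python
import ipaddress
from typing import Dict, List, Tuple

# Default locality when an address matches no Event Variable (stated in the thread).
DEFAULT_LOCALITY = "OUT"

# Constructed configuration lines: the WEB_SERVERS example from the thread and the
# "IN" variable the original poster wants to define.
CONFIG_LINES = [
    "variables WEB_SERVERS address 192.168.0.10-192.168.0.20",
    "variables IN address 10.0.0.0-10.255.255.255",
]

# Constructed alert records (attacker/victim pairs) to label.
SAMPLE_ALERTS = [
    {"sig": "constructed-1", "attacker": "203.0.113.5", "victim": "192.168.0.15"},
    {"sig": "constructed-2", "attacker": "10.20.30.40", "victim": "198.51.100.7"},
    {"sig": "constructed-3", "attacker": "192.168.0.21", "victim": "10.1.1.1"},
]

Variables = List[Tuple[str, List[ipaddress.IPv4Network]]]


def parse_variable_line(line: str) -> Tuple[str, List[ipaddress.IPv4Network]]:
    """Parse 'variables NAME address SPEC' into (NAME, [networks]).

    SPEC may be a range 'a.b.c.d-e.f.g.h', a CIDR block, a single host, or a
    comma-separated list of those (CIDR/list support is an assumption here).
    """
    parts = line.split()
    if len(parts) != 4 or parts[0] != "variables" or parts[2] != "address":
        raise ValueError(f"unrecognised variable line: {line!r}")
    name, spec = parts[1], parts[3]
    networks: List[ipaddress.IPv4Network] = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-", 1))
            # Expand an arbitrary range into the minimal set of CIDR blocks.
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            networks.append(ipaddress.ip_network(item, strict=False))
    return name, networks


def load_variables(lines: List[str]) -> Variables:
    """Build the ordered variable table; earlier definitions win on overlap."""
    return [parse_variable_line(ln) for ln in lines if ln.strip()]


def locality(addr: str, variables: Variables) -> str:
    """Return the name of the first Event Variable containing addr, else 'OUT'."""
    ip = ipaddress.ip_address(addr)
    for name, networks in variables:
        if any(ip in net for net in networks):
            return name
    return DEFAULT_LOCALITY


def annotate_alert(alert: Dict[str, str], variables: Variables) -> Dict[str, str]:
    """Attach a locality to both the attacker and the victim address of an alert."""
    labelled = dict(alert)
    labelled["attacker_locality"] = locality(alert["attacker"], variables)
    labelled["victim_locality"] = locality(alert["victim"], variables)
    return labelled


VARIABLES = load_variables(CONFIG_LINES)

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        a = annotate_alert(alert, VARIABLES)
        print(f"{a['sig']}: attacker {a['attacker']} [{a['attacker_locality']}] "
              f"-> victim {a['victim']} [{a['victim_locality']}]")
```

With these inputs the first alert's victim is labelled WEB_SERVERS, the 10.x addresses come out as IN, and 192.168.0.21 (just outside the WEB_SERVERS range) stays OUT, which is the reading behaviour the thread describes once variables are defined.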
