IPS: Per-Rule IPS Exceptions
Extended the exceptions functionality to allow for specific rules as part of an exception.
This will allow for much more granular IPS exceptions by being able to specify that a rule be disabled/excepted only for a certain traffic flow, like rule 2122 from Internet to Webserver, without disabling the rule globally or exempting the resource from IPS fully.
Can you change IDS to disable rules only for a specific host (source, destination) instead of completely?
This feature is included in the upcoming release, code-named Project Copernicus. It is currently in public beta. For more details, please see https://www.astaro.org/beta-versions/project-copernicus-public-beta
While not exactly implemented as requested here, the concept of granular IPS policies per rule solves the underlying goal of this feature.
Having to define nearly duplicate IPS policies for each device/service in order to handle all the exceptions needed is far too administratively onerous, and administratively cost prohibitive so people will not do it and will render IPS alert reporting somewhat useless because of all the noise, or worse a feature that will be turned off. You should really consider a "global" or per IPS policy exception system/interface.
I'm amazed that people have been asking for this one for FIVE years and it is still NOT done!
We need it too. Please review this request. It's an important feature!
If this is not implemented, we at least need to be able to see more information about modified rules and the ability to add comments so we know why they're modified.
Clayton Dillard commented
This is a very much needed feature.
Jason Mougeot commented
This should be default for any IPS system! I work with Cisco IPS, Dragon, IBM ISS, SourceFire and Trendmicro systems and this is a must for proper IPS filtering.
Yeah, great idea! This is a huuuuuge problem because of different network services published on the same IP. There's no way to handle this securely right now...
It would be great if that was implemented. At the moment you have to disable a complete rule instead of just eliminating false positives appearing inside your own network. Also, as Elmar stated, the exceptions are a bit useless without the possibility to combine source and destination via AND.
Bob Alfson commented
Yes, you should shift your votes over to the first one: http://feature.astaro.com/forums/17359-astaro-gateway-feature-requests/suggestions/178333-ips-granular-ips-exclusions?ref=title
I think it is a duplicate post; there is also another request like this.
I agree, a v6 type configuration would be better than what's there now, but it needs to be flexible for new rules and edits to existing rules with the ability to revert an edited rule back to its factory syntax.
There should also be a way to fetch rules files from a central location. I'm not going to pretend to know the details of that methodology, but it seems doable.
Yes, that's what I need too! Astaro, give us this feature!!!
I'm outta votes, but we do need a way to add our own rules, as we could in Version 6. I think the current method for managing the automatic ruleset is OK, but we need the ability to add custom rules again.
Bob Alfson commented
ellell, do you mean you want to be able to write your own rules?
Elmar Haag commented
I think it would be sufficient to change, in the "exceptions" dialogue, the conjunction of "source" and "destination network" from an "OR" to an "AND".
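The difference between the exception scopes discussed in this thread (per-rule vs. all rules, and source AND destination vs. source OR destination) can be seen in a small model. This is an added example, not Astaro's implementation and not code from any commenter; the `IpsException` class, the rule id 9999 and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IpsException:
    """Hypothetical exception record; not Astaro's data model."""
    sources: tuple            # CIDR strings
    destinations: tuple       # CIDR strings
    rule_ids: frozenset = frozenset()   # empty set = every rule (assumed convention)
    conjunction: str = "AND"            # "AND" or "OR" between source and destination

    def matches(self, rule_id, src, dst):
        if self.rule_ids and rule_id not in self.rule_ids:
            return False
        src_hit = _in_any(src, self.sources)
        dst_hit = _in_any(dst, self.destinations)
        if self.conjunction == "AND":
            return src_hit and dst_hit
        return src_hit or dst_hit

def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in networks)

def suppressed(alerts, exception):
    """Return the alerts the exception would silence."""
    return [a for a in alerts if exception.matches(*a)]

# Constructed alerts: (rule id, source IP, destination IP).
SRC_NET, WEBSERVER = "198.51.100.0/24", "203.0.113.10/32"
ALERTS = [
    (2122, "198.51.100.7", "203.0.113.10"),  # the flow the admin wants to exempt
    (2122, "198.51.100.7", "203.0.113.25"),  # same source, different server
    (2122, "192.0.2.50", "203.0.113.10"),    # different source, same webserver
    (2122, "192.0.2.50", "203.0.113.25"),    # unrelated flow
    (9999, "198.51.100.7", "203.0.113.10"),  # other rule on the exempted flow
]

def compare():
    base = dict(sources=(SRC_NET,), destinations=(WEBSERVER,))
    return {
        "per_rule_and": suppressed(ALERTS, IpsException(rule_ids=frozenset({2122}), **base)),
        "per_rule_or": suppressed(ALERTS, IpsException(rule_ids=frozenset({2122}), conjunction="OR", **base)),
        "all_rules_and": suppressed(ALERTS, IpsException(**base)),
    }

if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}: {len(hits)} of {len(ALERTS)} alerts suppressed -> {hits}")
```

Only the per-rule AND form silences exactly the one intended flow; the OR form also hides rule 2122 for two flows nobody reviewed, and the all-rules form hides an unrelated signature on the exempted flow.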