Attack Patterns

The Network Protection > Intrusion Prevention > Attack Patterns tab contains IPS rules grouped according to common attack patterns. Attack patterns have been combined as follows:

To improve performance, you should clear the checkboxes that do not apply to services or software employed in your local networks. For example, if you do not operate a webserver in your local network, you can cancel the selection for HTTP servers.

For each group, the following settings are available:

Action: By default, each rule in a group has an action associated with it. You can choose between the following actions:

Note – To change the settings for individual IPSClosed rules, use the Modified Rules box on the Intrusion Prevention > Advanced tab. A detailed list of IPS rules used in Sophos UTM 9 is available at the Sophos webserver.

Rule age: By default, IPS patterns are restricted to those dating from the last 12 months. Depending on individual factors like overall patch level, legacy systems, or other security requirements, you can select another time span. Selecting a shorter time span will reduce the number of rules and thus improve performance.

Add extra warnings: When this option is selected, each group will include additional rules increasing the IPS detection rate. Note that these rules are more general and vague than the explicit attack patterns and will therefore likely produce more alerts. For that reason, the default action for these rules is Alert, which cannot be configured.

Notify: When this option is selected, a notification is sent to the administrator for every IPS event matching this group. Note that this option only takes effect if you have enabled the notification feature for the intrusion prevention system on the Management > Notifications > Notifications tab. In addition, what type of notification (i.e., email or SNMP trap) is to be sent depends on the settings made there. Note further that it might take up to five minutes before changes of the notification settings will become effective.