Attack Patterns

The Network Protection > Intrusion Prevention > Attack Patterns tab contains IPS rules grouped according to common attack patterns. Attack patterns have been combined as follows:

  • Operating system specific attacks: Attacks trying to exploit operating system related weaknesses.
  • Attacks against servers: Attacks targeted at all sorts of servers (for example, webservers, mail servers, and so on).
  • Attacks against client software: Attacks aimed at client software such as web browsers, mutimedia players, and so on.
  • Protocol anomaly: Attack patterns look out for network anomalies.
  • Malware: Software designed to infiltrate or damage a computer system without the owner's informed consent (for example, trojans, DoSClosed Denial of Service communication tools, and the like).

To improve performance, you should clear the checkboxes that do not apply to services or software employed in your local networks. For example, if you do not operate a webserver in your local network, you can cancel the selection for HTTP servers.

For each group, the following settings are available:

Action: By default, each rule in a group has an action associated with it. You can choose between the following actions:

  • Drop: The default setting. If an alleged attack attempt has been determined, the causing data packets will be dropped.
  • Alert: Unlike the Drop setting, critical data packets are allowed to pass the gateway but will create an alert message in the IPS log.

Note – To change the settings for individual IPSClosed Intrusion Prevention System rules, use the Modified Rules box on the Intrusion Prevention > Advanced tab. A detailed list of IPS rules used in Sophos UTM 9 is available at the Sophos webserver.

Rule age: By default, IPS patterns are restricted to those dating from the last 12 months. Depending on individual factors like overall patch level, legacy systems, or other security requirements, you can select another time span. Selecting a shorter time span will reduce the number of rules and thus improve performance.

Add extra warnings: When this option is selected, each group will include additional rules increasing the IPS detection rate. Note that these rules are more general and vague than the explicit attack patterns and will therefore likely produce more alerts. For that reason, the default action for these rules is Alert, which cannot be configured.

Notify: When this option is selected, a notification is sent to the administrator for every IPS event matching this group. Note that this option only takes effect if you have enabled the notification feature for the intrusion prevention system on the Management > Notifications > Notifications tab. In addition, what type of notification (i.e., email or SNMP trap) is to be sent depends on the settings made there. Note further that it might take up to five minutes before changes of the notification settings will become effective.