Intrusion Detection / Prevention

Topic

This article describes the Intrusion Detection / Prevention (IdP) feature of the Datto Networking Appliance (DNA).

Environment

  • Datto Networking Appliance (DNA)

Description

To access the Intrusion Detection / Prevention card, log into the DNA web interface, and click Applications, as shown in Figure 1.

mceclip0.png
Figure 1: Applications

Once on the Applications page, click the Intrusion Detection / Prevention link. You will see the Intrusion Detection / Prevention management card shown in Figure 2.

mceclip0.png
Figure 2: Intrusion Detection / Prevention card

The Intrusion Detection / Prevention (IdP) card allows you to manage the Datto Networking Appliance's Snort Network Intrusion Detection & Prevention deep packet inspection features. The available options are:

Enable

Enables or disables Deep Packet Inspection. If you set the Enable option to Yes, an IdP tab will populate on the Recent Events card of the appliance's GUI, allowing you to view IdP events in real-time.

Response Mode

Response Mode lets you choose between the following options: Detect Only and Detect and Prevent.

  • Detect Only: Your appliance will record detected network threats to the IdP log.
  • Detect and Prevent: Your appliance will take action against detected threats, and record the event and action taken to the IdP log.

Logging

This setting lets you choose between High-risk and All Events (verbose) IdP logging.

Deep Packet Inspection uses Community Rules. Verbose logging can cause the IdP log to become flooded with events. Setting logging to High-risk disables reporting for the following preprocessor filters.

# stream5: TCP Small Segment Threshold Exceeded
suppress gen_id 129, sig_id 12

# stream5: Reset outside window
suppress gen_id 129, sig_id 15

# stream5: TCP session without 3-way handshake
suppress gen_id 129, sig_id 20

# http_inspect: LONG HEADER
suppress gen_id 119, sig_id 19

# http_inspect: UNKNOWN METHOD
suppress gen_id 119, sig_id 31

# http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3

# http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
suppress gen_id 120, sig_id 7

# http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

# stream5: Data sent on stream not accepting data
suppress gen_id 129, sig_id 3

# stream5: TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4

# stream5: Data sent on stream after TCP Reset
suppress gen_id 129, sig_id 8

# stream5: TCP Timestamp is missing
suppress gen_id 129, sig_id 14

You can learn more about the meaning of each filter by entering its gen_id and sig_id in the Snort rule doc search (external link). Enter search criteria in the format gen_id-sig_id (129-13, as an example).

Scan Mode

This setting lets you choose how the DNA prioritizes IdP:

  • Prioritize security over throughput: Select this option to set IdP for packet inspection. In this mode, the DNA will inspect the individual packets that comprise network traffic. This can slow network performance.
  • Balance throughput with security: Select this option to set IdP for flow inspection. In this setting, once a traffic flow session between a source IP address and port pair and a destination IP address and port pair is marked safe, the device stops applying inspection rules to the flow. This option is less resource-intensive.