Configure intrusion prevention rules

Perform the tasks in the sections below to configure and work with intrusion prevention rules.

For an overview of the intrusion prevention module, see Block exploit attempts using intrusion prevention.

The intrusion prevention rules list

The Policies page provides a list of intrusion prevention rules. You can search for rules, and open and edit rule properties. In the list, rules are grouped by application type, and several rule properties are shown as columns.

The TippingPoint column contains the equivalent Trend Micro TippingPoint rule ID. In the Advanced Search for intrusion prevention, you can search on the TippingPoint rule ID. You can also see the TippingPoint rule ID in the list of assigned intrusion prevention rules in the policy and computer editor.

To see the list, click Policies, and then below Common Objects/Rules click Intrusion Prevention Rules.

Intrusion prevention license types

The Rule Availability column provides information about the available license types for the rule. Endpoint & Workload indicates this rule can be assigned under both Endpoint Security and Workload Security licenses. Workload rule availability means the rule can only be assigned when the license type is Workload.

The license type is Endpoint if all of the assigned rules have Endpoint & Workload rule availability, and it is Workload if at least one of the assigned rules has Workload rule availability.

View information about intrusion prevention rules

The properties of intrusion prevention rules include information about the rule and the exploit against which it protects. You can view this information as follows:

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.

General Information

  • Name: The name of the intrusion prevention rule.
  • Description: The description of the intrusion prevention rule.
  • Minimum Agent/Appliance Version: The minimum version of the agent required to support this intrusion prevention rule.

Details

Clicking New or Properties displays the Intrusion Prevention Rule Properties window.

Intrusion Prevention Rules from Trend Micro are not directly editable through Workload Security. Instead, if the Intrusion Prevention Rule requires (or allows) configuration, those configuration options are available on the Configuration tab. Custom Intrusion Prevention Rules that you write yourself are editable, in which case the Rules tab is visible.

  • Application Type: The application type under which this intrusion prevention rule is grouped.

    You can edit application types from this panel. When you edit an application type from here, the changes are applied to all security elements that use it.

  • Priority: The priority level of the rule. Higher priority rules are applied before lower priority rules.

  • Severity: Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as sorting criteria when viewing a list of intrusion prevention rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computer's Asset Value to determine the Ranking of an Event. See Administration > System Settings > Ranking.
  • CVSS Score: A measure of the severity of the vulnerability, as scored by the National Vulnerability Database.

Identification (Trend Micro rules only)

  • Type: Can be either Smart (one or more known and unknown (zero day) vulnerabilities), Exploit (a specific exploit, usually signature based), or Vulnerability (a specific vulnerability for which one or more exploits may exist).
  • Issued: The date the rule was released. This does not indicate when the rule was downloaded.
  • Last Updated: The last time the rule was modified either locally or during Security Update download.
  • Identifier: The rule's unique identification tag.

View information about associated vulnerability (Trend Micro rules only)

Rules that Trend Micro provides can include information about the vulnerability against which the rule protects. When applicable, the Common Vulnerability Scoring System (CVSS) is displayed. For information on this scoring system, see the CVSS page at the National Vulnerability Database.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Vulnerabilities tab.

Assign and unassign rules

The agent enforces an intrusion prevention rule on a computer's traffic only when the rule is assigned to that computer or to its policy. When a rule is no longer necessary because the vulnerability it covers has been patched, you can unassign it.

If you cannot unassign intrusion prevention rules from a Computer editor, it is likely because the rules are currently assigned in a policy. Rules assigned at the policy level must be removed using the Policy editor and cannot be removed at the computer level.

When you make a change to a policy, it affects all computers using the policy. For example, when you unassign a rule from a policy you remove the rule from all computers that are protected by that policy. To continue to apply the rule to other computers, create a new policy for that group of computers. See Policies, inheritance, and overrides.

To see the policies and computers to which a rule is assigned, see the Assigned To tab of the rule properties.

  1. Go to the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention > General. The list of rules that are assigned to the policy appear in the Assigned Intrusion Prevention Rules list.
  3. Under Assigned Intrusion Prevention Rules, click Assign/Unassign.
  4. To assign a rule, select it.
  5. To unassign a rule, deselect it.
  6. Click OK.

There is also a subset of intrusion prevention rules, called core Endpoint & Workload rules, that protect against known vulnerabilities. These rules are available for all license types and can be assigned or unassigned all at once:

  1. On the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention > General. Rules that are assigned to the policy appear in the Assigned Intrusion Prevention Rules list.
  3. Under Assigned Intrusion Prevention Rules, click Assign/Unassign.
  4. To assign rules, select Rule Selection, and click Select all Core Endpoint & Workload Rules in the toolbar.
  5. To unassign rules, select Rule Selection, and click Deselect all Core Endpoint & Workload Rules in the toolbar.
  6. Click OK.

Automatically assign core Endpoint & Workload rules

When this setting is enabled, Workload Security assigns all core Endpoint & Workload rules to the policy whenever a rule update occurs. Core Endpoint & Workload rules that you unassigned manually stay unassigned after a rule update.

  1. On the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention > General. Rules assigned to the policy appear in the Assigned Intrusion Prevention Rules list.
  3. Switch Implement core Endpoint & Workload rules automatically to Yes.
  4. Click Save.

With the Endpoint Security license, enable this setting. With the Workload Security license, disable it and use recommendation scans instead.

Automatically assign updated required rules

Security updates can include new or updated application types and intrusion prevention rules which require the assignment of secondary intrusion prevention rules. Workload Security can automatically assign these rules if they are required. You enable these automatic assignments in the policy or computer properties.

  1. Go to the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention > Advanced.
  3. To enable the automatic assignments, in the Rule Updates area, select Yes.
  4. Click OK.

Configure event logging for rules

Configure whether or not events are logged for a rule, as well as whether or not to include packet data in the log.

Note that Workload Security can display X-Forwarded-For headers in intrusion prevention events when they are available in the packet data. This information can be useful when the agent is behind a load balancer or proxy. The X-Forwarded-For header data appears in the event's Properties window. To include the header data, include packet data in the log. In addition, rule 1006540 Enable X-Forwarded-For HTTP Header Logging must be assigned.

Since it would be impractical to record all packet data every time a rule triggers an event, Workload Security records the data only the first time the event occurs within a specified period of time. The default time is five minutes, however you can change the time period using the Period for Log only one packet within period property of a policy's Advanced Network Engine settings. See Advanced Network Engine Options.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. On the General tab, go to the Events area and select the desired options:
    • To disable logging for the rule, select Disable Event Logging.
    • To log an event when a packet is dropped or blocked, select Generate Event on Packet Drop.
    • To include the packet data in the log entry, select Always Include Packet Data.
    • To log several packets that precede and follow the packet that the rule detected, select Enable Debug Mode. Use debug mode only when your support provider instructs you to do so.

Additionally, to include packet data in the log, the policy to which the rule is assigned must allow rules to capture packet data:

  1. On the Policies page, open the policy that is assigned the rule.
  2. Click Intrusion Prevention > Advanced.
  3. In the Event Data area, select Yes.
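
The following example is added here to make two points of the event-logging behaviour concrete; it is illustrative Python, not Workload Security's own code. It models the "log only one packet within period" throttle (the per-rule keying, field names and timestamps are assumptions) and reads the X-Forwarded-For chain out of captured packet data the way an analyst would when the agent sits behind a proxy. The header only reaches the event when packet data is included and rule 1006540 is assigned, as described above; the sample packet and rule ID below are constructed.

```python
"""Added example (not Workload Security's own code): a model of the per-rule
packet-data throttle and an X-Forwarded-For reader for captured packet data.
Field names, the per-rule keying and the sample packet are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Default for "Log only one packet within period" (Advanced Network Engine).
DEFAULT_PERIOD = timedelta(minutes=5)


@dataclass
class IpsEvent:
    rule_id: int
    timestamp: datetime
    packet: bytes                      # packet data captured when the rule fired
    packet_data_logged: bool = False   # True only for the first event in a period


class PacketDataThrottle:
    """Keep packet data for the first event of each rule in a period (assumed
    per-rule keying); later events in the same period keep only their metadata."""

    def __init__(self, period: timedelta = DEFAULT_PERIOD) -> None:
        self.period = period
        self._window_start: dict[int, datetime] = {}

    def record(self, ev: IpsEvent) -> IpsEvent:
        start = self._window_start.get(ev.rule_id)
        if start is None or ev.timestamp - start >= self.period:
            self._window_start[ev.rule_id] = ev.timestamp   # open a new window
            ev.packet_data_logged = True
        else:
            ev.packet = b""            # the event is still logged, the payload is not
        return ev


def x_forwarded_for(packet: bytes) -> Optional[list[str]]:
    """Return the X-Forwarded-For chain from an HTTP request in captured packet
    data, left to right as sent, or None if the header is absent."""
    head, sep, _ = packet.partition(b"\r\n\r\n")
    if not sep:
        return None                     # no complete HTTP header block
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"x-forwarded-for":
            return [v.strip().decode("ascii", "replace") for v in value.split(b",")]
    return None


def client_ip(chain: list[str], trusted_proxies: set[str]) -> Optional[str]:
    """Walk the chain from the right: hops appended by our own proxies are
    trusted, and the first address left of them is the real client. Anything
    further left was supplied by the client and must not be trusted."""
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return None                         # every hop was ours: fall back to the TCP peer


# Constructed sample: three hits on one (made-up) rule, then a captured request.
SAMPLE_RULE = 1000001
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PACKET = (b"GET /login HTTP/1.1\r\nHost: app.example\r\n"
                 b"X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n\r\n")


def run_sample() -> list[IpsEvent]:
    """Events at +0, +1 and +5 minutes: only the first and last keep packet data."""
    throttle = PacketDataThrottle()
    return [throttle.record(IpsEvent(SAMPLE_RULE, T0 + delta, SAMPLE_PACKET))
            for delta in (timedelta(0), timedelta(minutes=1), timedelta(minutes=5))]


if __name__ == "__main__":
    for ev in run_sample():
        chain = x_forwarded_for(ev.packet)
        print(ev.timestamp, ev.packet_data_logged,
              client_ip(chain, {"198.51.100.2"}) if chain else "no packet data")
```

The second event in the sample lands inside the five-minute window and is logged without packet data, so its X-Forwarded-For value is simply unavailable; this is why a short period can hide the client address of repeated hits behind a proxy. When reading the chain, treat only the hops your own proxies appended as trustworthy; the leftmost entries are whatever the client chose to send.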

Generate alerts

Generate an alert when an intrusion prevention rule triggers an event.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab, and in the Alert area select On.
  4. Click OK.

Setting configuration options (Trend Micro rules only)

Some intrusion prevention rules that Trend Micro provides have one or more configuration options such as header length, allowed extensions for HTTP, or cookie length. Some options require you to configure them. If you assign a rule without setting a required option, an alert is generated that informs you about the required option. This also applies to any rules that are downloaded and automatically applied by way of a Security Update.

Intrusion prevention rules that have configuration options appear in the Intrusion Prevention Rules list with a small gear over their icon.

Custom intrusion prevention rules that you write yourself include a Rules tab where you can edit the rules.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Configuration tab.
  4. Configure the properties and then click OK.

Schedule active times

Schedule a time during which an intrusion prevention rule is active. Intrusion prevention rules that are active only at scheduled times appear in the Intrusion Prevention Rules page with a small clock over their icon.

With agent-based protection, schedules use the same time zone as the endpoint operating system.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab.
  4. In the Schedule area, select New or select a frequency.
  5. Edit the schedule as required.
  6. Click OK.

Exclude from recommendations

Exclude intrusion prevention rules from rule recommendations of recommendation scans.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab.
  4. In the Recommendations Options area, select Exclude from Recommendations.
  5. Click OK.

Set the context for a rule

Set the context in which the rule is applied.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Click the Options tab.
  4. In the Context area, select New or select a context.
  5. Edit the context as required.
  6. Click OK.

Override the behavior mode for a rule

Set the behavior mode of an intrusion prevention rule to Detect when testing new rules. In Detect mode, the rule creates a log entry prefaced with the words "detect only:" and does not interfere with traffic. Some intrusion prevention rules are designed to operate only in Detect mode. For these rules, you cannot change the behavior mode.

If you disable logging for the rule, the rule activity is not logged regardless of the behavior mode.

For more information about behavior modes, see Use behavior modes to test rules.

The configuration performed in the following procedure affects all policies. For information about configuring a rule for one policy, see Override rule and application type configurations.

  1. Click Policies > Intrusion Prevention Rules.
  2. Select a rule and click Properties.
  3. Select Detect Only.

Override rule and application type configurations

From a Computer or Policy editor, you can edit an intrusion prevention rule so that your changes apply only in the context of the policy or computer. You can also edit the rule so that the changes apply globally so that the changes affect other policies and computers that are assigned the rule. Similarly, you can configure application types for a single policy or computer, or globally.

  1. Go to the Policies page, right-click the policy to configure and click Details.
  2. Click Intrusion Prevention.
  3. To edit a rule, right-click the rule and select one of the following commands:
    • Properties: Edit the rule only for the policy.
    • Properties (Global): Edit the rule globally, for all policies and computers.
  4. To edit the application type of a rule, right-click the rule and select one of the following commands:
    • Application Type Properties: Edit the application type only for the policy.
    • Application Type Properties (Global): Edit the application type globally, for all policies and computers.
  5. Click OK.

When you select the rule and click Properties, you are editing the rule only for the policy that you are editing.

You cannot assign one port to more than eight application types. If you do, the rules cannot function on that port.
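
The following example is added to show how the assignment rules in Assign and unassign rules, the license-type rule in Intrusion prevention license types, and the global/policy/computer override layers described in this section combine into one effective configuration per computer, together with a check for the eight-application-types-per-port limit. It is illustrative Python, not Workload Security's own code or API; the data structures, field names, rule IDs and application types are assumptions.

```python
"""Added example (not Workload Security's own code): a small model of rule
assignment at policy and computer level, of the global / policy / computer
override layers, of the license-type rule, and of the eight application types
per port limit. Data structures, field names and the sample IDs are assumptions."""
from dataclasses import dataclass, field

MAX_APP_TYPES_PER_PORT = 8


@dataclass(frozen=True)
class Rule:
    rule_id: int
    availability: str            # "Endpoint & Workload" or "Workload"
    application_type: str
    behavior: str = "Prevent"    # global setting: "Prevent" or "Detect Only"
    log: bool = True             # global setting: False means Disable Event Logging


@dataclass
class Policy:
    name: str
    assigned: set[int] = field(default_factory=set)
    overrides: dict[int, dict] = field(default_factory=dict)   # Properties (policy scope)


@dataclass
class Computer:
    name: str
    policy: Policy
    assigned: set[int] = field(default_factory=set)              # assigned in Computer editor
    overrides: dict[int, dict] = field(default_factory=dict)   # Properties (computer scope)


def assigned_rules(computer: Computer) -> set[int]:
    """A computer runs its policy's rules plus any assigned to it directly."""
    return computer.policy.assigned | computer.assigned


def unassign_from_computer(computer: Computer, rule_id: int) -> bool:
    """Rules assigned by the policy cannot be removed in the Computer editor; they
    must be unassigned in the Policy editor, which affects every computer on that
    policy. Returns False when the rule comes from the policy."""
    if rule_id in computer.policy.assigned:
        return False
    computer.assigned.discard(rule_id)
    return True


def effective_config(catalog: dict[int, Rule], computer: Computer) -> dict[int, dict]:
    """Layer the settings: global rule properties, then the policy override,
    then the computer override. The most specific layer wins per field."""
    result = {}
    for rid in assigned_rules(computer):
        rule = catalog[rid]
        cfg = {"behavior": rule.behavior, "log": rule.log,
               "application_type": rule.application_type}
        cfg.update(computer.policy.overrides.get(rid, {}))
        cfg.update(computer.overrides.get(rid, {}))
        result[rid] = cfg
    return result


def license_type(catalog: dict[int, Rule], rule_ids: set[int]) -> str:
    """Workload if any assigned rule is Workload-only, otherwise Endpoint."""
    if any(catalog[r].availability == "Workload" for r in rule_ids):
        return "Workload"
    return "Endpoint"


def overloaded_ports(app_types: dict[str, frozenset[int]]) -> dict[int, set[str]]:
    """Ports claimed by more than eight application types; rules on those ports
    stop working, so this should fail a configuration review."""
    by_port: dict[int, set[str]] = {}
    for name, ports in app_types.items():
        for port in ports:
            by_port.setdefault(port, set()).add(name)
    return {p: names for p, names in by_port.items() if len(names) > MAX_APP_TYPES_PER_PORT}


# Constructed sample data: the rule IDs and application types are made up.
CATALOG = {
    1000001: Rule(1000001, "Endpoint & Workload", "Web Server 0"),
    1000002: Rule(1000002, "Workload", "Web Server 1", behavior="Detect Only"),
    1000003: Rule(1000003, "Endpoint & Workload", "DNS Server"),
}
APP_TYPES = {f"Web Server {i}": frozenset({80}) for i in range(9)}   # nine on port 80
APP_TYPES["DNS Server"] = frozenset({53})


def build_sample() -> Computer:
    """One policy-managed web server with one computer-level rule and overrides."""
    policy = Policy("web-tier", assigned={1000001, 1000002},
                    overrides={1000002: {"log": False}})
    return Computer("web-01", policy, assigned={1000003},
                    overrides={1000001: {"behavior": "Detect Only"}})


if __name__ == "__main__":
    c = build_sample()
    print(effective_config(CATALOG, c))
    print(license_type(CATALOG, assigned_rules(c)))
    print(unassign_from_computer(c, 1000001), unassign_from_computer(c, 1000003))
    print(overloaded_ports(APP_TYPES))
```

In the sample, rule 1000002 is Detect Only globally and has logging disabled by the policy, so as the text above notes its activity is not logged at all regardless of behavior mode; rule 1000001 is switched to Detect Only for this one computer without touching other computers on the policy. The unassign call for 1000001 fails because the rule comes from the policy, and the nine constructed web application types on port 80 are reported as exceeding the limit.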

Export and import rules

You can export one or more intrusion prevention rules to an XML or CSV file, and import rules from an XML file:

  1. Click Policies > Intrusion Prevention Rules.
  2. To export one or more rules, select them and click Export > Export Selected to CSV or Export > Export Selected to XML.
  3. To export all rules, click Export > Export to CSV or Export > Export to XML.
  4. To import rules, click New > Import From File and follow the instructions on the wizard.