IPS in Kerio Control


2013/07/05

You may never have even looked at IPS in Kerio Control and you may never need to. The default configuration is all that most users need and it updates itself regularly and automatically, so it is easy to forget that it's even there.

There are some areas you might want to consider adjusting, or at least know something about, so let's take a quick spin through it.

Snort

The Kerio IPS (Intrusion Prevention System) uses Snort to make decisions about possibly undesirable network activity. Note that this is outside activity: it looks at activity coming from network interfaces included in the Internet Interfaces group, not from local networks or VPN clients.

There are rules and blacklists:

Rules and blacklists in Kerio Control IPS

You can find the rules in /opt/kerio/winroute/snort/rules/used.rules. Here's an example rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401
(msg:"ET EXPLOIT CVS server heap overflow attempt
(target Linux)"; flow: to_server,established; dsize:
>512; content:"|45 6e 74 72 79 20 43 43 43 43
43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20;
threshold: type limit, track by_dst, count 1, seconds 60;
reference:url,doc.emergingthreats.net/bin/view/Main/2000048;
classtype:attempted-admin; sid:2000048; rev:5;)

If you want to know more about Snort, see The Snort Cookbook and The Snort User's Manual.

Note that IPS is performed BEFORE your traffic rules - you can't bypass these with traffic rules. Finally, you must be using NAT. That's the normal and default use of Kerio Control, but you should be aware that IPS doesn't work if you are not using NAT for inside addresses.

The default configuration for these IPS rules is to log and drop high severity incidents, only log medium severity, and do nothing about the low severity rules.

Many of these threats may already be patched by your operating system. For example, consider this log entry:

[01/Jul/2013 19:12:46] IPS: Packet drop, severity: High, Rule ID: 1:2008411 ET TROJAN LDPinch SMTP Password Report with mail client The Bat!,

If you are running any sort of anti-virus/anti-malware software on your computers, that software is likely already very aware of that threat and is prepared to block it. So why bother with these IPS rules?

Well, your computer software may be out of date, perhaps because you just haven't had a convenient moment to do the update. The Kerio Control IPS updates itself automatically and as often as you say - by default every 24 hours, but you can make that as often as every hour if you wanted to.

Automatic updates are incremental. To force a full update, hold Shift while clicking the Update link.

If you want to see what that rule actually is, search for "2008411" in /opt/kerio/winroute/snort/rules/used.rules.

Testing the IPS

If you look in your Security log, you'll likely find IPS entries - the attacks are very common. If you have been blessed with incredibly good luck and see nothing, you can test the IPS system by clicking on the "test these settings" link:


If a rule is being triggered that you do NOT want to use, you can disable it in the Advanced section:

Advanced IPS configuration

You only have to put in the sid number ("2008411" in the example above). Kerio will add the "1:" itself.
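To do that lookup programmatically, here is an added Python example (not Kerio's or Snort's own code) that parses rule lines in the used.rules format and finds a rule either by the "1:sid" id the Security log prints or by the bare sid you would type into Advanced. The rule text is a constructed sample: the first rule is the one quoted earlier in this article, the second is a placeholder invented here.

```python
import re

# Constructed sample of used.rules: the first rule is the one quoted in the
# article (sid 2000048); the second is a placeholder invented here (sid 9000001).
RULES_TEXT = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5;)
# blank lines and comments are skipped
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PLACEHOLDER rule, not a real ET signature"; flow:to_server,established; content:"placeholder"; classtype:misc-activity; sid:9000001; rev:1;)
'''

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                       r'(?P<dir><>|->)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$')

def split_options(opts):
    """Split 'key:value; key; ...' on ';' outside double quotes (a msg may contain ';')."""
    result, buf, in_quote, prev = {}, [], False, ''
    for ch in opts:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(buf).strip()
            buf = []
            if token:
                key, _, value = token.partition(':')
                result[key.strip()] = value.strip()
        else:
            buf.append(ch)
        prev = ch
    return result

def parse_rule(line):
    """Return the header fields plus gid/sid/rev/msg/classtype, or None if not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    opts = split_options(rule.pop('opts'))
    rule['gid'] = int(opts.get('gid', 1))   # Snort's default generator id: the "1:" in the log
    rule['sid'] = int(opts['sid'])
    rule['rev'] = int(opts.get('rev', 0))
    rule['msg'] = opts.get('msg', '').strip('"')
    rule['classtype'] = opts.get('classtype', '')
    return rule

def load_rules(text):
    """Index rules by (gid, sid), matching the 'Rule ID: 1:2008411' form in the Security log."""
    index = {}
    for line in text.splitlines():
        rule = parse_rule(line) if line.strip() and not line.lstrip().startswith('#') else None
        if rule:
            index[(rule['gid'], rule['sid'])] = rule
    return index

def lookup(index, rule_id):
    """Accept '1:2000048' (log form) or a bare '2000048' (what you type into Advanced)."""
    gid, _, sid = rule_id.rpartition(':')
    return index.get((int(gid) if gid else 1, int(sid)))
```

Point load_rules at the contents of /opt/kerio/winroute/snort/rules/used.rules to get the msg and classtype behind any Rule ID you see in the Security log before deciding whether to disable it.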

The other part of Advanced is for protocol-specific rules. That is, some rules refer to HTTP like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ...

If you are accessing some website on a non-standard port (the expected ports are 80, 8000 - 8080 and 3128), you can add it here.

Blacklists

The other part of IPS is blacklists maintained by Emerging Threats. If you click on one of these, you'll go to the page that describes the list:

List descriptions

You might wonder (as I have) why the Russian Business Network default is "Do nothing". That's probably because there are legitimate websites in those IP ranges. On the other hand, this entry from Wikipedia might be part of the reason too:


The RBN has been described by VeriSign as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 million in one year. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network. RBN has been known to sell its services to these operations for $600 per month.

Apparently not the kind of people you want to upset.



Got something to add? Send me email.





© Anthony Lawrence