Rules Life Cycle¶
Each IDS Rule has a life cycle, this cycle starts by the creation of the rule and assignment of a unique SID (signature ID) to it, and a revision number.
Each time a Cyber Security Analyst or a Security Engineer update this rule to improve its detection logic, it will be assigned a new revision number.
Publicly available IDS Ruleset like Emerging Threats follow this methodology, each time a rule gets improved, it will be published with the same SID but with a new revision number.
All of those rules are published in text files, this makes tracking those changes time consuming, moreover some of the Security Teams follow QA procedures that require the inspection of these new IDS Rules before deploying this to production, which again is very hard when dealing with text files.
To solve those issues, IDSTower tracks rules SID and revisions and assign each IDS Rule one of four statuses:
Enabled: Means the rule is enabled and will be deployed to the IDS Hosts.
Disabled: Means the rule is disabled and it will not be deployed to the IDS Hosts, moreover if you import a new revision of this rule (via Feeds or files) it will be assigned Disabled status as well, this is to make sure that when you disable a rule, it won’t be re-enabled in future rules updates.
Expired: This status is assigned to old revision of a rule, when IDSTower updates the rules (via feeds or files) and encounter a new revision, it will assign the old revision an expired status, a rule with expired status won’t be deployed to IDS Hosts, please note that this behavior is configurable.
Review: Means the IDS Rule is waiting to be manually reviewed by Analyst/Engineer, you can configure IDSTower to assign “Review” status to new rules (identified by new SID) or new revisions.
Next, we will see features offered by the IDS Rules Management interface