IDS Rules Management Interface¶
The IDS Rules Management Interface will enable you to manage the IDS Rules in an easy way, it includes many features that will let you quickly search for rules, update them, …etc
We will explain various features by explaining each section in the image below
1. Rules action will let you do bulk action on selected rules, including enabling/disabling rules, you will be also able to change the rules Categories in bulk from here, check available action in the image below
2. The Add/Import button enable you to either Add a single rule, or import thousands of rules from multiple files at once, when you click on “Add/Import Rules” -> “Bulk Import Rules from file” option, you will be presented with the below screen
This screen allows you to configure rules import behavior:
New Rules Status: The status of the newly imported rule (identified by SID), if you need to manually review the newly imported rules before they get pushed to your IDS Hosts, then select “Review”, otherwise keep the option at “Enabled”
New Revision Status: The status of the newly imported rule revision, this options will control how we treat new revision of rules that already exist in IDSTower, the available options are:
Keep Current Status (Recommended): if you choose this option, IDSTower will assign the same status of the current rule revision to the newly imported one, example: if the current rule is disabled, the new revision will also be disabled.
Enabled: if you choose this option, IDSTower will set the status of the newly imported rule revision to Enabled.
Review: if you choose this option, IDSTower will set the status of the newly imported rule revision to Review, choose this option if you need to manually review new rule revisions before deploying them to the IDS Hosts.
Current Revision Status: The status to assign to the current rule revision when a new revision is imported, if you set “New Revision Status” option to Review, then you might want to set this option to “Enabled”.
Import Old Rules Revisions: Should IDSTower import old rule revisions when a newer revision already exist?, Set this option to “Yes” if you want to keep a history of rules revisions in IDSTower.
3. Rules Categories & Status filter, use those to quickly filter rules by their Category and Status.
4. Quick Actions menu to quickly change the status of individual rule, or to delete it.
5. Quick Overview on the Rules, including their SID, Revision number, Alert Message, Category, Status & Tags, note that you can also click on Status & Tags to quickly search for IDS Rules with the same status & tags.
Next, we will take a look on the IDS Rule editor interface