Intrusion Prevention System (IPS)
Last updated
Last updated
In addition to the Contextual Machine-Learning based engine, open-appsec provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). One specific benefit of these signatures is the ability to see logs that indicate a specific CVE number.
When defining a new Web Application or a new Web API asset to protect, IPS was already defined to enforce its security as part of step 3 of the wizard. However - a security administrator may choose to fine tune the default behavior of the IPS engine.
Once the asset edit window opens, select the Threat Prevention tab and scroll to the Intrusion Prevention sub-practice.
The settings allow:
Changing which protections will be active according to their:
Performance Impact
Severity
Year of the CVE they protect against
Changing the exact behavior upon detection of signature according to its confidence level (Prevent/Detect/Inactive, or, According to Practice when there is no unique behavior to the group of protections)
When making the first change to the default Web Application/API Best Practice's configuration such as making changes to the default configuration of the IPS engine settings, you will be prompted to change the name of the Practice to your own custom practice name
Setting the Mode to As Top Level means inheriting the primary mode of the practice.
Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.
You can also set up a specific action per confidence level of the the protection that caught the attack. According to Practice mode means the sub-practice's mode determines the action. But you can set up Detect/Prevent/Disable specifically for that group of protections per confidence level. For example - the default configuration of the IPS sub-practice configures that Low confidence protections will be set to "Detect" mode, unrelated to the general IPS mode.
Click Enforce above the top banner of the open-appsec portal.