Default Signature
In Default Signature, you can choose to either enable
or disable each signature provided by AhnLab for signature-based detection
or blocking of network infiltration and web-related threats.
You can check the following in Default
Signature.
- Adding, editing,
and deleting default signature to use in policy
- Searching default
signature
Add a default signature to use in policy
Follow the steps below to add a default signature provided by AhnLab
to use in IPS policy.
Note
Click Default on the bottom
of the screen to apply the default value.
- Click Policy.
- Select Policy > Security
Program Policy tab.
- Click Add > HIPS/Firewall
> IPS Policy.
- Click Default Signature
and click Assign. If a signature
already exists in the default signature list, you can download the
custom signature as a .csv file by clicking the download button.
- Check the default signature list in <Add a
Default IPS Signature> and configure how each signature is used. To show
only the signatures you are looking for in the list, choose Enabled or
Disabled, enter the SID or signature name and the CVE code in the search
field, and click Search.
- Enable: Select a signature to use and click
it to add it to IPS policy.
- Disable: Select a signature to use and click
it to remove it from IPS policy.
- Column Settings: You can set columns to display
on the default signature list. Click Column
Settings to select columns to show on
the list of the screen.
- See signature details:
You can check details of a signature. The layout of the details page
is slightly different for each signature type.
- Vulnerability Name: This is the name of a vulnerability
which is the cause of network infiltration. It is also the signature
name of the default signature
screen.
- Category: An area related to the vulnerability.
- Vulnerability Code: The publicly known CVE
(Common Vulnerabilities and Exposures) code value of the vulnerability.
- Severity: Risk severity of the vulnerability.
- Infection/Install Path: The path of malware
installation/infection caused by vulnerability.
- Influence: The type of the attack derived from
the vulnerability.
- Affected Product: The name of the application
under attack due to the vulnerability.
- Summary: Brief description of the vulnerability.
- Symptoms and summary: Description of the aspect
of the attack that derived from the vulnerability and its characteristics.
- Details: Detailed description of the vulnerability
and response against it.
- Response: The response against the vulnerability.
- Reference: The user can access this path to
acquire more information on the vulnerability.
Note
The CVE code consists of CVE - Year - Vulnerability identification
code. For more information, visit http://cve.mitre.org.
- Status: Whether the signature will be enabled
and added to the IPS policy. If the signature is in use, Enabled
will be displayed, and if the signature is not in use, Disabled
will be displayed.
- SID: The unique value (ID) of the signature.
- Signature Name: The name of the signature.
- CVE Code: The CVE code of the signature.
- Application Type: The type of the application
targeted by network infiltration.
- Protected Area: The areas which are protected
when network infiltration through vulnerability is found via signature-based
detection. The areas are divided into: Operating
System, Server Side Application,
Client Side Application, Network
Protocol, DataBase.
- Operating System: Detects attack which can
occur due to a vulnerability of OS.
- Server Side Application: Detects attack which
can occur due to a vulnerability of a server-run web application.
- Client Side Application: Detects attack which
can occur due to a vulnerability of client-run web application.
- Network Protocol: Detects attack which can
occur due to a protocol vulnerability.
- DataBase: Detects attack which can occur due
to a database vulnerability.
- Severity: The threat severity level of the
network infiltration found with signature-based detection. The threat
levels are divided into: Very High, High, Moderate,
Low, and Very Low.
Moderate is the default.
- Response Method: The response which is made
upon detecting network infiltration via signature-based detection.
Select Detect or Block.
- Detect: Only detect packets and traffics deemed
as network infiltration.
- Block: Detect and block packets and traffics
deemed as network infiltration.
- Block Option: Detailed signature-based block
options against inbound attack derived from network infiltration.
Takes effect when responding to an inbound attack with ‘block.’ If
the attack meets the selected option, it is detected. The options
are divided into: Source Block, Source/Destination Block, Source/Destination/Service
Block, Source/Service Block, and
None.
- Source Block: Only block source IP address
of the inbound attack.
- Source/Destination Block: Block source IP address
and destination IP address of the inbound attack.
- Source/Destination/Service Block: Block source
IP address, destination IP address, and service of the inbound attack.
- Source/Service Block: Block source IP address
and service of the inbound attack.
- None: Don’t set any additional block option
against inbound attack.
- Save Packets: Set whether to use the feature
to save the packet content upon detecting network infiltration via
signature-based detection. If the feature is in use, Enabled
will be displayed.
- Recommend Signature: Set whether to use the
signature added to IPS policy for signature recommendation. If the
feature is in use, Enabled will be displayed.
- Last updated on: The date of last signature
info update.
- Set the signature to add as ‘Enabled’ and click
Save.
- Check the signature list added to Default
Signature screen.
To group and check the signature by application type and response
method, click Show all and select an
item among Show by application type,
Show by response method, and Show
by severity.
- Click Save.
Note
Click Import on the top right
side of the screen to import and apply a policy.
Modify a default signature to use in policy
Follow the steps below to modify a default signature provided by AhnLab
to use in IPS policy.
- Click Policy.
- Select Policy > Security
Program Policy tab.
- Click Add > HIPS/Firewall
> IPS Policy.
- Click Default Signature,
select a signature to modify, and click Modify.
- <Default Signature Name - Modify Default
Signature> will appear. Modify the items as required.
- Response Method: The response which is made
upon detecting network infiltration via signature-based detection.
Select Detect or Block.
- Detect: Only detect packets and traffics deemed
as network infiltration.
- Block: Detect and block packets and traffics
deemed as network infiltration.
- Block Option: Detailed signature-based block
options against inbound attack derived from network infiltration.
Takes effect when responding to an inbound attack with ‘block.’ If
the attack meets the selected option, it is detected. Select among
Source Block, Source/Destination
Block, Source/Destination/Service Block,
Source/Service Block, and None.
- Source Block: Only block source IP address
of the inbound attack.
- Source/Destination Block: Block source IP address
and destination IP address of the inbound attack.
- Source/Destination/Service Block: Block source
IP address, destination IP address, and service of the inbound attack.
- Source/Service Block: Block source IP address
and service of the inbound attack.
- None: Don’t set any additional block option
against inbound attack.
- Severity: The threat severity level of the
network infiltration found with signature-based detection. Select
among Very High, High,
Moderate, Low,
and Very Low.
- Detection Direction: The direction where the
packets and traffics are transmitted upon detecting network infiltration
via signature-based detection.
- External > Internal: Detects packets and
traffics that are being transmitted from the external server to the
internal server.
- Internal > External: Detects packets and
traffics that are being transmitted from the internal server to the
external server.
- Internal > Internal: Detects packets and
traffics that are being transmitted from the internal server to the
internal server.
- Attack Duration: The duration which determines
if the packets and traffics that were transmitted during the network
infiltration found via signature-based detection should be recognized
as attack. If the number of traffics that occur within the timeframe
of the attack duration exceeds the No. of Attacks threshold, the packet
is deemed as a threat and is handled as per response method. Enter
a number between 1 and 86400 seconds for the attack duration.
- No. of Attacks: The threshold which determines
if the packets and traffics that were transmitted during the network
infiltration found via signature-based detection should be recognized
as attack. If the number of traffics that occurred within the timeframe
of the Attack Duration exceeds the No. of Attacks threshold, the packet
is deemed as a threat and is handled as per response method. Enter
a number between 1 and 99999 for the No. of Attacks.
- Block Duration: The block duration for packets
and traffics deemed as network infiltration. Works only if the response
method is set as ‘Block.’ Enter a number between 1 and 86400 seconds
for the block duration.
- Save Packets: Set whether to save the packet
content upon detecting network infiltration via signature-based detection.
- Recommend Signature: Set whether to use the
signature for signature recommendation.
- Click OK.
- Click Save.
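The Attack Duration, No. of Attacks, Block Duration and Block Option settings above together define a per-signature rate threshold. The following is an added example, not AhnLab code, that models that logic over constructed sample events so the interaction of the settings can be checked; the event field names (t, src, dst, service) and counting matches per source IP are assumptions.

```python
from collections import defaultdict, deque

# Added example, not AhnLab code. BLOCK_KEYS maps each Block Option to the
# event fields it blocks on; the field names src/dst/service are assumptions.
BLOCK_KEYS = {
    "Source Block": ("src",),
    "Source/Destination Block": ("src", "dst"),
    "Source/Destination/Service Block": ("src", "dst", "service"),
    "Source/Service Block": ("src", "service"),
    "None": (),
}

class SignatureRule:
    """Response Method, Block Option and rate thresholds of one signature."""

    def __init__(self, attack_duration, no_of_attacks, block_duration,
                 response="Block", block_option="Source Block"):
        if not (1 <= attack_duration <= 86400 and 1 <= no_of_attacks <= 99999
                and 1 <= block_duration <= 86400):
            raise ValueError("value outside the ranges the console accepts")
        self.attack_duration, self.no_of_attacks = attack_duration, no_of_attacks
        self.block_duration, self.response = block_duration, response
        self.key_fields = BLOCK_KEYS[block_option]
        self.hits = defaultdict(deque)   # source IP -> timestamps of matches
        self.blocked_until = {}          # block key -> time the block expires

    def handle(self, ev):
        """Decide one packet that matched the signature."""
        t, key = ev["t"], tuple(ev[f] for f in self.key_fields)
        if self.key_fields and t < self.blocked_until.get(key, -1):
            return "blocked"             # still inside Block Duration
        window = self.hits[ev["src"]]    # assumption: matches counted per source
        window.append(t)
        while t - window[0] > self.attack_duration:
            window.popleft()             # drop matches older than Attack Duration
        if len(window) <= self.no_of_attacks:
            return "allow"               # threshold not exceeded: not a threat
        if self.response == "Detect":
            return "detect"              # Detect: record only, never block
        if self.key_fields:              # any Block Option other than None
            self.blocked_until[key] = t + self.block_duration
        return "block"

def run(rule, events):
    return [rule.handle(e) for e in events]

# Constructed sample: 10.0.0.5 matches four times in 3 s, 10.0.0.7 once.
SAMPLE = [{"t": t, "src": s, "dst": "10.0.1.9", "service": "tcp/80"}
          for t, s in [(0, "10.0.0.5"), (1, "10.0.0.5"), (2, "10.0.0.5"),
                       (3, "10.0.0.5"), (3, "10.0.0.7"), (4, "10.0.0.5"),
                       (70, "10.0.0.5")]]
```

With Attack Duration 10, No. of Attacks 3 and Block Duration 60, the fourth match from 10.0.0.5 is blocked and the host stays blocked until second 63, while 10.0.0.7 is unaffected.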
Remove a default signature to use in policy
Follow the steps below to remove a default signature provided by AhnLab
from the list in IPS policy.
Note
To check only the signatures that have been removed from the default
signature list used in the policy, click Assign to open
<Add a Default IPS Signature>.
- Click Policy.
- Select Policy > Security
Program Policy tab.
- Click Add > HIPS/Firewall
> IPS Policy.
- Click Default Signature,
select a signature to remove, and click Delete
on the top side of the list or Delete on the
top side of the column.
- Once the deletion confirmation message appears,
click Yes.
- Click Save.
Search for a default signature to use in policy
You can search for a default signature to use in policy by entering the
SID, signature name, or CVE code. Follow the steps below to search for a
default signature.
- Click Policy.
- Select Policy > Security
Program Policy tab.
- Click Add > HIPS/Firewall
> IPS Policy.
- Click Default Signature
and enter the SID, signature name, or CVE code as the search keyword.
- Click Search.
- Check search result.