Q: How do I set up a policy on the DC to alert me or perform some other action when an IDS rule fires?
Create the elements
You might have these already set up, in which case jump to the next section. Otherwise, take a gander at these instructions:
- Create or find the IDS rule and note the SID.
- Create the alert profile that sends you an email or a syslog message, if you don't already have one. You'll want alert profiles set up that you can reuse wherever they're needed, so do it now. To do this, go to policy/responses/alerts.
- Configure remediation profile instances if you don't already have them. A remediation might be a certain type of NMAP scan or Nessus scan, and each one lives inside an instance. These remediations, along with the alert profiles, will be there for you to choose from later as "responses" to an IDS event. To do this:
  - Go to policy/responses/remediations.
  - Pick a remediation type, say "NMAP scan".
  - Add an instance to hold your remediations, or use an existing instance.
  - In the instance, add a remediation. The name you give it is not editable and will later appear as a "remediations" choice, so be terse but explanatory.
  - Set up the parameters for your scan and save.
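The first step above is to find the IDS rule and note its SID. As an added example (not code from the original page or from the DC), here is a small Python parser that pulls the GID, SID, rev and msg out of Snort-format rule text, where the SID lives in the `sid:` option, so you can look a rule up by its message instead of reading the option string by eye. The rule file below is constructed for this example; the 1000000+ SIDs are just the conventional range for local rules, and the commented-out line shows how a disabled rule is told apart from a plain comment.

```python
"""Find the SID of a Snort-format IDS rule by its message text.

Added example for this FAQ; not code from the original page or from the
Defense Center. The rules below are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Constructed sample rule file (not from the original page). SIDs 1000000+
# are the conventional range for local/custom rules; the line starting with
# '#' is a disabled rule, and the last rule has escaped quotes in its msg.
SAMPLE_RULES = r'''
# local.rules -- constructed example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH login attempt to honeypot"; flow:to_server,established; classtype:attempted-admin; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC connection from internal host"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)
# alert udp any any -> $HOME_NET 161 (msg:"LOCAL SNMP public community"; content:"public"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB \"admin$\" share access"; flow:to_server,established; content:"admin|24|"; nocase; sid:1000004; rev:3;)
'''

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'  # rule action
    r'(?P<header>[^(]+?)\s*'                             # proto, addresses, ports, direction
    r'\((?P<options>.*)\)\s*$'                           # option body; greedy, so a ')' inside a string is fine
)

# msg value: everything between the quotes, honouring backslash escapes
MSG_RE = re.compile(r'(?:^|;)\s*msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def _option(name: str, options: str) -> Optional[str]:
    """Value of a numeric option (sid/gid/rev). It must start a new option,
    i.e. follow ';' or the opening '(', so 'sid' inside a quoted string or a
    metadata value is not picked up."""
    m = re.search(r'(?:^|;)\s*' + name + r'\s*:\s*(\d+)\s*;', options)
    return m.group(1) if m else None


def parse_rules(text: str) -> List[Dict]:
    """Parse rule text into dicts with gid, sid, rev, msg, header, enabled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith('#'):
            # Either a comment or a disabled (commented-out) rule; decide by
            # whether the rest of the line still parses as a rule.
            enabled = False
            line = line.lstrip('#').strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group('options')
        sid = _option('sid', opts)
        if sid is None:
            continue  # without a sid there is nothing a compliance rule could reference
        msg_m = MSG_RE.search(opts)
        msg = re.sub(r'\\(.)', r'\1', msg_m.group(1)) if msg_m else None
        rev = _option('rev', opts)
        rules.append({
            'gid': int(_option('gid', opts) or 1),  # text rules default to GID 1
            'sid': int(sid),
            'rev': int(rev) if rev is not None else None,
            'msg': msg,
            'enabled': enabled,
            'header': m.group('action') + ' ' + m.group('header').strip(),
        })
    return rules


def find_sids(rules: List[Dict], needle: str, include_disabled: bool = False) -> List[int]:
    """SIDs of rules whose msg contains needle (case-insensitive)."""
    n = needle.lower()
    return [r['sid'] for r in rules
            if (r['enabled'] or include_disabled)
            and r['msg'] is not None and n in r['msg'].lower()]


if __name__ == '__main__':
    for r in parse_rules(SAMPLE_RULES):
        state = '' if r['enabled'] else ' (disabled)'
        print(f"{r['gid']}:{r['sid']}:{r['rev']}  {r['msg']}{state}")
```

Run it against your own rules file instead of SAMPLE_RULES and search by the message you see in the event view; a disabled rule never fires, so `find_sids` leaves those out unless you ask for them.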
Get the rule working
policy/compliance/rule management
- Create a rule. You can put it in a group or not; it does not matter, since rules are managed individually. Groups are only there to help you organize your rules.
- In the rule, choose the SID (and, if you want, the Detection Engines) that control when the rule fires. You can add other granular conditions here too, such as filtering on IP address. Have fun.
policy/compliance/policy management
- Create a policy or use one you already have. Either works, because the responses are configured per rule.
- Add the rule you just created to your policy.
- Click "responses" next to your rule in the policy and choose one or more. This is where the alert profiles and remediations you configured in the first section show up. Click "update" to save your choices.