
Signature Profiles

Signature profiles enable you to configure rules that are downloaded from the Cloud Portal. Orchestrator provides the following default signature profiles:

  • For the 4.x signature family, the Default signature profile

  • For the 5.x signature family, the Default_S5 signature profile

These default profiles include default settings for the signature rules. Default profiles are automatically used across all appliances. You can create additional signature profiles and override default rule settings by choosing different actions as needed.

By default, all rules included in the signatures list are enabled on all appliances where IPS is enabled. The default action is to drop traffic when a rule is triggered. However, for certain traffic or in some other cases, you might want to specify different actions for IPS to take.

  1. To open the Signature Profiles tab, click Signature Profiles on the Intrusion Detection/Prevention tab (Configuration > Overlays & Security > Security > IDS/IPS).


  2. Select the appropriate signature family from the Signature Family drop-down list.

    NOTE: You can apply profiles for the 5.x signature family only to appliances with IPS engine version 6.x or later.

  3. Initially, the Profile field indicates that rules for the default signature profile (either Default for the 4.x signature family or Default_S5 for the 5.x signature family) are displayed on this tab. To change the displayed signature profile, select the appropriate profile from the Profile drop-down list.

    To create signature profiles, see Create a Signature Profile below.

  4. Use the Filter Rules field above the table to filter the list of rules. You can also use the filters to the right of the field to view rules by affected products, rule category, severity, and/or action.

  5. To set the response for a specific rule, select one of the following actions from the drop-down list in the Action column. For multiple rules, select the appropriate rule rows in the table, and then select an action from the Bulk Edit Filtered Rules drop-down list.

    • Drop: Drop the traffic when a matching signature condition exists for the source, destination, or both.

    • Inspect: Let the traffic continue to the destination after inspecting it and raising an event for the matching signature. This action detects the anomaly.

    • Allow: Exclude the rule from IDS/IPS processing, so it no longer participates in inspection.

    You can apply profiles to your appliances by clicking the Apply Profile link. For details, refer to the help information for the Intrusion Detection/Prevention tab.

Create a Signature Profile

When you create a signature profile, it will be selectable from the Profile drop-down list. Then you can change the rule actions for that profile as needed.

  1. On the Signature Profiles tab, select the appropriate signature family from the Signature Family drop-down list.

  2. Click the edit icon associated with the Profile field.

    The Signature Profiles dialog box opens.

  3. Click + Add.

    The Add Signature dialog box opens.

  4. Verify that the appropriate signature family is indicated.

  5. In the Profile Name field, enter a signature profile name, and then click Ok.

    The new signature profile displays on the Signature Profiles dialog box.

    NOTE: If your newly created signature profile is based on signature family 5.x (or when previously existing signature profiles based on signature family 4.x are migrated during an ECOS upgrade), Orchestrator appends _S5 to the profile name you provided. For example, if the profile name is BankCo, Orchestrator changes it to BankCo_S5.

  6. Click Save.



© Copyright 2024 Hewlett Packard Enterprise Development LP.
