Rules Generation
Binaries on Backend
Rules Preprocessor
input: Emerging Threats rule sets
output: Rules Pool (with initial weights)
We will review and update the Emerging Threats rules regularly.
Rules Generator
input: network flow metadata, alerts, bad IP list, bad domain list, Rules Pool
output: selected IDS rules and firewall rules
The network flow metadata, alerts, bad IP list and bad domain list are used to update the weights of the rules so that they are specific to the user's network.
This module then performs IDS Rules Selection and Firewall Rules Generation.
IDS Rules Selection
We analyzed sample office traffic and assigned initial weights to the Emerging Threats rule sets. The output is the Rules Pool. This preprocessing is applied again after each Emerging Threats rule set update.
The weights are then updated using the network flow metadata of a specific router. Factors affecting the weight of a rule:
- network flow metadata features match the rule
- whether the service (by port) is in use
- whether alerts have been triggered
- bad IP list
- bad domain list
The selected IDS rules determine which traffic triggers an alert, which in turn affects firewall rule generation.
Firewall Rules Generation
Factors affecting firewall rule generation:
- network flow metadata features match the rule
- whether IDS alerts have been triggered
- bad IP list
- bad domain list
Format of firewall rules
| Chain | Protocol | Source Address | Source Port | Destination Address | Destination Port | Action | Priority | Remarks |
|---|---|---|---|---|---|---|---|---|
| Input | tcp | Any | Any | 10.10.10.0/24 | 22 | Drop | 99 | Set by user |
| Input | tcp | 10.10.0.0/16 | Any | 192.168.0.0/24 | 22 | Drop | 30 | sid 12321 |
| Input | tcp | 10.10.1.0/24 | Any | 192.168.0.0/24 | 22 | Allow | 40 | sid 12321 |
| Input | tcp | 10.10.0.0/16 | Any | 192.168.0.0/24 | 443 | Allow | 30 | sid 12321 |
| Forward | Any | Any | Any | 5.57.226.202 | Any | Drop | 30 | bad domain: bankingsecure.webcindario.com |
| Forward | Any | Any | Any | 194.190.139.47 | Any | Drop | 30 | bad domain: ria.ru |
| Forward | Any | Any | Any | 102.88.10.10 | Any | Drop | 30 | bad ip: 102.88.10.10 |
On the router it is serialized as a comma-separated values (CSV) file:
# Chain, Protocol, Source Address, Source Port, Destination Address, Destination Port, Action, Priority, Remarks
Forward, Any, Any, Any, 5.57.226.202, Any, Drop, 30, bad domain: bankingsecure.webcindario.com
Forward, Any, Any, Any, 194.190.139.47, Any, Drop, 30, bad domain: ria.ru
Forward, Any, Any, Any, 102.88.10.10, Any, Drop, 30, bad ip: 102.88.10.10
These rules are to be applied by the router, for example with iptables:
iptables -I FORWARD 1 -d 194.190.139.47 -j DROP
iptables -I FORWARD 1 -d 5.57.226.202 -j DROP
iptables -I FORWARD 1 -d 102.88.10.10 -j DROP
- TP-Link should specify the chain for adding firewall rules
- The priority of the firewall rules could be used as a hint for assigning the iptables rule index
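As an added example (not the project's or TP-Link's code), the following Python parses the CSV rule format above and translates it into iptables commands, using Priority as the hint for rule order. It assumes that a higher Priority value is matched first (which is what makes the Allow at 40 an exception to the broader Drop at 30 in the table), maps Allow to ACCEPT, and rejects a port filter without a protocol, since iptables itself refuses --sport/--dport without -p.

```python
import csv
import io
import shlex
from collections import namedtuple

# Constructed sample rows in the page's CSV format (comment header + rules).
SAMPLE_CSV = """# Chain, Protocol, Source Address, Source Port, Destination Address, Destination Port, Action, Priority, Remarks
Input, tcp, 10.10.0.0/16, Any, 192.168.0.0/24, 22, Drop, 30, sid 12321
Input, tcp, 10.10.1.0/24, Any, 192.168.0.0/24, 22, Allow, 40, sid 12321
Forward, Any, Any, Any, 102.88.10.10, Any, Drop, 30, bad ip: 102.88.10.10
"""

CHAINS = {"Input": "INPUT", "Forward": "FORWARD", "Output": "OUTPUT"}
ACTIONS = {"Drop": "DROP", "Allow": "ACCEPT"}
Rule = namedtuple("Rule", "chain proto src sport dst dport action priority remarks")

def parse_rules(text):
    """Parse the CSV into Rule tuples; lines starting with '#' are comments."""
    rules = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 9:
            raise ValueError(f"expected 9 fields: {row}")
        chain, proto, src, sport, dst, dport, action, prio, remarks = row
        if chain not in CHAINS or action not in ACTIONS:
            raise ValueError(f"unknown chain or action: {row}")
        # iptables rejects --sport/--dport unless -p tcp/udp is given
        if proto == "Any" and (sport, dport) != ("Any", "Any"):
            raise ValueError(f"port filter needs a protocol: {row}")
        rules.append(Rule(chain, proto, src, sport, dst, dport, action, int(prio), remarks))
    return rules

def to_iptables(rules):
    """Emit one 'iptables -A' command per rule, appended in descending Priority
    so higher-priority rules are matched first (assumed meaning of Priority)."""
    cmds = []
    for r in sorted(rules, key=lambda r: -r.priority):
        cmd = ["iptables", "-A", CHAINS[r.chain]]
        if r.proto != "Any":
            cmd += ["-p", r.proto]
        for flag, val in (("-s", r.src), ("--sport", r.sport),
                          ("-d", r.dst), ("--dport", r.dport)):
            if val != "Any":
                cmd += [flag, val]
        # keep the Remarks on the rule so 'iptables -L' shows why it exists
        cmd += ["-j", ACTIONS[r.action], "-m", "comment", "--comment", r.remarks]
        cmds.append(shlex.join(cmd))  # quotes remarks that contain spaces
    return cmds
```

Calling `to_iptables(parse_rules(SAMPLE_CSV))` yields the commands in evaluation order, ready to be run on the router.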