What is a 'top-down' IPS sensor search?

If you're a firewall guru, you're probably familiar with the "top-down" signature matching approach. In this expert Q&A, Mike Chapple explains how IPS sensors have a similar method.

What does it mean when an IPS sensor searches signature files in a "top-down" fashion?

You may be familiar with the "top-down" matching approach from the world of firewalls. When a firewall encounters new traffic, it starts at the top of its rule base and checks each rule to see if it matches the traffic. When the firewall finds a match, it performs the specified action and stops checking. Even if traffic matches more than one firewall rule, it will only be affected by the rule base's highest priority rule: the one that...

is first from the top.

IPS sensors typically use the same methodology: they process intrusion signatures beginning at the top of the list and then perform the action specified in the first matching rule. For this reason, it's important for every organization to sort its IPS signatures so that the most important rules are at the top. That way, when a packet matches multiple signatures, you'll be certain that the highest priority rule dictates the IPS response. Sorting your rules in this manner is a fairly simple process. In fact, the easiest way to approach this problem is to order them by the severity of the response: place all of your "reject" rules at the top of the list, followed by your "alert" rules, followed by your "allow" rules. This will ensure that the strongest applicable response takes priority.


This was first published in February 2009

Dig deeper on Detecting and preventing network intrusions

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close