You may be familiar with the "top-down" matching approach from the world of firewalls. When a firewall encounters
IPS sensors typically use the same methodology: they process intrusion signatures beginning at the top of the list and perform the action specified by the first matching rule. For this reason, every organization should sort its IPS signatures so that the most important rules sit at the top. That way, when a packet matches multiple signatures, you can be certain that the highest-priority rule dictates the IPS response. Sorting your rules in this manner is a fairly simple process. The easiest approach is to order them by the severity of the response: place all of your "reject" rules at the top of the list, followed by your "alert" rules, followed by your "allow" rules. This ensures that the strongest applicable response always takes priority.
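The following is an added example (not code from the original article or from any IPS product) that models the first-match evaluation and the severity-based sort described above. The signature names, match fields and the sample packet are all constructed for illustration; the point it shows is that the same packet, matching three signatures, produces a different verdict depending purely on list order.

```python
"""Added example: a toy first-match signature engine showing why rule order
matters. Signature names, match fields and packets are constructed for this
illustration and do not correspond to any real IPS rule set."""
from dataclasses import dataclass, field

# Severity of response, as recommended in the text: reject first,
# then alert, then allow. Lower rank means the rule is evaluated earlier.
ACTION_RANK = {"reject": 0, "alert": 1, "allow": 2}


@dataclass
class Signature:
    name: str
    action: str
    # Constructed field -> value conditions; all must hold for a match.
    match: dict = field(default_factory=dict)

    def matches(self, packet: dict) -> bool:
        return all(packet.get(k) == v for k, v in self.match.items())


def first_match(signatures, packet):
    """Top-down evaluation: the first matching signature dictates the action.

    Returns (action, signature_name); falls back to a constructed default of
    ('allow', None) when nothing matches.
    """
    for sig in signatures:
        if sig.matches(packet):
            return sig.action, sig.name
    return "allow", None


def sort_by_severity(signatures):
    """Stable sort: reject rules first, then alert, then allow.

    Because sorted() is stable, the relative order of rules within a tier
    is preserved, so an existing within-tier priority is not disturbed.
    """
    return sorted(signatures, key=lambda s: ACTION_RANK[s.action])


def is_severity_ordered(signatures) -> bool:
    """Quick check a defender can run over a rule list: True when no weaker
    action (e.g. allow) appears above a stronger one (e.g. reject)."""
    ranks = [ACTION_RANK[s.action] for s in signatures]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


# Constructed signatures, deliberately listed in a poor order.
UNSORTED = [
    Signature("allow-internal-web", "allow", {"dst_port": 80, "src_net": "internal"}),
    Signature("alert-long-uri", "alert", {"dst_port": 80, "uri_len": "long"}),
    Signature("reject-known-bad-host", "reject", {"src_host": "bad-host"}),
]

# Constructed packet that satisfies all three signatures at once.
PACKET = {
    "dst_port": 80,
    "src_net": "internal",
    "uri_len": "long",
    "src_host": "bad-host",
}


def demo():
    """Return the verdict for PACKET before and after sorting the list."""
    before = first_match(UNSORTED, PACKET)
    after = first_match(sort_by_severity(UNSORTED), PACKET)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("unsorted list ordered?", is_severity_ordered(UNSORTED))  # False
    print("unsorted verdict:", before)  # ('allow', 'allow-internal-web')
    print("sorted verdict:  ", after)   # ('reject', 'reject-known-bad-host')
```

With the unsorted list the "allow" rule wins simply because it is listed first, and the packet from the known-bad host is passed through; after `sort_by_severity` the "reject" rule is evaluated first and takes priority. `is_severity_ordered` is the kind of check worth running whenever a rule list is edited, since a single rule added to the wrong place silently reintroduces the problem.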
This was first published in February 2009