What is a 'top-down' IPS sensor search?
What does it mean when an IPS sensor searches signature files in a "top-down" fashion?
You may be familiar with the "top-down" matching approach from the world of firewalls. When a firewall encounters new traffic, it starts at the top of its rule base and checks each rule to see if it matches the traffic. When the firewall finds a match, it performs the specified action and stops checking. Even if traffic matches more than one firewall rule, it will only be affected by the rule base's highest priority rule: the one that is first from the top.
IPS sensors typically use the same methodology: they process intrusion signatures beginning at the top of the list and then perform the action specified in the first matching rule. For this reason, it's important for every organization to sort its IPS signatures so that the most important rules are at the top. That way, when a packet matches multiple signatures, you'll be certain that the highest priority rule dictates the IPS response. Sorting your rules in this manner is a fairly simple process. In fact, the easiest way to approach this problem is to order them by the severity of the response: place all of your "reject" rules at the top of the list, followed by your "alert" rules, followed by your "allow" rules. This will ensure that the strongest applicable response takes priority.
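To make the shadowing problem concrete, here is an added example (not from the original answer or from any IPS product) of a minimal first-match signature evaluator with the reject/alert/allow ordering described above; the signatures and the sample request are constructed for illustration.

```python
from dataclasses import dataclass
import re

# Severity order used to sort signatures: strongest response first.
ACTION_PRIORITY = {"reject": 0, "alert": 1, "allow": 2}

@dataclass(frozen=True)
class Signature:
    sid: int
    pattern: str   # regex matched against the packet payload
    action: str    # "reject", "alert" or "allow"

def first_match(signatures, payload):
    """Top-down evaluation: walk the list in order and stop at the first
    signature whose pattern matches. Returns (action, sid); a payload that
    matches nothing is passed through as ("allow", None)."""
    for sig in signatures:
        if re.search(sig.pattern, payload):
            return sig.action, sig.sid
    return "allow", None

def all_matches(signatures, payload):
    """Every signature that matches, to show which ones were shadowed."""
    return [s.sid for s in signatures if re.search(s.pattern, payload)]

def sort_by_severity(signatures):
    """Reorder reject > alert > allow. sorted() is stable, so signatures
    with the same action keep the order the author gave them."""
    return sorted(signatures, key=lambda s: ACTION_PRIORITY[s.action])

# Constructed sample signature list (hypothetical, not real IPS content).
# A broad "allow" sits at the top and shadows the two rules below it.
SIGNATURES = [
    Signature(100, r"^GET /", "allow"),
    Signature(200, r"/cgi-bin/", "alert"),
    Signature(300, r"\.\./\.\./", "reject"),
]

# Constructed sample request that matches all three signatures.
PAYLOAD = "GET /cgi-bin/../../etc/passwd HTTP/1.1"

if __name__ == "__main__":
    print("matching sids :", all_matches(SIGNATURES, PAYLOAD))
    print("as written    :", first_match(SIGNATURES, PAYLOAD))
    print("sorted        :", first_match(sort_by_severity(SIGNATURES), PAYLOAD))
```

Run as written, the request is allowed by signature 100 even though a reject rule also matches; after sorting by severity the same request hits signature 300 first.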
This was first published in February 2009