IDS/IPS Profiles are used to group signatures, which can then be applied to select applications.

The default IDS profile includes critical severities and cannot be edited.

Procedure

  1. Navigate to Security > Distributed IDS > Profiles.
  2. Enter a profile name and description.
  3. Click one or more of the severities you want to include.
    See IDS Severity Ratings for more information.
  4. (Optional) Filter signatures by created by, description, ID, name, path, severity, tag, and tag scope. Toggle the button to show user modified signatures.
  5. To change the action on a specific signature, click Manage Signature(s) for Profile. Click Add.
    Action: Description
    Alert: An alert is generated and no automatic preventive action is taken.
    Drop: An alert is generated and the offending packets are dropped.
    Reject: An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP-error packet is sent to the source and destination of the connection.

    Some IDS signatures are called “flowbits” signatures, and are used in conjunction with secondary signatures. The signature captures a particular type of traffic, which is fed to other signatures that trigger an alert or block action. These are purposely set to be silent (no-alert) because they would trigger noisy false positives. No signature with “flowbits:noalert” should be set to drop. See Signatures for a list of signatures that have the flow bit set to no-alert.

  6. Click Save to create the profile.
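
The flowbits caveat in step 5 can be checked before a profile is saved. The following is an added example, not part of the product or its documentation: it scans signature text for “flowbits:noalert” and reports any per-signature action override that would block on such a signature. It assumes the signatures are available in Suricata-style rule syntax and that the overrides have been exported as a signature-ID-to-action map (both hypothetical inputs); it also flags Reject, as an assumption, because Reject drops packets too.

```python
import re

# Actions that discard packets (per the action table, Drop and Reject both drop).
BLOCKING_ACTIONS = {"drop", "reject"}

# Match the sid and every flowbits option inside a Suricata-style rule body.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+);")


def noalert_sids(rules_text):
    """Return the set of signature IDs whose rule carries flowbits:noalert."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        sid = SID_RE.search(line)
        if not sid:
            continue
        # A rule may carry several flowbits options; any "noalert" makes it silent.
        options = [m.strip().lower() for m in FLOWBITS_RE.findall(line)]
        if "noalert" in options:
            sids.add(int(sid.group(1)))
    return sids


def find_bad_overrides(rules_text, profile_overrides):
    """Return sorted (sid, action) pairs where a noalert signature is set to block."""
    silent = noalert_sids(rules_text)
    return sorted(
        (sid, action)
        for sid, action in profile_overrides.items()
        if sid in silent and action.lower() in BLOCKING_ACTIONS
    )


# Constructed sample signatures (not real rules) and a constructed override map.
SAMPLE_RULES = """
alert http any any -> any any (msg:"EXAMPLE setter"; flowbits:set,ex.login; flowbits:noalert; sid:9000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE consumer"; flowbits:isset,ex.login; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE setter 2"; flowbits: set,ex.b; flowbits: noalert; sid:9000003; rev:1;)
"""
SAMPLE_OVERRIDES = {9000001: "DROP", 9000002: "DROP", 9000003: "ALERT"}

if __name__ == "__main__":
    for sid, action in find_bad_overrides(SAMPLE_RULES, SAMPLE_OVERRIDES):
        print(f"sid {sid}: flowbits:noalert signature set to {action}")
```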

What to do next

Create IDS rules.