In this article, readers will acquire the knowledge needed to know how to respond to a threat detection alert in the UniFi Network Controller.
NOTES & REQUIREMENTS:
This article applies to users who are using the Intrusion Detection/Prevention System that is available for UniFi Security Gateways (all models).
Table of Contents
- Identifying False Positives
- Suppressing a Threat Signature
- Managing Suppressed Signatures
- Blacklisting and Blocking
- Related Articles
Identifying False Positives
The Threat Detection System on UniFi gateways has thousands of signatures that are grouped into categories. Each of these categories serves a unique purpose in detecting anomalous traffic passing through the gateway interfaces. Some of these categories are more aggressive in emitting alerts for benign traffic. If a UniFi Administrator is not careful when enabling categories, the alerts can pile up for traffic that may not be particularly harmful.
The type of event or alert that is described above is known as a "false positive". The traffic may be harmless but is triggered as potentially dangerous by one or many of the signature patterns that are checked before the traffic can pass through when running intrusion prevention. For this reason, some may choose to utilize detection over prevention.
To be able to identify a false positive ask the following questions:
- Is the alert coming from a single IP or many on the network?
- Have new and/or potentially suspicious clients been added to the network recently?
- Are there recent updates to the client OS that may be causing the alert?
- Does the alert give any insight into what type of traffic this might be?
If at the end of questioning the alert it is decided that the traffic was benign, the signature can be suppressed. Signature suppression will stop the emission of alerts when using intrusion detection, and also allow that traffic to pass when using intrusion prevention.
NOTE: It is best practice to view intrusion detection as a living system. With new types of attacks and vulnerabilities, it is best to review and audit this type of system regularly.
Suppressing a Threat Signature
The signature suppression function of the Threat Detection Engine allows a UniFi Administrator to disable the alerting/blocking on particular signatures that are not known to be malicious. To suppress a signature follow these steps:
1. Navigate to the IPS Dashboard > Traffic Log tab in the controller interface.
NOTE: Signature suppression with finer granularity can also be performed from the "IPS" settings section, by navigating to Settings > IPS.
Managing Suppressed Signatures
To manage suppressed signatures navigate to Settings > IPS > Signature Suppression.
Please keep in mind that:
- Adding a signature suppression rule for all traffic will suppress the signature regardless of host IP.
- Adding a signature suppression rule with packet tracking based on traffic direction and by single IP, defined UniFi Network, or subnet of choice.
Blacklisting and Blocking
ATTENTION: Blocking and blacklisting do not discriminate for internal hosts. Use these options with caution as they can block hosts on your LAN if those hosts are the source of traffic that can trigger a signature.
1. To manage blocking and blacklisting navigate to the IPS Dashboard section and select the "Traffic Log" tab at the top.
2. Once a traffic alert has been identified for action, select the alert. A detailed popup will come up that offers options related to the alert.
Blacklist: This option in the IPS Dashboard will block traffic from the source IP that triggered the signature.
Block: This option in the IPS Dashboard will block traffic to the destination host IP and from the source host IP.
Blocking and Blacklisting are inserted as rules on the firewall. Navigate to Settings > Routing and Firewall > Firewall > WAN_IN or WAN_OUT to see.