IDPS signature rule parameters

Yang, Steven 151 Reputation points
2023-09-13T11:52:40.33+00:00

Hi,

Can you confirm the signature rule severity? It seems like there is a discrepancy between the GUI and REST API output. In general, this product is not well tested.

Also, for direction=3, is it "Any" or "Bidirectional"? GUI and REST API output/documentation should be consistent.

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

Accepted answer
  1. GitaraniSharma-MSFT 49,466 Reputation points Microsoft Employee
    2023-09-14T14:51:26.3533333+00:00

    Hello @Yang, Steven ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    We've already informed the Azure Firewall Product Group team regarding the documentation bug for directions, and they have mentioned that they will be fixing it shortly.

    The values for "Direction" are as follows:

    • Outbound - 0
    • Inbound - 1
    • Bidirectional - 2
    • Internal - 3
    • Internal/Outbound - 4

    Bi-directional or Any means the signature is always applied on any traffic direction (inbound/outbound, irrespective of where it is sent from and destined to).

    Refer: https://learn.microsoft.com/en-us/azure/firewall/premium-features#idps-signature-rules

    You can also refer to the blog below, written by the Azure Firewall PG, where you can see that Any means both inbound and outbound:

    https://techcommunity.microsoft.com/t5/azure-network-security-blog/taking-azure-firewall-idps-on-a-test-drive/ba-p/3872706

    The values for Severity are mentioned as below in the IDPS document:

    • Low (priority 3): An abnormal event is one that doesn't normally occur on a network or Informational events are logged. Probability of attack is low.
    • Medium (priority 2): The signature indicates an attack of a suspicious nature. The administrator should investigate further.
    • High (priority 1): The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/premium-features#idps-signature-rules

    And it looks like the REST API doc has this reversed. I've shared this feedback as well with the Azure Firewall PG, so that they can update the same while updating the Directions.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
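
The direction and severity values listed in the accepted answer, applied to decoding numeric signature fields, as an added example that is not part of the original thread or Microsoft's code. The field names `signatureId`, `severity` and `direction` are assumed, and the sample records are constructed.

```python
# Added example: decode numeric IDPS signature fields with the values from the
# accepted answer. Field names are assumed; SAMPLE records are constructed.
from collections import defaultdict

DIRECTION = {0: "Outbound", 1: "Inbound", 2: "Bidirectional",
             3: "Internal", 4: "Internal/Outbound"}
SEVERITY = {1: "High", 2: "Medium", 3: "Low"}  # priority 1 is the most severe


def decode(sig):
    """Return a copy of sig with readable labels; unknown codes stay visible."""
    out = dict(sig)
    sev, direction = sig.get("severity"), sig.get("direction")
    out["severityLabel"] = SEVERITY.get(sev, f"Unknown({sev})")
    out["directionLabel"] = DIRECTION.get(direction, f"Unknown({direction})")
    return out


def triage(signatures):
    """Group signature IDs by severity, then direction, most severe first."""
    grouped = defaultdict(lambda: defaultdict(list))
    for sig in map(decode, signatures):
        grouped[sig["severityLabel"]][sig["directionLabel"]].append(sig["signatureId"])
    order = ["High", "Medium", "Low"]
    # Unrecognised severity codes sort last so they are reviewed, not dropped.
    keys = sorted(grouped, key=lambda k: order.index(k) if k in order else len(order))
    return {k: dict(grouped[k]) for k in keys}


# Constructed sample records (not real signature IDs).
SAMPLE = [
    {"signatureId": 1000001, "severity": 1, "direction": 3},
    {"signatureId": 1000002, "severity": 3, "direction": 2},
    {"signatureId": 1000003, "severity": 1, "direction": 0},
    {"signatureId": 1000004, "severity": 7, "direction": 9},  # out-of-range codes
]

if __name__ == "__main__":
    for severity, by_direction in triage(SAMPLE).items():
        print(severity, by_direction)
```

A filter written against the reversed mapping would treat `severity == 3` as high and surface the low-priority signatures instead, which is why the mapping is kept in one place and unknown codes are reported rather than guessed.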
