Configuring intrusion prevention system

Intrusion prevention system overview

Kerio Control integrates Snort, an intrusion detection and prevention system (IDS/IPSAn intrusion detection and prevention system that detects malicious activities in the network.) protecting the firewall and the local network from known network intrusions.

A network intrusion is network traffic that impacts the functionality or security of the victim-host. A typical attribute of intrusions is their apparent legitimacy and it is difficult to uncover such traffic and filter it simply by traffic rules. Let us use Denial of Service intrusion as an example — too many connections are established on a port to use up the system resources of the server application so that no other users can connect. However, the firewall considers this act only as access to an allowed port.

Note that:

Configuring intrusion prevention

  1. In the administration interface, go to Intrusion Prevention.
  2. Check Enable Intrusion Prevention.
  3. Leave Severity levels in the default mode. Kerio Control distinguishes three levels of intrusion severity:
  • High severity — Activity where the probability of a malicious intrusion attempt is very high (e.g. Trojan horse network activity).
  • Medium severity — Activity which is considered as suspicious (for example, traffic by a non-standard protocol on the standard port of another protocol).
  • Low severity — Network activity which does not indicate immediate security threat (for example, port scanning).
  1. Click the On the Kerio website, you can test these settings link to test the intrusion prevention system for both IPv4 and IPv6Version 6 of the Internet Protocol.. During the test, three fake harmless intrusions of high, middle, and low severity are sent to the IP addressAn identifier assigned to devices connected to a TCP/IP network. of your firewall.
  2. Click Apply.

The Security log will report when the firewall identifies and blocks an intrusion.

Configuring ignored intrusions

In some cases, legitimate traffic may be detected as an intrusion. If this happens, define an exception for the intrusion:

  1. In the administration interface, go to the Security log.
  2. Locate the log event indicating the filtered traffic. For example: "IPS: Alert, severity: Medium, Rule ID: 1:2009700 ET VOIP Multiple Unauthorized SIPSession Initiation Protocol - Communication protocol used for voice and video calls in Internet telephony or private IP telephone systems. Responses"
  3. Copy the rule ID number.
  4. In the administration interface, go to Intrusion Prevention.
  5. Click Advanced.
  6. In the Advanced Intrusion Prevention Settings dialog, click Add.
  7. Paste the rule ID number and a description.
  8. Click OK and Apply.

The legitimate traffic is allowed now.

Configuring protocol-specific intrusions

Some intrusions may target security weaknesses in specific application protocols. Therefore, some security rules are focused on special protocols on standard and frequently used ports.

If an application is available from the Internet and uses any of the listed protocols on a non-standard port (for example, HTTPHypertext Transfer Protocol - protocol for exchange of hypertext documents in HTML. on port 10000), add this port to list of ports on which protocol-specific intrusions are detected:

  1. In the administration interface, go to Intrusion Prevention.
  2. Click Advanced.
  3. In the Advanced Intrusion Prevention Settings dialog, find the desired service (HTTP in our example).
  4. Double-click the selected row and add the port (10000 in our example).
  5. Click OK and Apply.

The service running on the non-standard port is now protected by the protocol-specific intrusions.

IP blacklists

Kerio Control is able to log and block traffic from IP addresses of known intruders (so called blacklists). Such method of detection and blocking of intruders is much faster and also less demanding than detection of the individual intrusion types. However, there are also disadvantages. Blacklists cannot include IP addresses of all possible intruders. Blacklists may also include IP addresses of legitimate clients or servers. Therefore, you can set the same actions for blacklists as for detected intrusions.

Automatic updates

For correct functionality of the intrusion detection system, update databases of known intrusions and intruder IP addresses regularly.

Under normal circumstances there is no reason to disable automatic updates — non-updated databases decrease the effectiveness of the intrusion prevention system.


Automatic updates are incremental. If you need to force a full update, click Shift + Update now.


For database updates, a valid Kerio Control license or a registered trial version is required.