To block Internet worms and exploit attacks, configure a content filter. The Barracuda NG Firewall provides a set of predefined content filters that can be referenced by the firewall rule set. Network connection types (for example, SMTP) that are specified in the service or Service Object of firewall rules are checked for patterns that are configured in the content filters. Detected network attacks are logged in the <fw>_Content log file for later review. The source and destination address and the associated network interfaces or firewall rule actions are stored in the corresponding filter log (for example, [sqlslammer]).
You can edit existing filters or add new filters. You can also create filter groups.
Configure a Filter
- Open the Forwarding Rules page (CONFIG > Full Config > Virtual Servers > your virtual server > Firewall).
- In the left navigation pane, click Generic IPS Patterns.
- Create a new filter or select an existing filter to edit:
  - To create a new filter, right-click the lower table and select New.
  - To edit an existing filter, double-click its name in the lower table.
- Enter or edit the descriptive Name for the filter.
- From the Service list, select the service to be filtered.
- In the Description field, you can enter additional information about the filter.
- Configure the patterns for the filter:
  - To edit an existing pattern, select it from the table and click Edit.
  - To create a new pattern, click New.
  The Pattern window opens. You can edit the following pattern settings:
  - The pattern name.
  - Which direction of traffic/stream is affected. You can select one of the following directions:
    - To Server – Incoming traffic/stream.
    - To Client – Outgoing traffic/stream.
  - Any additional information about the pattern.
  - The search pattern that the stream is scanned for.
  - The pattern type. You can select one of the following pattern types:
    - Binary Pattern – List of hexadecimal digit pairs separated with a space. The screenshot of the Pattern window displays an example of a binary pattern (SQL Slammer).
    - ASCII Pattern + Wildcards (*, ?, [...]) – A text pattern with the following wildcards:
      - * – represents a variable number of characters, including an empty string (space)
      - ? – matches exactly one character.
      - [...] – matches only the characters that are enclosed within the brackets.
      Example pattern: ??attack*##
      Match on the following: 200attacking##
      Mismatch on the following: 500attackers##
  - The action, which also enables a reporting-only mode for individual patterns. You can select one of the following actions:
    - Terminate Session – Causes session termination when the pattern matches.
    - Create Log Entry – Triggers log entry generation only.
  - Ending Offset – The number of bytes from the connection start that are scanned to find the pattern.
- Click OK.
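To sanity-check a pattern definition offline before committing it, the following Python is an added example (not Barracuda code and not the NG Firewall's own matching engine): it parses both pattern types with the syntax described above and applies the direction and Ending Offset rules to a constructed byte stream. The class and field names are this example's own, and it assumes a match must lie entirely within the Ending Offset window.

```python
import re
from typing import Optional

def parse_binary(text: str) -> bytes:
    """Binary Pattern: hexadecimal digit pairs separated by a space, e.g. 'de ad be ef'."""
    pairs = text.split()
    if not pairs or any(len(p) != 2 for p in pairs):
        raise ValueError("binary pattern must be space-separated hex pairs")
    return bytes(int(p, 16) for p in pairs)

def compile_ascii(text: str) -> re.Pattern:
    """ASCII Pattern + Wildcards: '*' = any run of characters (may be empty),
    '?' = exactly one character, '[...]' = one of the enclosed characters.
    Everything else is matched literally; the result is a bytes regex."""
    out, i = [], 0
    while i < len(text):
        c = text[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = text.find("]", i)
            if j < 0:
                raise ValueError("unterminated [...] in pattern")
            out.append("[" + text[i + 1:j].replace("\\", "\\\\") + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out).encode("latin-1"), re.DOTALL)

class Pattern:
    """One entry of the Pattern window (field names are this example's own)."""
    def __init__(self, name, direction, search, kind, action, ending_offset):
        self.name, self.direction, self.action = name, direction, action
        self.ending_offset = ending_offset
        self.compiled = parse_binary(search) if kind == "binary" else compile_ascii(search)

def evaluate(pat: Pattern, direction: str, stream: bytes) -> Optional[str]:
    """Scan only the first Ending Offset bytes of a stream flowing in the pattern's
    direction; return the configured action on a hit, None otherwise.
    Assumption: the whole match must fit inside the Ending Offset window."""
    if direction != pat.direction:
        return None
    window = stream[:pat.ending_offset]
    if isinstance(pat.compiled, bytes):
        hit = pat.compiled in window
    else:
        hit = pat.compiled.search(window) is not None
    return pat.action if hit else None
```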
Configure a Filter Group
- Open the Forwarding Rules page (CONFIG > Full Config > Virtual Servers > your virtual server > Firewall).
- In the left navigation pane, click Generic IPS Patterns.
- Click Lock.
- Create a new group or select an existing group to edit:
  - To create a new group, right-click the upper table and select New.
  - To edit an existing group, double-click its name in the upper table.
  The Filter Group window opens. You can edit the following group settings:
  - Name – The group name.
  - Description – Any additional information about the filter group.
  - Filter Name – Table that lists each filter that is included in the group. You can add or delete filters:
    - To add a filter, select it from the filter list and click Add.
    - To delete a filter, select it and click Delete.
- Click OK.
Referencing within the Corresponding Rules
Once a content filter pattern has been applied to a service, every firewall rule whose service or Service Object references that service automatically applies the pattern; no further configuration of the rule itself is needed.