Active Protection System (APS) Version 8
CounterSnipe’s Active Protection System (APS) Version 8, released in April 2015, is an IDS/IPS system built on the Suricata engine, the Ubuntu 14.04 LTS operating system and the Emerging Threats ET Pro ruleset. This release moves CounterSnipe to the forefront of next-generation IDS/IPS technology for ongoing information protection.
Suricata is a high-performance network IDS/IPS engine. It inspects network traffic, matches it against its database of rules and signatures, and raises alerts (or, when deployed in-line as an IPS, drops the offending traffic) accordingly. Suricata’s multi-threaded architecture takes advantage of multi-core and multi-processor systems: the workload of traffic analysis can be divided across threads according to where the processing is needed, which increases both speed and efficiency on current CPUs. Suricata is open source and is maintained by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Amar Rathore, SVP of CounterSnipe, is an OISF board member.
UBUNTU 14.04 LTS
ETPRO™ RULESET: Both IDS and IPS software appliances rely on a set of signatures (rules) that describe bad network traffic, so their detection is only as good as the currency of that set. Emerging Threats develops comprehensive IDS/IPS rules to combat Advanced Persistent Threats and malware. The ETPro Ruleset Research Team pushes 20 to 30 new malware and vulnerability rule updates to CounterSnipe engines each day. ETPro™ and the ET design are trademarks of Emerging Threats Pro, LLC.
Surrounding Asset Knowledge (SAK)
Surrounding Asset Knowledge (SAK): CounterSnipe introduced a new capability called Surrounding Asset Knowledge (SAK). Its purpose is to gather information about which hosts, applications and vulnerabilities are present on your network and to use that information to dramatically reduce the number of false and irrelevant alerts that would otherwise be generated for a given set of hosts and signatures. In practice the point is not so much to reduce the total number of events you process as to arrange that the alerts which are generated concern actual exploits of software that is installed on the targeted host. This matters even more for an Intrusion Prevention System (IPS), where the device sits in-line and drops the traffic it judges bad, such as port scans, SQL injection attacks or other policy-driven prohibitions: there, an irrelevant alert is not just noise but a dropped connection.
Asset Database: This database holds the hosts detected on the network, the applications detected on those hosts and, where relevant, whether a host is believed to be compromised and whether alerts for specific signatures should be suppressed for it. Hosts and applications enter the database only through automatic detection; the compromise flag and the signature suppressions are set either automatically through alert handling or by hand through the web interface. The host database can be browsed by clicking 'Hosts' in the 'Analysis' menu. Besides giving access to the accumulated state that the alert mitigator uses, this interface lets you find the hosts on your network that most urgently need attention.
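To make the SAK idea concrete, here is an added example of an alert mitigator that applies asset knowledge to Suricata alerts. It is not CounterSnipe's code. It consumes alerts in Suricata's EVE JSON format (the real field layout, with constructed values), uses a constructed asset database (host to detected applications, plus a compromised flag) in place of the product's database, and assumes a hypothetical SIG_TARGETS table saying which software each signature exploits; a real deployment would derive that from rule metadata. Alerts are kept whenever the target software is present on the destination host, whenever the source host is flagged as compromised, and whenever anything is unknown; they are suppressed only when the targeted software is positively absent. The suppressed pairs are then emitted as Suricata threshold.config suppress entries, which is the standard way to stop the engine raising them.

```python
import json

# Constructed asset database (host -> applications detected on it), standing in
# for the SAK host database described above.
ASSETS = {
    "10.0.0.5": {"apache", "php", "mysql"},
    "10.0.0.8": {"iis", "mssql"},
    "10.0.0.9": {"openssh"},
}

# Hosts flagged as compromised: alerts they generate are never suppressed.
COMPROMISED = {"10.0.0.9"}

# Hypothetical table mapping rule SIDs to the software they exploit. An empty
# set marks a policy rule (scan, prohibited protocol) that applies to every host.
SIG_TARGETS = {
    2000001: {"iis"},
    2000002: {"php"},
    2000003: {"mysql", "mssql"},
    2000004: set(),
}


def _alert(src, dst, dport, sid, sig):
    """Build one constructed EVE 'alert' record as a JSON line."""
    return json.dumps({
        "timestamp": "2015-04-20T10:00:00.000000+0000", "event_type": "alert",
        "src_ip": src, "src_port": 40001, "dest_ip": dst, "dest_port": dport,
        "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": "Attempted Administrator Privilege Gain",
                  "severity": 1},
    })


# Constructed EVE log lines: seven alerts plus one non-alert 'flow' event.
EVE_LINES = [
    _alert("203.0.113.7", "10.0.0.5", 80, 2000001, "IIS exploit attempt (constructed)"),
    _alert("203.0.113.7", "10.0.0.8", 80, 2000001, "IIS exploit attempt (constructed)"),
    _alert("203.0.113.7", "10.0.0.5", 3306, 2000003, "SQL server exploit attempt (constructed)"),
    _alert("203.0.113.7", "10.0.0.9", 22, 2000004, "Port scan (constructed)"),
    _alert("203.0.113.7", "10.0.0.9", 80, 2000002, "PHP exploit attempt (constructed)"),
    _alert("10.0.0.9", "10.0.0.5", 80, 2000001, "IIS exploit attempt (constructed)"),
    _alert("203.0.113.7", "10.0.0.20", 80, 2000002, "PHP exploit attempt (constructed)"),
    json.dumps({"timestamp": "2015-04-20T10:00:00.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.8", "proto": "TCP"}),
]


def decide(rec, assets=ASSETS, targets=SIG_TARGETS, compromised=COMPROMISED):
    """Classify one EVE alert record as 'keep:<why>' or 'suppress:<why>'.

    Every uncertain case keeps the alert; suppression happens only when the
    software the rule targets is positively known to be absent from the host.
    """
    if rec["src_ip"] in compromised:
        return "keep:compromised-source"
    affected = targets.get(rec["alert"]["signature_id"])
    if affected is None:
        return "keep:unknown-rule"
    if not affected:
        return "keep:policy-rule"
    installed = assets.get(rec["dest_ip"])
    if installed is None:
        return "keep:unknown-host"
    if affected & installed:
        return "keep:software-present"
    return "suppress:software-absent"


def _alerts(lines):
    """Parse EVE JSON lines and yield only the 'alert' records."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec


def verdicts(lines, **kw):
    """Verdict for every alert in lines, in order (non-alert events skipped)."""
    return [decide(rec, **kw) for rec in _alerts(lines)]


def mitigate(lines, **kw):
    """Split EVE JSON lines into (kept, suppressed) alert records."""
    kept, suppressed = [], []
    for rec in _alerts(lines):
        (kept if decide(rec, **kw).startswith("keep") else suppressed).append(rec)
    return kept, suppressed


def suppress_config(suppressed):
    """Emit Suricata threshold.config 'suppress' entries, one per (signature,
    destination host) pair, so the engine stops raising those alerts."""
    entries = {
        "suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}".format(
            gid=r["alert"]["gid"], sid=r["alert"]["signature_id"], ip=r["dest_ip"])
        for r in suppressed
    }
    return sorted(entries)


if __name__ == "__main__":
    kept, dropped = mitigate(EVE_LINES)
    print(f"kept {len(kept)} alerts, suppressed {len(dropped)}")
    print("\n".join(suppress_config(dropped)))
```

The design choice worth noting is the asymmetry: a host the asset database has never seen, or a rule whose targets are unknown, is never suppressed. On an in-line IPS the cost of a wrongly kept alert is analyst time, while the cost of a wrongly suppressed one is a missed intrusion, so the defaults lean toward keeping.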
MAC Based Asset Blocking
MAC Based Asset Blocking: Once enabled, this function blocks all traffic from any MAC address that is not already known to the system, in addition to the IP-based blocking. Because a MAC address is only visible on the local network segment and can be set by the sender, this complements rather than replaces IP-based blocking.