Intrusion Prevention Rules

List Intrusion Prevention Rules

get/intrusionpreventionrules

Lists all intrusion prevention rules.

Related SDK Methods:

Java

IntrusionPreventionRulesApi.listIntrusionPreventionRules([param1, param2, ...])

Python

IntrusionPreventionRulesApi.list_intrusion_prevention_rules([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.listIntrusionPreventionRules([param1, param2, ...])

Request

Security:

DefaultAuthentication

header Parameters

api-version

required

string

The version of the api being called.

Example: YOUR VERSION

Responses

200

successful operation

403

Not authorized to view intrusion prevention rules.

Request samples

Java
Python
JavaScript

import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.IntrusionPreventionRulesApi;
import com.trendmicro.deepsecurity.model.IntrusionPreventionRules;


public class ListIntrusionPreventionRulesExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth DefaultAuthentication = (ApiKeyAuth) defaultClient.getAuthentication("DefaultAuthentication");
		DefaultAuthentication.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		IntrusionPreventionRulesApi instance = new IntrusionPreventionRulesApi();
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			IntrusionPreventionRules result = instance.listIntrusionPreventionRules(apiVersion);
			System.out.println(result);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling IntrusionPreventionRulesApi.listIntrusionPreventionRules");
			e.printStackTrace();
		}
	}
}

Response samples

application/json

{"intrusionPreventionRules": [{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"identifier": "string",
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"canBeAssignedAlone": true,
"dependsOnRuleIDs": [0
],
"ID": 0,
"CVSSScore": "string",
"CVE": ["string"
]
}
]
}

Create an Intrusion Prevention Rule

post/intrusionpreventionrules

Create a new intrusion prevention rule.

Related SDK Methods:

Java

IntrusionPreventionRulesApi.createIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.create_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.createIntrusionPreventionRule([param1, param2, ...])

Request

Security:

DefaultAuthentication

header Parameters

api-version

required

string

The version of the api being called.

Example: YOUR VERSION

Request Body schema: application/json

The settings of the new intrusion prevention rule.

action	string Action to apply if the rule is triggered. Applicable to custom rules with template type signature or start-end-patterns. Enum: "drop" "log-only"
alertEnabled	boolean Enable to raise an alert when the rule logs an event. Searchable as Boolean.
alwaysIncludePacketData	boolean Enabled to include package data in the event logs. Not available if eventLoggingDisabled is true. Searchable as Boolean.
applicationTypeID	integer <int32> ID of the application type for the IntrusionPreventionRule. Searchable as Numeric.
caseSensitive	boolean Enable to make signatures and patterns case sensitive. Applicable to custom rules with template type signature or start-end-patterns.
condition	string Condition to determine if the rule is triggered. Applicable to custom rules with template type start-end-patterns. Enum: "all" "any" "none"
contextID	integer <int32> ID of the context in which the rule is applied. Set to 0 to remove any assignment. Searchable as Numeric.
customXML	string The custom XML used to define the rule. Applicable to custom rules with template type custom.
CVE	Array of strings List of CVEs associated with the IntrusionPreventionRule. Searchable as String.
CVSSScore	string A measure of the severity of the vulnerability according the National Vulnerability Database. Searchable as String or as Numeric.
debugModeEnabled	boolean Enable to log additional packets preceeding and following the packet that the rule detected. Not available if eventLoggingDisabled is true. Searchable as Boolean.
dependsOnRuleIDs	Array of integers <int32> IDs of intrusion prevention rules the rule depends on, which will be automatically assigned if this rule is assigned.
description	string Description of the IntrusionPreventionRule. Searchable as String.
detectOnly	boolean In detect mode, the rule creates an event log and does not interfere with traffic.
end	string End pattern of the rule. Applicable to custom rules with template type start-end-patterns.
eventLoggingDisabled	boolean Enable to prevent event logs from being created when the rule is triggered. Not available if detectOnly is true. Searchable as Boolean.
generateEventOnPacketDrop	boolean Generate an event every time a packet is dropped for the rule. Not available if eventLoggingDisabled is true. Searchable as Boolean.
lastUpdated	integer <int64> Timestamp of the last rule modification, in milliseconds since epoch. Searchable as Date.
minimumAgentVersion	string Version of the Deep Security agent or appliance required to support the rule. Searchable as String.
name	string Name of the IntrusionPreventionRule. Searchable as String.
originalIssue	integer <int64> Timestamp of the date the rule was released, in milliseconds since epoch. Searchable as Date.
patterns	Array of strings Body patterns of the rule, which must be found between start and end patterns. Applicable to custom rules with template type start-end-patterns.
priority	string Priority level of the rule. Higher priority rules are applied before lower priority rules. Searchable as Choice. Enum: "lowest" "low" "normal" "high" "highest"
recommendationsMode	string Indicates whether recommendation scans consider the IntrusionPreventionRule. Can be set to enabled or ignored. Custom rules cannot be recommended. Searchable as Choice. Enum: "enabled" "ignored" "unknown" "disabled"
scheduleID	integer <int32> ID of the schedule which defines times during which the rule is active. Set to 0 to remove any assignment. Searchable as Numeric.
severity	string Severity level of the rule. Severity levels can be used as sorting criteria and affect event rankings. Searchable as Choice. Enum: "low" "medium" "high" "critical"
signature	string Signature of the rule. Applicable to custom rules with template type signature.
start	string Start pattern of the rule. Applicable to custom rules with template type start-end-patterns.
template	string Type of template for the IntrusionPreventionRule. Applicable only to custom rules. Enum: "signature" "start-end-patterns" "custom"
type	string Type of IntrusionPreventionRule. Searchable as Choice. Enum: "custom" "smart" "vulnerability" "exploit" "hidden" "policy" "info"

Responses

200

successful operation

403

Not authorized to create intrusion prevention rules.

Request samples

Payload
Java
Python
JavaScript

application/json

{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"dependsOnRuleIDs": [0
],
"CVSSScore": "string",
"CVE": ["string"
]
}

Response samples

application/json

{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"identifier": "string",
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"canBeAssignedAlone": true,
"dependsOnRuleIDs": [0
],
"ID": 0,
"CVSSScore": "string",
"CVE": ["string"
]
}

Search Intrusion Prevention Rules

post/intrusionpreventionrules/search

Search for intrusion prevention rules using optional filters.

Related SDK Methods:

Java

IntrusionPreventionRulesApi.searchIntrusionPreventionRules([param1, param2, ...])

Python

IntrusionPreventionRulesApi.search_intrusion_prevention_rules([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.searchIntrusionPreventionRules([param1, param2, ...])

Request

Security:

DefaultAuthentication

header Parameters

api-version

required

string

The version of the api being called.

Example: YOUR VERSION

Request Body schema: application/json

A collection of options used to filter the search results.

maxItems	integer <int32> Limits the number of objects returned. Default 5000.
	Array of objects (searchCriteria) Array of search critiera used to filter objects. Searching with multiple criteria returns results that satisfy all of the criteria. Searching with no criteria returns all objects.
sortByObjectID	boolean If true, forces the response objects to be sorted by ID, overriding the default sort order. Default "false".

Responses

200

successful operation

403

Not authorized to view intrusion prevention rules.

Request samples

Payload
Java
Python
JavaScript

application/json

{"maxItems": 0,
"searchCriteria": [{"fieldName": "string",
"booleanTest": true,
"numericTest": "less-than",
"numericValue": 0,
"stringTest": "equal",
"stringValue": "string",
"stringWildcards": true,
"choiceTest": "equal",
"choiceValue": "string",
"firstDateValue": 0,
"firstDateInclusive": true,
"lastDateValue": 0,
"lastDateInclusive": true,
"nullTest": true,
"versionTest": "less-than",
"versionValue": "string",
"idValue": 0,
"idTest": "less-than"
}
],
"sortByObjectID": true
}

Response samples

application/json

{"intrusionPreventionRules": [{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"identifier": "string",
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"canBeAssignedAlone": true,
"dependsOnRuleIDs": [0
],
"ID": 0,
"CVSSScore": "string",
"CVE": ["string"
]
}
]
}

Describe an Intrusion Prevention Rule

get/intrusionpreventionrules/{intrusionPreventionRuleID}

Describe an intrusion prevention rule by ID.

Related SDK Methods:

Java

IntrusionPreventionRulesApi.describeIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.describe_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.describeIntrusionPreventionRule([param1, param2, ...])

Request

Security:

DefaultAuthentication

path Parameters

intrusionPreventionRuleID

required

integer <int32> \d+

The ID number of the intrusion prevention rule to describe.

Example: 1

header Parameters

api-version

required

string

The version of the api being called.

Example: YOUR VERSION

Responses

200

successful operation

403

Not authorized to view intrusion prevention rules.

404

The intrusion prevention rule does not exist.

Request samples

Java
Python
JavaScript

import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.IntrusionPreventionRulesApi;
import com.trendmicro.deepsecurity.model.IntrusionPreventionRule;


public class DescribeIntrusionPreventionRuleExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth DefaultAuthentication = (ApiKeyAuth) defaultClient.getAuthentication("DefaultAuthentication");
		DefaultAuthentication.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		IntrusionPreventionRulesApi instance = new IntrusionPreventionRulesApi();
		Integer intrusionPreventionRuleID = 1;
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			IntrusionPreventionRule result = instance.describeIntrusionPreventionRule(intrusionPreventionRuleID, apiVersion);
			System.out.println(result);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling IntrusionPreventionRulesApi.describeIntrusionPreventionRule");
			e.printStackTrace();
		}
	}
}

Response samples

application/json

{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"identifier": "string",
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"canBeAssignedAlone": true,
"dependsOnRuleIDs": [0
],
"ID": 0,
"CVSSScore": "string",
"CVE": ["string"
]
}

Modify an Intrusion Prevention Rule

post/intrusionpreventionrules/{intrusionPreventionRuleID}

Modify an intrusion prevention rule by ID. Any unset elements will be left unchanged.

Related SDK Methods:

Java

IntrusionPreventionRulesApi.modifyIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.modify_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.modifyIntrusionPreventionRule([param1, param2, ...])

Request

Security:

DefaultAuthentication

path Parameters

intrusionPreventionRuleID

required

integer <int32> \d+

The ID number of the intrusion prevention rule to modify.

Example: 1

header Parameters

api-version

required

string

The version of the api being called.

Example: YOUR VERSION

Request Body schema: application/json

The settings of the intrusion prevention rules to modify.

action	string Action to apply if the rule is triggered. Applicable to custom rules with template type signature or start-end-patterns. Enum: "drop" "log-only"
alertEnabled	boolean Enable to raise an alert when the rule logs an event. Searchable as Boolean.
alwaysIncludePacketData	boolean Enabled to include package data in the event logs. Not available if eventLoggingDisabled is true. Searchable as Boolean.
applicationTypeID	integer <int32> ID of the application type for the IntrusionPreventionRule. Searchable as Numeric.
caseSensitive	boolean Enable to make signatures and patterns case sensitive. Applicable to custom rules with template type signature or start-end-patterns.
condition	string Condition to determine if the rule is triggered. Applicable to custom rules with template type start-end-patterns. Enum: "all" "any" "none"
contextID	integer <int32> ID of the context in which the rule is applied. Set to 0 to remove any assignment. Searchable as Numeric.
customXML	string The custom XML used to define the rule. Applicable to custom rules with template type custom.
CVE	Array of strings List of CVEs associated with the IntrusionPreventionRule. Searchable as String.
CVSSScore	string A measure of the severity of the vulnerability according the National Vulnerability Database. Searchable as String or as Numeric.
debugModeEnabled	boolean Enable to log additional packets preceeding and following the packet that the rule detected. Not available if eventLoggingDisabled is true. Searchable as Boolean.
dependsOnRuleIDs	Array of integers <int32> IDs of intrusion prevention rules the rule depends on, which will be automatically assigned if this rule is assigned.
description	string Description of the IntrusionPreventionRule. Searchable as String.
detectOnly	boolean In detect mode, the rule creates an event log and does not interfere with traffic.
end	string End pattern of the rule. Applicable to custom rules with template type start-end-patterns.
eventLoggingDisabled	boolean Enable to prevent event logs from being created when the rule is triggered. Not available if detectOnly is true. Searchable as Boolean.
generateEventOnPacketDrop	boolean Generate an event every time a packet is dropped for the rule. Not available if eventLoggingDisabled is true. Searchable as Boolean.
lastUpdated	integer <int64> Timestamp of the last rule modification, in milliseconds since epoch. Searchable as Date.
minimumAgentVersion	string Version of the Deep Security agent or appliance required to support the rule. Searchable as String.
name	string Name of the IntrusionPreventionRule. Searchable as String.
originalIssue	integer <int64> Timestamp of the date the rule was released, in milliseconds since epoch. Searchable as Date.
patterns	Array of strings Body patterns of the rule, which must be found between start and end patterns. Applicable to custom rules with template type start-end-patterns.
priority	string Priority level of the rule. Higher priority rules are applied before lower priority rules. Searchable as Choice. Enum: "lowest" "low" "normal" "high" "highest"
recommendationsMode	string Indicates whether recommendation scans consider the IntrusionPreventionRule. Can be set to enabled or ignored. Custom rules cannot be recommended. Searchable as Choice. Enum: "enabled" "ignored" "unknown" "disabled"
scheduleID	integer <int32> ID of the schedule which defines times during which the rule is active. Set to 0 to remove any assignment. Searchable as Numeric.
severity	string Severity level of the rule. Severity levels can be used as sorting criteria and affect event rankings. Searchable as Choice. Enum: "low" "medium" "high" "critical"
signature	string Signature of the rule. Applicable to custom rules with template type signature.
start	string Start pattern of the rule. Applicable to custom rules with template type start-end-patterns.
template	string Type of template for the IntrusionPreventionRule. Applicable only to custom rules. Enum: "signature" "start-end-patterns" "custom"
type	string Type of IntrusionPreventionRule. Searchable as Choice. Enum: "custom" "smart" "vulnerability" "exploit" "hidden" "policy" "info"

Responses

200

successful operation

403

Not authorized to modify prevention rule or the requested modification is not permitted.

404

The intrusion prevention rule does not exist.

Request samples

Payload
Java
Python
JavaScript

application/json

{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"dependsOnRuleIDs": [0
],
"CVSSScore": "string",
"CVE": ["string"
]
}

Response samples

application/json

{"name": "string",
"description": "string",
"minimumAgentVersion": "string",
"applicationTypeID": 0,
"priority": "lowest",
"severity": "low",
"detectOnly": true,
"eventLoggingDisabled": true,
"generateEventOnPacketDrop": true,
"alwaysIncludePacketData": true,
"debugModeEnabled": true,
"type": "custom",
"originalIssue": 0,
"lastUpdated": 0,
"identifier": "string",
"template": "signature",
"signature": "string",
"start": "string",
"patterns": ["string"
],
"end": "string",
"caseSensitive": true,
"condition": "all",
"action": "drop",
"customXML": "string",
"alertEnabled": true,
"scheduleID": 0,
"contextID": 0,
"recommendationsMode": "enabled",
"canBeAssignedAlone": true,
"dependsOnRuleIDs": [0
],
"ID": 0,
"CVSSScore": "string",
"CVE": ["string"
]
}

Delete an Intrusion Prevention Rule

delete/intrusionpreventionrules/{intrusionPreventionRuleID}

Delete an intrusion prevention rule by ID.

Related SDK Methods:

Java

IntrusionPreventionRulesApi.deleteIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.delete_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.deleteIntrusionPreventionRule([param1, param2, ...])

Request

Security:

DefaultAuthentication

path Parameters

intrusionPreventionRuleID

required

integer <int32> \d+

The ID number of the intrusion prevention rule to delete.

Example: 1

header Parameters

api-version

required

string

The version of the api being called.

Example: YOUR VERSION

Responses

200

Request is successful.

403

Not authorized to delete intrusion prevention rules.

Request samples

Java
Python
JavaScript

import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.IntrusionPreventionRulesApi;


public class DeleteIntrusionPreventionRuleExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth DefaultAuthentication = (ApiKeyAuth) defaultClient.getAuthentication("DefaultAuthentication");
		DefaultAuthentication.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		IntrusionPreventionRulesApi instance = new IntrusionPreventionRulesApi();
		Integer intrusionPreventionRuleID = 1;
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			instance.deleteIntrusionPreventionRule(intrusionPreventionRuleID, apiVersion);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling IntrusionPreventionRulesApi.deleteIntrusionPreventionRule");
			e.printStackTrace();
		}
	}
}

➔ Next to Contexts