Introduction:
CyberSecure is a service available on several Ubiquiti Unifi appliances, including the Cloud Gateway devices that are popular in SOHO environments. CyberSecure consists of multiple detection methods, powered by Cloudflare, Proofpoint, and the Unifi appliance itself.
Detection Services:
Cloudflare
- Content Filtering of Malicious/Adult Content Domains
- AdBlocking
Unifi
- Region Blocking
- Encrypted DNS
- Honeypot
Proofpoint / Emerging Threats
- Intrusion Prevention
- ET/ETPRO Rulesets
This is what the CyberSecure Configuration settings look like on the Cloud Gateway Control Pane.
Which Rules Are Enabled?
Unless you subscribe to “CyberSecure Enhanced” (which includes ETPRO rules), your appliance will download the standard “ET OPEN” ruleset, which is free and available for download here. The ruleset is grouped into categories for fine-tuned control. Once Intrusion Prevention is enabled, administrators can select the categories relevant to their environment. Unifi summarizes the Emerging Threats rulesets into similar groups, so it isn’t immediately clear from the web interface which categories are applied, but the console logs reveal which rules are enabled.
The subsets for each category can be downloaded here.
Console Output (Cleaned Up For Readability)
"ACTIVEX" then signature<FILTERED> = "emerging-activex"
"ADWARE_PUP" then signature<FILTERED> = ""
"ATTACK_RESPONSE" then signature<FILTERED> = "emerging-attackresponse"
"BOTCC" then signature<FILTERED> = "botcc"
"BOTCC.PORTGROUPED" then signature<FILTERED> = "botcc-portgrouped"
"CHAT" then signature<FILTERED> = "emerging-chat"
"CIARMY" then signature<FILTERED> = "ciarmy"
"COINMINER" then signature<FILTERED> = ""
"COMPROMISED" then signature<FILTERED> = "compromised"
"CURRENT_EVENTS" then signature<FILTERED> = ""
"DELETED" then signature<FILTERED> = ""
"DNS" then signature<FILTERED> = "emerging-dns"
"DOS" then signature<FILTERED> = "emerging-dos"
"DROP" then signature<FILTERED> = ""
"DSHIELD" then signature<FILTERED> = "dshield"
"EXPLOIT" then signature<FILTERED> = "emerging-exploit"
"EXPLOIT_KIT" then signature<FILTERED> = ""
"FTP" then signature<FILTERED> = "emerging-ftp"
"GAMES" then signature<FILTERED> = "emerging-games"
"HUNTING" then signature<FILTERED> = ""
"ICMP" then signature<FILTERED> = "emerging-icmp"
"ICMP_INFO" then signature<FILTERED> = "emerging-icmpinfo"
"IMAP" then signature<FILTERED> = "emerging-imap"
"INAPPROPRIATE" then signature<FILTERED> = "emerging-inappropriate"
"INFO" then signature<FILTERED> = "emerging-info"
"JA3" then signature<FILTERED> = ""
"MALWARE" then signature<FILTERED> = "emerging-malware"
"MISC" then signature<FILTERED> = "emerging-misc"
"MOBILE_MALWARE" then signature<FILTERED> = "emerging-mobile"
"NETBIOS" then signature<FILTERED> = "emerging-netbios"
"P2P" then signature<FILTERED> = "emerging-p2p"
"PHISHING" then signature<FILTERED> = ""
"POLICY" then signature<FILTERED> = "emerging-policy"
"POP3" then signature<FILTERED> = "emerging-pop3"
"RPC" then signature<FILTERED> = "emerging-rpc"
"SCADA" then signature<FILTERED> = "emerging-scada"
"SCADA_SPECIAL" then signature<FILTERED> = ""
"SCAN" then signature<FILTERED> = "emerging-scan"
"SHELLCODE" then signature<FILTERED> = "emerging-shellcode"
"SMTP" then signature<FILTERED> = "emerging-smtp"
"SNMP" then signature<FILTERED> = "emerging-snmp"
"SQL" then signature<FILTERED> = "emerging-sql"
"TELNET" then signature<FILTERED> = "emerging-telnet"
"TFTP" then signature<FILTERED> = "emerging-tftp"
"THREATVIEW_CS_C2" then signature<FILTERED> = ""
"TOR" then signature<FILTERED> = "tor"
"user<FILTERED>" then signature<FILTERED> = "emerging-user<FILTERED>"
"VOIP" then signature<FILTERED> = "emerging-voip"
"WEB_CLIENT" then signature<FILTERED> = "emerging-webclient"
"WEB_SERVER" then signature<FILTERED> = "emerging-webserver"
"WEB_SPECIFIC_APPS" then signature<FILTERED> = "emerging-webapps"
"WORM" then signature<FILTERED> = "emerging-worm"
"TROJAN" then signature<FILTERED> = "emerging-trojan"
"UBIQUITI_CUSTOM" then signature<FILTERED> = "ubiquiti-custom"
"UBIQUITI_RULES" then signature<FILTERED> = "ubiquiti-rules"
Troubleshooting Detection and Network Interruption
Oftentimes, if there is a service interruption, it can be difficult to track down where the problem originates. If detection from both Cloudflare and Proofpoint is enabled, who should you contact if you are experiencing a false positive?
To start your investigation, head to the Insights tab in the Unifi web UI.
There you will see a dropdown for Blocked or Threats. All policy hits that are blocked appear on the Blocked page; this is where to focus if you believe CyberSecure is causing a network issue. If you see a destination IP or domain related to your problem, that entry identifies which Policy Type is taking action.
Investigating a Proofpoint / Emerging Threats Detection
To view IPS alerts, navigate to Insights -> Threats. This displays the events triggered by Intrusion Prevention, along with the rule subset responsible for each alert. For example, if the Protocol Vulnerabilities policy is generating a significant number of alerts, you could consider disabling that category from the control pane.
If you want to dig deeper into what a rule is detecting, click on the alert for additional details. There the Signature ID is displayed, which can be used to retrieve the full signature text and description from the ruleset.
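The two lookups described above (the console output mapping a Unifi category to its ET ruleset, and resolving an alert's Signature ID to the full rule text) can be scripted against the ET OPEN download. The following Python is an added example, not code from the original post, Unifi, or Proofpoint. It parses a few of the console output lines shown earlier into a category-to-file mapping, parses rule lines in Suricata/ET syntax (including the `#`-commented form in which the ET files ship disabled rules), and ties a Signature ID back to its `msg`, `classtype` and references. The sample rules and SIDs 9000001-9000003 are constructed placeholders, not real Emerging Threats signatures, and the `ET_RULES_DIR` path used when run as a script is an assumption.

```python
"""Resolve a Unifi CyberSecure category and IPS Signature ID to the ET rule.

Added example; not code from the original post, Unifi, or Proofpoint.
The rule text below is CONSTRUCTED: SIDs 9000001-9000003 are placeholders.
"""
import re
from dataclasses import dataclass, field
from pathlib import Path

# A few console output lines from the page: Unifi category on the left, ET
# ruleset name on the right. An empty string means no ET OPEN file is pulled.
CONSOLE_OUTPUT = '''
"ATTACK_RESPONSE" then signature<FILTERED> = "emerging-attackresponse"
"BOTCC" then signature<FILTERED> = "botcc"
"COINMINER" then signature<FILTERED> = ""
"EXPLOIT" then signature<FILTERED> = "emerging-exploit"
"TROJAN" then signature<FILTERED> = "emerging-trojan"
'''

# Constructed sample rules in emerging-trojan.rules style (not real ET sids).
# A leading '#' is how ET files ship a rule disabled; we keep it but flag it.
SAMPLE_RULES = r'''
# Constructed sample rules (placeholders, not real ET signatures)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Constructed Sample Beacon"; flow:established,to_server; content:"GET"; http_method; reference:url,example.invalid/writeup; classtype:trojan-activity; sid:9000001; rev:2; metadata:created_at 2024_01_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Constructed Sample Disabled Rule"; flow:established,to_server; content:"POST"; http_method; classtype:trojan-activity; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Constructed Sample DNS Lookup"; dns.query; content:"bad.example.invalid"; nocase; classtype:trojan-activity; sid:9000003; rev:1;)
'''

CATEGORY_LINE = re.compile(r'^"([^"]+)"\s+then\s+\S+\s*=\s*"([^"]*)"$')
RULE_LINE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')


def parse_category_map(text: str) -> dict:
    """Map each Unifi category label to its ET ruleset name (None if none)."""
    mapping = {}
    for line in text.splitlines():
        m = CATEGORY_LINE.match(line.strip())
        if m:
            mapping[m.group(1)] = m.group(2) or None
    return mapping


def ruleset_file_for(category: str, mapping: dict):
    """File name inside the ET OPEN download for a category, or None."""
    name = mapping.get(category.upper())
    return f"{name}.rules" if name else None


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    classtype: str
    action: str
    enabled: bool
    references: list = field(default_factory=list)
    raw: str = ""

    def summary(self) -> str:
        state = "enabled" if self.enabled else "disabled (commented out)"
        refs = ", ".join(f"{t}:{v}" for t, v in self.references) or "none"
        return (f"sid {self.sid} rev {self.rev} [{state}] {self.action} "
                f"{self.classtype}: {self.msg} (refs: {refs})")


def parse_rule_line(line: str):
    """Parse one Suricata/ET rule line; return a Rule or None if not a rule."""
    m = RULE_LINE.match(line.strip())
    if not m:
        return None
    opts = m.group("options")
    sid = re.search(r'\bsid:\s*(\d+)', opts)
    if not sid:
        return None
    msg = re.search(r'msg:\s*"((?:[^"\\]|\\.)*)"', opts)
    rev = re.search(r'\brev:\s*(\d+)', opts)
    classtype = re.search(r'classtype:\s*([^;]+)', opts)
    refs = re.findall(r'reference:\s*([^,;]+)\s*,\s*([^;]+)', opts)
    return Rule(sid=int(sid.group(1)),
                rev=int(rev.group(1)) if rev else 0,
                msg=msg.group(1) if msg else "",
                classtype=classtype.group(1).strip() if classtype else "",
                action=m.group("action"),
                enabled=m.group("disabled") is None,
                references=[(t.strip(), v.strip()) for t, v in refs],
                raw=line.strip())


def parse_rules(text: str) -> dict:
    """Index every rule in a rules file body by sid."""
    rules = {}
    for line in text.splitlines():
        rule = parse_rule_line(line)
        if rule:
            rules[rule.sid] = rule
    return rules


def lookup_sid(rules: dict, sid: int):
    return rules.get(int(sid))


def explain_alert(category: str, sid: int, mapping: dict, rules: dict) -> str:
    """Tie an Insights alert back to its ET file and full rule text."""
    filename = ruleset_file_for(category, mapping)
    rule = lookup_sid(rules, sid)
    if rule is None:
        return f"sid {sid}: not found in loaded rules (file: {filename or 'n/a'})"
    return f"{filename or 'unknown file'}: {rule.summary()}"


if __name__ == "__main__":
    # Assumed path to an extracted ET OPEN download; falls back to the sample.
    ET_RULES_DIR = Path("./rules")
    rules = {}
    for f in ET_RULES_DIR.glob("*.rules"):
        rules.update(parse_rules(f.read_text(errors="replace")))
    rules = rules or parse_rules(SAMPLE_RULES)
    print(explain_alert("TROJAN", 9000001, parse_category_map(CONSOLE_OUTPUT), rules))
```

Point `ET_RULES_DIR` at the extracted ET OPEN archive and pass the category and Signature ID shown in the Threats view; a sid that is present but flagged disabled tells you the appliance is running a rule the upstream file ships commented out, which is worth noting when reporting a false positive.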
Signature Issues? Questions? Let Us Know!
If a signature appears to be generating false positives or causing other issues, reach out to us here or on Twitter! If a signature is causing disruption in your network, there is a chance other people are experiencing the same problem.
While we perform quality assurance on every signature we release, it’s impossible to anticipate what every network environment looks like. We welcome any and all feedback that helps us provide high-quality signatures for the community! Likewise, if you have any questions, we are happy to discuss our detection logic.