D-Link DFL-1600 User Manual page 210

190
IDS/IDP IDS Rules
Name: IDSMailSrvRule
Service: smtp
Also inspect dropped packets: In case all traffic matching this rule
should be scanned (this also means traffic that the main rule-set would
drop), the "Also inspect dropped packets" checkbox should be checked,
which is the case in this example.
Source Interface: WAN
Source Network: wan-net
Destination Interface: DMZ
Destination Network: ip mailserver
Then click OK
If logging of intrusion attempts is desired, this can be configured in
the Logging tab, where log receivers can be chosen.
3. Create IDS Action
When this IDS Rule has been created, an action must also be created,
specifying what signatures the IDS should use when scanning data matching
the IDS Rule, and what the firewall should do in case an intrusion is
discovered. Intrusion attempts should cause the connection to be dropped,
so "Action" is set to Protect. Severity is set to All, in order to match all
possible signatures. "Signatures" is set to FROM EXT MAIL SMTP, in
order to use signatures that describe attacks from the external network,
dealing with the SMTP protocol.
IDS/IDP
IDS Rule Action:
Action: Protect
Severity: All
Signatures: FROM EXT MAIL SMTP
Then click OK
To summarize, the following will occur: If traffic from the external network,
to the mail server is discovered, the IDS will be activated. In case the traffic
matches any of the signatures in the FROM EXT MAIL SMTP signature
group, the connection will be dropped, thus protecting the mail server. If a
log receiver has been configured, the intrusion attempt will also be logged.
Chapter 19. Intrusion Detection System (IDS)
Add
IDS Rules
D-Link Firewalls User's Guide
IDS/IDP Rule:
IDSMailSrvRule Add