DioIPS

Rule Engine

Flexible IPS rule engine with wildcard pattern matching. Define rules to detect and respond to suspicious activity in real-time.

Overview

Rules are evaluated against incoming events from the kernel driver. When an event matches a rule, the configured action is taken. Rules are synced to the kernel driver for high-performance matching.

Rule Components

Match Criteria

  • Process name
  • File path
  • IP address
  • Port number
  • DNS domain
  • Protocol
  • Registry key

Actions

  • Log — Record the event
  • Alert — Show notification
  • Block — Prevent the action
  • Kill — Terminate the process

Example Rules

Block PowerShell from Temp

Process: powershell.exe | Path: *\Temp\* | Action: Block

Alert on Suspicious DNS

DNS: *.ru | Action: Alert

Log Registry Autorun

Registry: *\Run\* | Action: Log

Rule Order

Rules are evaluated in order. The first matching rule's action is taken. Place more specific rules before general ones.
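To make the wildcard matching and first-match ordering concrete, here is a small Python model of the three example rules above. It is an added illustration, not DioIPS's own code (the page does not show its rule format or the driver-side matcher); the rule and event field names, the glob-style semantics, and the sample events are assumptions.

```python
import fnmatch
from dataclasses import dataclass

# Constructed rule model for illustration; DioIPS's real rule schema is not shown on the page.
@dataclass
class Rule:
    name: str
    action: str        # Log, Alert, Block or Kill
    criteria: dict     # event field -> wildcard pattern (* and ?, as in the page's examples)

def matches(pattern, value):
    # Case-insensitive match; '*' also spans path separators, so *\Temp\* hits any Temp subfolder
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())

def evaluate(rules, event):
    """Walk rules in order; return the first match as (rule name, action), or None."""
    for rule in rules:
        if all(matches(pat, event.get(field)) for field, pat in rule.criteria.items()):
            return rule.name, rule.action
    return None

# The three rules from the page, expressed in this model
BLOCK_PS_TEMP = Rule("Block PowerShell from Temp", "Block",
                     {"process": "powershell.exe", "path": r"*\Temp\*"})
ALERT_DNS_RU = Rule("Alert on Suspicious DNS", "Alert", {"dns": "*.ru"})
LOG_AUTORUN = Rule("Log Registry Autorun", "Log", {"registry": r"*\Run\*"})
# A broader rule: if placed before BLOCK_PS_TEMP it would shadow it, so it goes last
LOG_ANY_PS = Rule("Log any PowerShell", "Log", {"process": "powershell.exe"})

RULES = [BLOCK_PS_TEMP, ALERT_DNS_RU, LOG_AUTORUN, LOG_ANY_PS]   # specific before general

# Constructed sample events (not real telemetry)
PS_TEMP = {"process": "PowerShell.exe", "path": r"C:\Users\bob\AppData\Local\Temp\x.ps1"}
PS_OTHER = {"process": "powershell.exe", "path": r"C:\Windows\System32\a.ps1"}
DNS_RU = {"process": "chrome.exe", "dns": "update.example.ru"}
REG_RUN = {"process": "setup.exe",
           "registry": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Foo"}
# Note: *\Run\* does not match ...\RunOnce\..., so a RunOnce write falls through this rule
REG_RUNONCE = {"process": "setup.exe",
               "registry": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Foo"}

def demo():
    return [evaluate(RULES, e) for e in (PS_TEMP, PS_OTHER, DNS_RU, REG_RUN, REG_RUNONCE)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Swapping LOG_ANY_PS ahead of BLOCK_PS_TEMP turns the Temp-folder PowerShell event into a mere Log, which is exactly the shadowing the ordering advice above warns about.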

Features

Default Rules

DioIPS includes default rules for common autorun protection:

  • Registry Run/RunOnce key modifications
  • Startup folder file creation
  • Scheduled task creation
  • Service installation