GajIPS — Stop Threats Before They Enter Your Network | GajShield Data Security Firewall
 
GajIPS — Intrusion Prevention System

Stop Threats Before They Enter Your Network

GajIPS is an inline network intrusion prevention engine built into GajShield's Data Security Firewall. It inspects every IPv4 and IPv6 connection, reassembles TCP sessions, decodes 17 application protocols, and drops malicious traffic in real time.

17 protocol parsers
IPv4 and IPv6 dual-stack inspection
3 alert output formats
JA3 and JA4 TLS fingerprinting
Inline drop + TCP RST on both IPv4 and IPv6
Matching rules block traffic immediately within the GajShield security stack and, for TCP flows, reset the connection on both sides.
Trusted across India: Central Government, BFSI Sector, Healthcare Networks, Manufacturing Enterprises, Education Institutions
How It Works

From Packet to Verdict

GajIPS operates as an integrated component of the GajShield security stack. Every connection passing through the firewall is inspected in real time before being allowed to proceed.

1. Packet Held Inline
All traffic entering or leaving the network passes through GajIPS as part of the GajShield firewall security stack. Nothing is forwarded until the engine has returned a decision.
2. Session Reassembled
TCP streams are tracked per flow, segments are reassembled in order, and the application protocol is identified. The appropriate parser decodes the session into named fields.
3. Rules Applied
Detection rules are tested against the decoded session, matching on protocol fields, content patterns, binary values, session state, or IP reputation lists.
4. Action and Alert
A matching rule triggers its configured action: alert, block, or both. Alerts are written to all configured output channels simultaneously, and the triggering traffic is captured for forensic review.
Core Capabilities

What GajIPS Actually Does

Every capability listed corresponds directly to implemented code in the engine. No aspirational features, no roadmap items.

IPv4 and IPv6 — Full Dual Stack
GajIPS handles IPv4 and IPv6 traffic identically — session tracking, protocol parsing, rule matching, alert output, TCP RST injection, and PCAP capture all work on both versions. A single rule set covers both without separate configuration.
Full TCP Session Reassembly
Every TCP flow is tracked from the initial handshake. Out-of-order segments are reassembled before rule matching, so attacks split across multiple packets are detected as reliably as single-packet attacks. Both directions are independently inspected.
Inline Drop and Bidirectional TCP RST
When a rule matches, GajIPS immediately drops the matching traffic within the GajShield firewall stack. For TCP flows it also injects RST segments toward both client and server, on IPv4 and IPv6 alike, so neither endpoint is left holding a half-open connection. A reset is a TCP mechanism: UDP-carried protocols such as DNS, QUIC and GTP-U are dropped without one.
TLS Fingerprinting — JA3 and JA4
For every TLS connection, GajIPS computes JA3, JA3S, JA4, JA4S, and JA4_r fingerprints. Rules match on any of them, so a malware family can be identified by the TLS stack it uses regardless of the destination or the encrypted payload. A fingerprint identifies a TLS implementation, not the malware itself: legitimate software built on the same stack produces the same hash, so production rules should pair a fingerprint with SNI, destination or other context to keep false positives down.
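How a JA3 fingerprint is derived from a ClientHello, as an added example (Python, not GajIPS code): the record is parsed, GREASE values are dropped, and the version, cipher, extension, curve and point-format lists are joined and MD5-hashed. The ClientHello bytes are constructed inside the block for the demonstration; the function names are this example's own, and it assumes the whole ClientHello sits in one TLS record.

```python
"""Compute a JA3 fingerprint from a raw TLS ClientHello record.

Added example, not GajIPS code. The ClientHello below is constructed here
and includes GREASE values, which JA3 excludes from the fingerprint.
"""
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised by clients; JA3 drops them.
GREASE = {(0x0A + 0x10 * i) * 0x101 for i in range(16)}


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack_from("!H", buf, pos)[0]


def _u16_list(buf: bytes) -> list:
    return [_u16(buf, i) for i in range(0, len(buf) - 1, 2)]


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if record[5] != 0x01 or len(body) != hs_len:
        raise ValueError("not a complete ClientHello")
    pos = 0
    version = _u16(body, pos); pos += 2 + 32          # legacy version, then skip 32-byte random
    pos += 1 + body[pos]                              # session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    exts, curves, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 0x000A:   # supported_groups: u16 list length, then u16 curve ids
                curves = [c for c in _u16_list(data[2:2 + _u16(data, 0)]) if c not in GREASE]
            elif etype == 0x000B: # ec_point_formats: u8 list length, then u8 formats
                formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(map(str, v)) for v in (ciphers, exts, curves, formats)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.3-style ClientHello (not a capture): one GREASE cipher, one GREASE extension."""
    ciphers = b"".join(struct.pack("!H", c) for c in (0x0A0A, 0x1301, 0x1302, 0xC02B))
    host = b"example.com"
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    groups = struct.pack("!H", 6) + b"".join(struct.pack("!H", g) for g in (0x001D, 0x0017, 0x0018))
    exts = (_ext(0x0000, sni) + _ext(0x000A, groups) + _ext(0x000B, bytes([1, 0]))
            + _ext(0x1A1A, b"") + _ext(0x000D, struct.pack("!H", 4) + b"\x04\x03\x08\x04")
            + _ext(0x002B, bytes([2, 0x03, 0x04])))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(build_sample_client_hello())
    print(ja3)     # 771,4865-4866-49195,0-10-11-13-43,29-23-24,0
    print(digest)
```

The pre-hash string is what to compare when debugging a rule that does not fire: two clients that differ only in GREASE values yield the same string, while a different extension order yields a different hash even with identical ciphers.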
HTTP/2 Full Frame Inspection
GajIPS fully decodes HTTP/2 traffic, including HPACK-compressed headers and request and response DATA frames. Rules match on the request path, method, authority, status code, all headers, and body content, the same depth of inspection available for HTTP/1 traffic. As with HTTP/1 over HTTPS, this applies to frames the firewall can see in clear, either h2c or traffic decrypted elsewhere in the stack.
Industrial Protocol Support
Dedicated parsers for Modbus/TCP and DNP3. Rules target exact Modbus function codes and unit IDs, or DNP3 application function codes and individual IIN indication bits.
Web Shell Detection
HTTP response bodies are scored for PHP, ASP, JSP, and CGI shell patterns; dangerous function calls; base64-encoded command sequences; and string concatenation obfuscation.
JavaScript and Office Macro Inspection
JavaScript is extracted and normalised from HTTP responses. VBA macro content is extracted from Office documents served over HTTP. Both are exposed as dedicated rule match buffers.
Live Rule Updates
GajIPS supports live rule updates: new detection rules take effect immediately, without restarting the engine or interrupting any active connection, and every session, including those already in progress, is evaluated against the new rule set from that point on.
Protocol Coverage

17 Protocols with Dedicated Parsers

Each entry has a purpose-built parser that decodes the protocol's structure. Rules match on the specific fields listed — not just raw bytes.

 
HTTP / HTTPS: URI, method, req+res headers, req+res body, cookie, content-type, filename, status code, referer, user-agent, JS data, VBA macro data
HTTP/2: pseudo-headers :path, :method, :authority and :status, request headers, response headers, request body, response body (header-decoded)
QUIC / HTTP3: SNI from Initial CRYPTO TLS 1.3 ClientHello, QUIC version, destination connection ID, raw payload
TLS / SSL: SNI, JA3, JA3S, JA4, JA4S, JA4_r, ALPN, negotiated version (SSL2–TLS1.3), handshake state, raw record
DNS: decoded question name, query type and class, response flag, raw DNS payload
SMTP / POP3 / IMAP: protocol command, DATA body, MAIL FROM address, RCPT TO address, HELO domain
FTP: command verb, command argument, server response line; FTP bounce attack detection
Telnet: IAC-stripped data payload
SMB v1 / v2 / v3: dialect, command code, NT status, tree connect path, create/open filename, raw payload
DCE / RPC: packet type, operation number, 16-byte interface UUID, stub/request data
NFS / ONC-RPC: RPC program + version, NFS procedure number, file path from LOOKUP/OPEN, opaque file handle
RDP: negotiation protocol flags, routing token / cookie, security header flags, raw payload
SIP: request method (INVITE, REGISTER, BYE…), response status code, full header block, body (SDP)
GTP-U: inner IP payload extracted from the GTP-U tunnel (UDP port 2152); GTP version and message type
Modbus / TCP: function code, unit ID, PDU data bytes
DNP3: application function code, IIN indication bits (16-bit), direction, data bytes
GRE: GRE-encapsulated traffic inspected; content matched against the inner packet payload
Detection Engine

Rule Engine Capabilities

The matching engine supports a rich set of operations beyond simple string search — enabling precise, low-false-positive rules for complex attack patterns.

01. Custom detection rules in plain text
Your security team writes detection rules targeting your specific applications, internal services, or threat patterns unique to your environment. Multiple rule sets are loaded simultaneously, up to 25,000 rules in a single deployment.
02. Multi-content matching with positional modifiers
Each rule supports up to 16 content patterns with precise positional constraints, so each pattern must be found at the correct location within the session; this prevents false positives from partial matches.
03. PCRE regular expressions
Rules support full regular expression matching alongside literal content patterns in the same rule, catching variable or obfuscated attack strings that exact matching cannot. Pair the regex with a literal content match where possible: literal matching is far cheaper, and a rule whose literal is absent can be discarded before the regex ever runs.
04. Flowbits: state across multiple packets
Rules track named state flags across the lifetime of a connection, enabling detection logic that spans multiple packets or requests, such as confirming an attacker has authenticated before alerting on subsequent activity.
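The authenticated-then-act pattern described above, as an added example rather than GajIPS's own rule language or code: a minimal flowbits evaluator run over a constructed FTP session. The Rule and Flow classes, the two rules and the packet sequence are assumptions made for this illustration.

```python
"""Flowbits: rule state that persists across the packets of one connection.

Added example, not GajIPS code; the rule representation, the Rule/Flow classes
and the FTP session below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    sid: int
    msg: str
    direction: str                    # "to_server" or "to_client"
    content: bytes                    # literal pattern the payload must contain
    flowbits: Optional[tuple] = None  # (op, name): set / unset / isset / isnotset
    noalert: bool = False             # state-setting rules usually stay silent


@dataclass
class Flow:
    bits: set = field(default_factory=set)


def evaluate(rule: Rule, flow: Flow, direction: str, payload: bytes) -> bool:
    """Return True when the rule should raise an alert for this packet.

    Content is tested first; isset/isnotset gate the match, and set/unset change
    the flow state only when the content matched.
    """
    if rule.direction != direction or rule.content not in payload:
        return False
    if rule.flowbits:
        op, name = rule.flowbits
        if op == "isset" and name not in flow.bits:
            return False
        if op == "isnotset" and name in flow.bits:
            return False
        if op == "set":
            flow.bits.add(name)
        elif op == "unset":
            flow.bits.discard(name)
    return not rule.noalert


def run(rules, packets):
    """packets: (flow_key, direction, payload) in arrival order. Returns the alerts fired."""
    flows, alerts = {}, []
    for flow_key, direction, payload in packets:
        flow = flows.setdefault(flow_key, Flow())
        for rule in rules:
            if evaluate(rule, flow, direction, payload):
                alerts.append((flow_key, rule.sid, rule.msg))
    return alerts


# Constructed rules: the first only records that the server accepted a login,
# the second alerts on a SITE command but only inside an authenticated session.
RULES = [
    Rule(1000001, "FTP login accepted", "to_client", b"230 ",
         ("set", "ftp.authenticated"), noalert=True),
    Rule(1000002, "FTP SITE command in authenticated session", "to_server", b"SITE ",
         ("isset", "ftp.authenticated")),
]

# Constructed traffic: flow A logs in and then issues SITE; flow B sends SITE before any login.
PACKETS = [
    ("A", "to_server", b"USER alice\r\n"),
    ("A", "to_client", b"331 Password required\r\n"),
    ("A", "to_server", b"PASS s3cret\r\n"),
    ("A", "to_client", b"230 Login successful\r\n"),
    ("A", "to_server", b"SITE CHMOD 600 report.txt\r\n"),
    ("B", "to_server", b"SITE CHMOD 777 x\r\n"),
    ("B", "to_client", b"530 Not logged in\r\n"),
]

if __name__ == "__main__":
    for alert in run(RULES, PACKETS):
        print(alert)  # only flow A fires
```

Without the flowbit, the second rule would fire on flow B as well, even though the server rejected the session; the state flag is what turns a noisy content match into a contextual one.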
05. IP reputation: CIDR blocklist matching
GajIPS checks every connection's source and destination against IP reputation lists containing up to 128,000 known-malicious address ranges, organised into named threat categories. Connections matching a listed range are blocked before any content inspection.
06. Port scan detection
GajIPS detects early-stage reconnaissance (scanning, probing, and service fingerprinting) before it can inform a targeted attack. Alert thresholds are configurable to match your network's normal traffic profile.
07. Threshold, detection_filter, and suppress
Detection rules include built-in controls to require a minimum number of events before alerting, to set per-source rate thresholds, and to suppress known-safe addresses, giving precise control over alert volume without disabling rules entirely.
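An added example (not GajIPS code) of how these controls shape alert volume for one stream of events: a small governor applying detection_filter, the three threshold types (limit, threshold, both) and suppress, with a fixed time window per tracked address. The filters, suppress entries, rule sids and events are constructed for the demonstration.

```python
"""threshold / detection_filter / suppress: controlling alert volume per rule.

Added example, not GajIPS code. Semantics follow the common IPS rule options
with a fixed window per tracked address; filters, suppressions and events are constructed.
"""
from dataclasses import dataclass


@dataclass
class AlertFilter:
    sid: int
    kind: str      # "detection_filter" | "limit" | "threshold" | "both"
    track: str     # "by_src" | "by_dst"
    count: int
    seconds: int


class AlertGovernor:
    def __init__(self, filters, suppressions):
        self.filters = {f.sid: f for f in filters}
        self.suppressions = set(suppressions)   # (sid, track, ip) triples
        self.windows = {}                        # (sid, ip) -> [window_start, events_in_window]

    def decide(self, ts: float, sid: int, src: str, dst: str) -> bool:
        """True when this event should be raised as an alert."""
        if (sid, "by_src", src) in self.suppressions or (sid, "by_dst", dst) in self.suppressions:
            return False
        f = self.filters.get(sid)
        if f is None:
            return True
        key = (sid, src if f.track == "by_src" else dst)
        start, n = self.windows.get(key, (ts, 0))
        if ts - start >= f.seconds:              # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.windows[key] = [start, n]
        if f.kind == "detection_filter":         # silent until count is reached, then every event
            return n >= f.count
        if f.kind == "limit":                    # only the first `count` events per window
            return n <= f.count
        if f.kind == "threshold":                # every `count`-th event
            return n % f.count == 0
        return n == f.count                      # both: once per window, when count is hit


def run(governor, events):
    """events: (ts, sid, src, dst). Returns the events that became alerts."""
    return [e for e in events if governor.decide(*e)]


# sid 2001: constructed "authentication failure" rule, only useful in bulk:
#           detection_filter by_src, count 5, seconds 60
# sid 2002: constructed "inbound probe" rule, limited to one alert per source per minute
#           and suppressed for the authorised scanner 192.168.1.10
FILTERS = [
    AlertFilter(2001, "detection_filter", "by_src", count=5, seconds=60),
    AlertFilter(2002, "limit", "by_src", count=1, seconds=60),
]
SUPPRESS = [(2002, "by_src", "192.168.1.10")]

EVENTS = (
    [(t, 2001, "10.0.0.5", "10.0.0.20") for t in (0, 5, 10, 15, 20, 25)]    # 6 failures in 25 s
    + [(t, 2001, "10.0.0.9", "10.0.0.20") for t in (0, 30, 59)]              # 3 failures: below count
    + [(t, 2002, "203.0.113.7", "10.0.0.20") for t in (100, 101, 102, 103)]  # 4 probes: 1 alert
    + [(t, 2002, "192.168.1.10", "10.0.0.20") for t in (100, 101)]           # authorised scanner: 0
)

if __name__ == "__main__":
    for alert in run(AlertGovernor(FILTERS, SUPPRESS), EVENTS):
        print(alert)  # three alerts: 10.0.0.5 at t=20 and t=25, 203.0.113.7 at t=100
```

Note the difference between the two mechanisms: detection_filter changes when a rule fires at all (the 5th failure is the first alert), while threshold limit only thins out alerts a rule would already have produced.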
08. Binary protocol matching: byte operations
GajIPS reads and compares numeric field values at specific positions within binary protocol messages, advances the match position by an amount read from the traffic itself (a length field, for example), and carries extracted values forward for use in subsequent match conditions, which is essential for precise detection in non-HTTP binary protocols.
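Byte operations applied to Modbus/TCP, as an added example that is not GajIPS code and that also covers the function-code and unit-ID matching listed under Industrial Protocol Support: byte_test, byte_jump and byte_extract are implemented with the usual IPS rule-option semantics, then used to check that the MBAP length field agrees with the frame and to flag write function codes sent to one unit. The frames and the rule are constructed for the demonstration.

```python
"""Byte operations on a binary protocol: Modbus/TCP.

Added example, not GajIPS code. byte_test / byte_jump / byte_extract mirror the
usual IPS rule-option semantics; the frames and the rule are constructed.
"""
import operator

OPS = {"=": operator.eq, "!": operator.ne, "<": operator.lt, ">": operator.gt}


def byte_extract(buf: bytes, offset: int, size: int) -> int:
    """Read a big-endian unsigned integer of `size` bytes at `offset`, for reuse in later checks."""
    if offset + size > len(buf):
        raise ValueError("read past end of buffer")
    return int.from_bytes(buf[offset:offset + size], "big")


def byte_test(buf: bytes, offset: int, size: int, op: str, value: int) -> bool:
    """Compare the field at `offset` against `value` with the given operator."""
    return OPS[op](byte_extract(buf, offset, size), value)


def byte_jump(buf: bytes, offset: int, size: int, post_offset: int = 0) -> int:
    """Return the cursor reached by skipping the `size`-byte field plus the value it holds."""
    return offset + size + byte_extract(buf, offset, size) + post_offset


# Modbus/TCP layout (MBAP header then PDU):
#   0-1 transaction id, 2-3 protocol id (always 0), 4-5 length of unit id + PDU,
#   6 unit id, 7 function code, 8.. function-specific data
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # write single/multiple coil(s) and register(s)


def inspect_modbus(frame: bytes, protected_unit: int) -> str:
    """Constructed rule: flag any write function code sent to `protected_unit`.

    Returns "malformed", "alert" or "pass".
    """
    if len(frame) < 8 or not byte_test(frame, 2, 2, "=", 0):
        return "malformed"                       # protocol id must be 0 for Modbus/TCP
    # byte_jump from the length field lands exactly at the end of a well-formed frame
    if byte_jump(frame, 4, 2) != len(frame):
        return "malformed"                       # length field disagrees with the payload
    unit_id = byte_extract(frame, 6, 1)          # carried forward into the next condition
    function_code = byte_extract(frame, 7, 1)
    if unit_id == protected_unit and function_code in WRITE_FUNCTIONS:
        return "alert"
    return "pass"


def build_frame(tid: int, unit: int, pdu: bytes, length: int = None) -> bytes:
    """Build a constructed Modbus/TCP frame; `length` overrides the MBAP length to fake a bad frame."""
    length = len(pdu) + 1 if length is None else length
    return tid.to_bytes(2, "big") + b"\x00\x00" + length.to_bytes(2, "big") + bytes([unit]) + pdu


# Write Multiple Registers (0x10): start 0, quantity 2, byte count 4, values 0x000A 0x0102
WRITE_PDU = bytes.fromhex("10 0000 0002 04 000A 0102")
# Read Holding Registers (0x03): start 0, quantity 2
READ_PDU = bytes.fromhex("03 0000 0002")

if __name__ == "__main__":
    print(inspect_modbus(build_frame(1, 1, WRITE_PDU), protected_unit=1))            # alert
    print(inspect_modbus(build_frame(2, 1, READ_PDU), protected_unit=1))             # pass
    print(inspect_modbus(build_frame(3, 2, WRITE_PDU), protected_unit=1))            # pass (other unit)
    print(inspect_modbus(build_frame(4, 1, WRITE_PDU, length=5), protected_unit=1))  # malformed
```

The length check is the part a pure content match cannot express: the same rule rejects frames whose declared length does not cover the bytes on the wire, which is how truncated or padded PDUs are caught before any field is trusted.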
09. Encoding-aware content matching
Detection patterns are applied after obfuscated content has been decoded automatically, including base64, URL encoding, hex encoding, and XOR obfuscation. When the XOR key is unknown, GajIPS tests every possible single-byte key.
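The decode-then-match idea, including the single-byte XOR brute force, as an added example (Python, not GajIPS code): each payload is expanded into every decoding that succeeds on it, and each pattern is tested on each layer both directly and under all 255 non-zero XOR keys. The indicator patterns and the payloads are constructed.

```python
"""Encoding-aware content matching with single-byte XOR key brute force.

Added example, not GajIPS code. The decode layers and the XOR search are a
generic implementation of the technique; patterns and payloads are constructed.
"""
import base64
import binascii
from urllib.parse import unquote_to_bytes

PATTERNS = [b"cmd.exe /c", b"/bin/sh -c"]   # constructed indicators


def decode_layers(payload: bytes) -> list:
    """Return the raw payload plus every decoding that succeeds on it, as (name, bytes) pairs."""
    layers = [("plain", payload)]
    try:
        layers.append(("base64", base64.b64decode(payload, validate=True)))
    except (binascii.Error, ValueError):
        pass
    decoded_url = unquote_to_bytes(payload)
    if decoded_url != payload:
        layers.append(("url", decoded_url))
    try:
        layers.append(("hex", binascii.unhexlify(payload)))
    except (binascii.Error, ValueError):
        pass
    return layers


def xor_keys_for(buf: bytes, pattern: bytes) -> set:
    """Single-byte XOR brute force: try every key 1..255 and keep those that reveal `pattern`.

    Cost is 255 passes over the buffer, so keep patterns short and distinctive.
    """
    return {k for k in range(1, 256) if pattern in bytes(b ^ k for b in buf)}


def scan(payload: bytes, patterns=PATTERNS) -> list:
    """Match patterns on each decoded layer, directly (key 0) and under any single-byte XOR key."""
    hits = set()
    for layer, data in decode_layers(payload):
        for pattern in patterns:
            if pattern in data:
                hits.add((layer, 0, pattern))
            for key in xor_keys_for(data, pattern):
                hits.add((layer, key, pattern))
    return sorted(hits)


# Constructed payloads, one per obfuscation the paragraph lists, plus a benign request line
SAMPLES = {
    "base64": base64.b64encode(b"start /b cmd.exe /c whoami"),
    "url": b"%2Fbin%2Fsh%20-c%20id",
    "xor": bytes(b ^ 0x5A for b in b"cmd.exe /c dir"),
    "hex": b"/bin/sh -c id".hex().encode(),
    "benign": b"GET /index.html HTTP/1.1",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, scan(payload))
```

Each hit names the layer and key that exposed the pattern, which is what an analyst needs to reproduce the match from the captured packet; the benign request line produces no hit under any key, because brute forcing a key can only succeed where the byte differences inside the payload already match those of the pattern.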
10. Hyperscan prefilter for high-throughput matching
GajIPS uses a high-performance multi-pattern matching engine that screens all traffic against all active rules simultaneously. Rules that cannot match the current packet are skipped immediately, maintaining throughput at high traffic volumes without reducing detection coverage.
11. Deep integration with the GajShield security stack
GajIPS integrates with the other components of the GajShield security stack through a structured verdict interface, enabling coordinated enforcement across the full firewall and security platform.
12. Live rule updates with no service interruption
New detection rules are applied to live traffic via a live update signal. All sessions are immediately evaluated against the updated rule set; no traffic is interrupted and no connections are dropped during the update.
Alert Output

Three Alert Formats, All Simultaneously

Every detection event is simultaneously recorded across all three output channels — no alert is ever written to only one destination.

LOG: Centralised alert log
Every alert is written in real time to the GajShield centralised log stream. Each record includes the rule that fired, the threat classification, traffic priority, protocol, source and destination addresses and ports, the direction of the attack, and the identified attacker address, ready for immediate action or forwarding to a SIEM.
JSON: Structured JSON alerts, SIEM ready
Structured JSON alert records are written for every detection event, including timestamp, source and destination addresses, detected application protocol, full alert detail, connection statistics, and TLS fingerprint data where applicable. Directly ingestible by Elasticsearch, Splunk, Graylog, and any JSON-capable SIEM platform without additional configuration.
BIN: Binary alert records
Binary alert records are written in a standard format compatible with leading security analytics platforms. Each record includes complete alert metadata for both IPv4 and IPv6 events along with the raw captured packets. Output can be disabled if not required.
Packet capture per alert: every alert automatically captures the triggering network traffic for forensic review. Captures are stored in standard packet capture format and open directly in any network analysis tool. Capture can be disabled if not required.
Make in India

Built in India. Securing India.

GajIPS is designed, developed, and maintained entirely in India by GajShield's engineering team in Mumbai. Inspection does not depend on cloud connectivity: every packet, verdict, and log record stays on your own hardware.

All processing is on-appliance
No packet data, alert metadata, flow state, or rule content leaves your appliance. All three alert output formats remain within your network perimeter.
Always up to date with GajShield threat intelligence
GajIPS signatures are continuously updated from GajShield's threat intelligence feed, so your network is protected against the latest threats without manual intervention from your team. The feed carries rule updates into the appliance; it is not a channel for traffic data leaving it.
Local support. Indian time zones.
Our support team is based in India, in your language, in your time zone, with direct access to the development team who built the engine.
Founded in India: 2002
Years securing Indian networks: 24+
Protocol parsers built in-house: 17
Simultaneous alert output formats: 3
 
 
Get Protected Today

Ready to Secure Your Network with India's Own IPS?

Talk to a GajShield security expert. We will walk through GajIPS's capabilities in detail, discuss your network environment, and demonstrate the engine on real traffic.

 
 

2025 © GajShield Infotech (I) Pvt. Ltd. All rights reserved.