Idp Pattern Matching - D-Link NetDefendOS User Manual

• An Unable to Detect log message when NetDefendOS has been unable to identify potential
attacks when reassembling a TCP/IP stream although such an attack may have been present.
This condition is caused by infrequent and unusually complex patterns of data in the stream.
Recommended Configuration
By default, insertion/evasion protection is enabled for all IDP rules and this is the recommended
setting for most configurations. There are two motivations for disabling the option:
• Increasing throughput - Where the highest throughout possible is desirable, then turning
the option off, can provide a slight increase in processing speed.
• Excessive False Positives - If there is evidence of an unusually high level of insertion/evasion
false positives then disabling the option may be prudent while the false positive causes are
investigated.

6.6.5. IDP Pattern Matching

Signatures
In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated
with different types of attack. These predefined patterns, also known as signatures, are stored in a
local NetDefendOS database and are used by the IDP subsystem to analyze traffic for attack
patterns. Each IDP signature is designated by a unique number.
Consider the following simple attack example involving an exchange with an FTP server. A rogue
user might try to retrieve the password file "passwd" from an FTP server using the FTP command
RETR passwd. A signature looking for the ASCII text strings RETR and passwd would find a match
in this case, indicating a possible attack. In this example, the pattern is found in plaintext but
pattern matching is done in the same way on pure binary data.
Recognizing Unknown Threats
Attackers who build new intrusions often reuse older code. This means their new attacks can
appear in circulation quickly. To counter this, D-Link IDP uses an approach where NetDefendOS
scans for these reusable components, with pattern matching looking for building blocks rather
than a completed program. This means that known threats as well as new, previously unknown
threats, built with the same reusable components, can be protected against.
Signature Advisories
An advisory is an explanatory textual description of a signature. Reading a signature's advisory
will explain to the administrator what the signature will search for. Due to the changing nature of
the signature database, advisories are not included in D-Link documentation but instead, are
available on the D-Link website at:
http://security.dlink.com.tw
Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu.
IDP Signature types
IDP offers three signature types which offer differing levels of certainty with regard to threats:
557
Chapter 6: Security Mechanisms