Intrusion Detection Rules; Pattern Matching; Action - D-Link DFL-1600 User Manual

Network security firewall
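D-Link IDS uses a combination of Intrusion Detection Rules, Pattern
Matching, and Action, in order to answer the three questions mentioned
above.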
19.1.1 Intrusion Detection Rules

An Intrusion Detection Rule defines the kind of traffic – service – that
should be analyzed. Filtering fields regarding source and destination
interfaces, networks, ports, and protocols are also defined here. Only traffic
matching this rule is passed on to the next processing level of IDS, where
actual analysis takes place.
19.1.2 Pattern Matching

In order for the IDS to correctly identify an attack, it has to know what an
attack is. To achieve this, pre-defined patterns, called "signatures", are
created that describe certain attacks. The network traffic is then analyzed
by the IDS, searching for these patterns. This is also known as "misuse
detection" or "signature detection".
Consider the following example. A user tries to retrieve the password file
"passwd" from a system, using FTP:
RETR passwd
A signature looking for the ASCII text strings "RETR" and "passwd"
would cause a match in this case, signalling that an attack has been found.
In order to make this example easy to follow, patterns containing ASCII
text strings were used. This is not necessary; patterns can just as well
contain binary data.
If an attack is found, the next processing level of the IDS is carried out:
the course of action.
19.1.3 Action

After an intrusion has been detected, an action, or response, must be taken.
Depending on the severity of the attack, traffic can either be dropped,
logged, both, or simply ignored.
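
The three processing levels described in 19.1.1 to 19.1.3, as an added Python example (not D-Link code and not the firewall's rule or signature syntax). The class names, the severity scale, the severity-to-action mapping, the addresses and the binary pattern are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:                 # constructed, simplified view of one TCP payload
    src: str
    dst: str
    dst_port: int
    payload: bytes

@dataclass
class Signature:
    name: str
    patterns: tuple           # every byte pattern must occur in the payload
    severity: str             # "high", "low" or "info" (hypothetical scale)

@dataclass
class IDSRule:                # level 1: selects which traffic is analyzed at all
    dst_net: str
    dst_port: int
    signatures: tuple

    def selects(self, pkt):
        return (pkt.dst_port == self.dst_port
                and ip_address(pkt.dst) in ip_network(self.dst_net))

# Level 3: severity decides the response (hypothetical mapping).
ACTIONS = {"high": ("drop", "log"), "low": ("log",), "info": ()}

def inspect(pkt, rules):
    """Return (signature name, actions) for the first match, else None."""
    for rule in rules:
        if not rule.selects(pkt):
            continue                      # never reaches pattern matching
        for sig in rule.signatures:       # level 2: pattern matching
            if all(p in pkt.payload for p in sig.patterns):
                return sig.name, ACTIONS[sig.severity]
    return None

# Constructed rule: analyze FTP control traffic to a documentation network.
FTP_RULE = IDSRule("192.0.2.0/24", 21, (
    Signature("ftp-passwd-retrieval", (b"RETR", b"passwd"), "high"),
    Signature("binary-marker", (b"\x00\xff\x00\xff",), "low"),  # binary pattern
))
```

Because both patterns are plain substrings, a payload such as "RETR passwd_policy.txt" also matches the first signature; substring signatures trade precision for simplicity.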
Chapter 19. Intrusion Detection System (IDS)
D-Link Firewalls User's Guide
