Basic And Extended Signatures; Configuring Port Macros - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide

Hide thumbs Also See for Intrusion Prevention System:

Reporting manual (122 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

page of 260

/ 260
Contents
Table of Contents
Bookmarks

Table of Contents

Configuring Port Macros

WEB-XSS-ATTACK

Signatures for Cross-Site Scripting (XSS) attacks are placed in this category.

Basic and Extended Signatures

The Enterasys IPS signature language was extended with the v7.2 release to include a number of

new features such as full Perl-compatible regular expression support, communication of state

information across signatures, per-signature thresholding, enhanced packet header tests, as well

as additional Network Layer, Transport Layer, and Application Layer properties. A new tab

containing the "Extended" signature properties was added to the Signature Property Settings

window, and a number of extended master signatures have been added to the Master Libraries.

However, the majority of master signatures remain "Basic" signatures.

Enterasys IPS firmware versions previous to v7.2 cannot use extended signatures, but they can use

basic signatures.

Configuring Port Macros

Port macros define complex ranges of ports, providing a simple way to apply a policy module or

signature across several ports or a complex range of ports. Port macros can be configured using

the Default Network Sensor Setting on the Network Policies tab in the Network Policy View. You

can then assign them by name in a Network Sensor module or signature.

Enterasys IPS provides a number of predefined macros, listed in

your own macros or add to or edit the existing macros.

Table 1-1 Pre-defined Macros

1-14 Network Sensor Overview

Note: If you want to change an existing basic signature with a basic pattern to an extended

signature, you must first remove the basic pattern(s), then create the extended pattern(s).

Macro

Description

web; search for traffic on ports 80, and 3128 and 8080 (common proxy ports)

not web; NOOP overflows, ignore port 80

compromise; search for UNIX keywords on ports 22, 53, 143,443, and 2049

compromise; search for NT keywords on ports 23, 53, 80, 135, and 139

X Windows; search for X Windows events on ports 6000 – 6070

high ports; search traffic above port 1023

low ports; search traffic equal to or below 1023

any ports; search traffic above port 0

net manage; search SNMP traffic to 161 and between 32771 – 32800 (RPC/Solaris)

search traffic going to/ from ports in the range 27900 through 27999

rpc; search RPC traffic

ssh abuse; search for SSH servers not on port 22

telconvert; used by TELCONVERT to specify ports to decode telnet options

misuse; search FTP/web/NNTP for unwanted activities

Table

1-1. You can also define

Table of Contents

Basic And Extended Signatures; Configuring Port Macros - Enterasys Intrusion Prevention System Manual

Configuring Port Macros

Basic and Extended Signatures

Related Manuals for Enterasys Intrusion Prevention System

Related Content for Enterasys Intrusion Prevention System

Table of Contents