Example
If you wanted the virtual sensor to ignore the TEL:NT-GUEST and XOPEN:FAIL signatures from
the FAILURES group, you would add them to the Ignored Signatures list in the Signatures Editor
window, as shown in the figure below.
Configuring the Covert Channel Analysis Module
Many attackers use ICMP echo request and echo reply packets to communicate covertly, because
ping traffic is allowed through most firewalls and rarely inspected. Specialized ICMP clients and
servers such as Back Orifice 2000 and LOKI are good examples. This module provides parameters to
configure three types of ICMP traffic analysis.
Backdoor Settings
The backdoor parameters in this module enable discovery of streams of unsolicited ICMP echo
replies, or of echo streams whose ICMP sequence number never changes. You configure the total
number of ICMP type 0 (echo reply) and type 8 (echo request) packets to collect, and the threshold,
n, for generating an alert. Within the collected packets, an alert is generated if n more echo
replies than echo requests have been seen, or if n consecutive echo replies carry the same ICMP
sequence number.
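The two backdoor heuristics above, modelled as a small detector run over constructed packet streams. This is an added example, not RealSecure code: the packet record, the class and function names, and the assumption that the counters restart after an alert or once the collection window is full are all mine; the product's exact reset behaviour is not described on this page.

```python
"""Toy model of the ICMP backdoor heuristics (added example, not product code).

Rule 1: n more echo replies than echo requests -> unsolicited reply stream.
Rule 2: n consecutive echo replies with the same sequence number -> static seq.
Assumption: counters reset after an alert fires or when `window` packets
have been collected.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

ICMP_ECHO_REPLY = 0    # ICMP type 0
ICMP_ECHO_REQUEST = 8  # ICMP type 8


@dataclass(frozen=True)
class IcmpEcho:
    """Minimal view of one ICMP echo packet (constructed, not a capture)."""
    src: str
    dst: str
    icmp_type: int
    seq: int


@dataclass
class BackdoorDetector:
    window: int      # total echo packets to collect before counters reset
    threshold: int   # the "n" from the text
    _requests: int = 0
    _replies: int = 0
    _seen: int = 0
    _run_seq: int = -1   # sequence number of the current run of identical replies
    _run_len: int = 0
    alerts: List[str] = field(default_factory=list)

    def _reset(self) -> None:
        self._requests = self._replies = self._seen = 0
        self._run_seq, self._run_len = -1, 0

    def observe(self, pkt: IcmpEcho) -> List[str]:
        """Feed one packet; return the alerts raised by this packet, if any."""
        if pkt.icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
            return []
        fired: List[str] = []
        self._seen += 1
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self._requests += 1
        else:
            self._replies += 1
            # Only replies count toward the run; interleaved requests do not break it.
            if pkt.seq == self._run_seq:
                self._run_len += 1
            else:
                self._run_seq, self._run_len = pkt.seq, 1
        # Rule 1: n more replies than requests in the window
        surplus = self._replies - self._requests
        if surplus >= self.threshold:
            fired.append(f"ICMP backdoor: {surplus} unsolicited echo replies to {pkt.dst}")
        # Rule 2: n consecutive replies sharing one sequence number
        if self._run_len >= self.threshold:
            fired.append(f"ICMP backdoor: {self._run_len} echo replies with "
                         f"static seq {self._run_seq} to {pkt.dst}")
        if fired or self._seen >= self.window:
            self._reset()   # assumed reset behaviour (see module docstring)
        self.alerts.extend(fired)
        return fired


def scan(packets: Iterable[IcmpEcho], window: int = 20, threshold: int = 5) -> List[str]:
    """Run the detector over a packet stream and return every alert raised."""
    det = BackdoorDetector(window, threshold)
    for p in packets:
        det.observe(p)
    return det.alerts


# --- constructed sample streams (hypothetical hosts 10.0.0.5 and 10.0.0.9) ---

def normal_ping(n: int = 8) -> List[IcmpEcho]:
    """Ordinary ping: one request, one reply, sequence number increments."""
    return [IcmpEcho(s, d, t, i) for i in range(1, n + 1)
            for (s, d, t) in (("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST),
                              ("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY))]


def loki_style(n: int = 8) -> List[IcmpEcho]:
    """LOKI-like tunnel: data carried in echo replies that answer no request."""
    return [IcmpEcho("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, i) for i in range(1, n + 1)]


def static_seq(n: int = 8) -> List[IcmpEcho]:
    """Request/reply counts balance, but every reply reuses sequence number 0x1234."""
    out: List[IcmpEcho] = []
    for _ in range(n):
        out.append(IcmpEcho("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, 0x1234))
        out.append(IcmpEcho("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234))
    return out


if __name__ == "__main__":
    for name, stream in (("normal", normal_ping()), ("loki", loki_style()), ("static", static_seq())):
        print(name, scan(stream))
```

One practical consequence of the model is that the collection window must be at least n packets: with a window smaller than the threshold the counters reset before either rule can fire, so `scan(loki_style(), window=4, threshold=5)` raises nothing even on a pure reply stream.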