Idp Pattern Matching; Idp Signature Groups - D-Link NetDefend DFL-210 User Manual

6.5.5. IDP Pattern Matching

• Increasing throughput - Where the highest throughout possible is desirable, then turning the
option off, can provide a slight increase in processing speed.
• Excessive False Positives - If there is evidence of an unusually high level of Insertion/Evasion
false positives then disabling the option may be prudent while the false positive causes are
investigated.
6.5.5. IDP Pattern Matching
Signatures
In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated
with different types of attack. These pre-defined patterns, also known as signatures, are stored in a
local NetDefendOS database and are used by the IDP module to analyze traffic for attack patterns.
Each IDP signature is designated by a unique number.
Consider the following simple attack example involving an exchange with an FTP server. A rogue
user might try to retrieve the password file "passwd" from an FTP server using the FTP command
RETR passwd. A signature looking for the ASCII text strings RETR and passwd would find a
match in this case, indicating a possible attack. In this example, the pattern is found in plaintext but
pattern matching is done in the same way on pure binary data.
Recognising Unknown Threats
Attackers who build new intrusions often re-use older code. This means their new attacks can appear
"in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for
these reusable components, with pattern matching looking for building blocks rather than the entire
complete code patterns. This means that "known" threats as well as new, recently released,
"unkown" threats, built with re-used software components, can be protected against.
Signature Advisories
An advisory is a explanatory textual description of a signature. Reading a signature's advisory will
explain to the administrator what the signature will search for. Due to the changing nature of the
signature database, advisories are not included in D-Link documentation but instead, are available
on the D-Link website at:
http://security.dlink.com.tw
Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu.
IDP Signature types
IDP offers three signature types which offer differing levels of certainty with regard to threats:
• Intrusion Protection Signatures (IPS) - are highly accurate and a match is almost certainly an
indicator of a threat. Using the Protect action is recommended. These signatures can detect
administrative actions and security scanners.
• Intrusion Detection Signatures (IDS) - can detect events that may be intrusions- They have
lower accuracy than IPS and may give some false positives so that's recommended that the
Audit action is initially used before deciding to use Protect.
• Policy Signatures - detect different types of application traffic. They can be used to block
certain applications such as filesharing applications and instant messaging.

6.5.6. IDP Signature Groups

192
Chapter 6. Security Mechanisms