Idp Pattern Matching - D-Link NetDefend DFL-210 User Manual

6.3.5. IDP Pattern Matching

believes it has the full data stream. The attacker now sends two futher packets, p2 and p3, which
will be accepted by the application which can now complete reassembly but resulting in a different
data stream to that seen by the IDP subsystem.
Evasion Attacks
An evasion attack has a similar end-result to the Insertion Attack in that it also generates two differ-
ent data streams, one that the IDP subsystem sees and one that the target application sees, but it is
achieved in the reverse way. It consists of sending data packets that are rejected by the IDP subsys-
tem but are acceptable to the target application.
Detection Action
If an Insertion/Evasion Attack is detected with the Insertion/Evasion Protect option enabled, NetDe-
fendOS automatically corrects the data stream by removing the extraneous data associated with the
attack.
Insertion/Evasion Log Events
The Insertion/Evasion Attack subsystem in NetDefendOS can generate two types of log message:
• An Attack Detected log message, indicating an attack has been indentified and prevented.
• An Unable to Detect log message when NetDefendOS has been unable to identify potential at-
tacks when reassembling a TCP/IP stream although such an attack may have been present. This
condition is caused by infrequent and unusually complex patterns of data in the stream.
Recommended Configuration
By default, Insertion/Evasion protection is enabled for all IDP rules and this is the recommended
setting for most configurations. There are two motivations for disabling the option:
• Increasing throughput - Where the highest throughout possible is desirable, then turning the
option off, can provide a slight increase in processing speed.
• Excessive False Positives - If there is evidence of an unusually high level of Insertion/Evasion
false positives then disabling the option may be prudent while the false positive causes are in-
vestigated.
6.3.5. IDP Pattern Matching
Signatures
In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated
with different types of attack. These pre-defined patterns, also known as signatures, are stored in a
local NetDefendOS database and are used by the IDP module to analyze traffic for attack patterns.
Each IDP signature is designated by a unique number.
Consider the following simple attack example involving an exchange with an FTP server. A rogue
user might try to retrieve the password file "passwd" from an FTP server using the FTP command
RETR passwd. A signature looking for the ASCII text strings RETR and passwd would find a
match in this case, indicating a possible attack. In this example, the pattern is found in plaintext but
pattern matching is done in the same way on pure binary data.
128
Chapter 6. Security Mechanisms