Idp Signature Groups - D-Link NetDefend DFL-210 User Manual

6.3.6. IDP Signature Groups

Recognising Unknown Threats
Attackers who build new intrusions often re-use older code. This means their new attacks can appear
"in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for
these reusable components, with pattern matching looking for building blocks rather than the entire
complete code patterns. This means that "known" threats as well as new, recently released, "un-
kown" threats, built with re-used software components, can be protected against.
Signature Advisories
An advisory is a explanatory textual description of a signature. Reading a signature's advisory will
explain to the administrator what the signature will search for. Due to the changing nature of the sig-
nature database, advisories are not included in D-Link documentation but instead, are available on
the D-Link website at:
http://security.dlink.com.tw
Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu.
IDP Signature types
IDP offers three signature types which offer differing levels of certainty with regard to threats:
• Intrusion Protection Signatures (IPS) - are highly accurate and a match is almost certainly an
indicator of a threat. Using the Protect action is recommended. These signatures can detect ad-
ministrative actions and security scanners.
• Intrusion Detection Signatures (IDS) - can detect events that may be intrusions- They have
lower accuracy than IPS and may give some false positives so that's recommended that the
Audit action is initially used before deciding to use Protect.
• Policy Signatures - detect different types of application traffic. They can be used to block cer-
tain applications such as filesharing applications and instant messaging.
6.3.6. IDP Signature Groups
Using Groups
Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at
the same time when analyzing network traffic. To do this, signatures related to a particular protocol
are grouped together. For example, all signatures that refer to the FTP protocol form a group. It is
best to specify a group that relates to the traffic being searched than be concerned about individual
signatures. For performance purposes, the aim should be to have NetDefendOS search data using the
least possible number of signatures.
Specifying Signature Groups
IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is
the siganture Type, the second level the Category and the third level the Sub-Category. The signa-
ture group called POLICY_DB_MSSQL illustrates this principle where Policy is the Type, DB is
the Category and MSSQL is the Sub-Category. These 3 signature components are explained below:
1. Signature Group Type
129
Chapter 6. Security Mechanisms