Network Instruments GigaStor User Manual page 49

is encountered during preprocessing. Because Apache uses this standard, enable
this option when monitoring Apache servers. Logging every UTF-8 encoded URI is
possible, but it generates a lot of noise because this type of encoding is common
in legitimate traffic.
Lookup Unicode in code page—Enables Unicode codepoint mapping during
preprocessing, so that non-ASCII codepoints the IIS server accepts are decoded
the same way the server decodes them.
Normalize double encodings—Emulates the two decoding passes IIS makes over a
URI. An intruder can encode a character twice (for example %252f, which decodes
to %2f and then to /) so that a single-pass decoder never sees the real character;
this option applies the second pass so that rules match what IIS would execute.
Normalize bare binary non-ASCII encodings—Emulates the IIS feature that accepts
raw non-ASCII bytes as valid UTF-8 input instead of requiring them to be
percent-encoded. Because this is non-standard, logging this type of encoding is
recommended.
Normalize directory traversal—Directory traversal attacks attempt to reach
directories and commands outside the intended web root by using the /./ and
/../ syntax. This option removes traversal and self-referential segments from
the path. You may want to disable logging for this, as many web pages and
applications use such paths legitimately to reference content.
Normalize multiple slashes to one—Another directory traversal strategy is to
confuse the web server with runs of slashes (//); this option collapses them to
a single slash.
Normalize Backslash—Emulates the IIS treatment of backslashes by converting
them to forward slashes.
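As an added illustration (this is not code from the GigaStor manual or from the Snort http_inspect preprocessor it is based on), the following Python models the options above as a small URI normalizer. The option names, the event labels and the sample URIs are constructed for the example. It shows why the options matter together: a doubly encoded backslash traversal only reaches the rule engine as the plain path /winnt/system32/cmd.exe when both the double-encoding and backslash options are enabled; with standard decoding alone the traversal stays hidden inside the path.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Flags named after the preprocessor fields described above (constructed names).
@dataclass
class UriNormOptions:
    utf8: bool = True            # decode standard %xx percent-encoding
    double_decode: bool = False  # second, IIS-style decode pass (%252f -> %2f -> /)
    bare_byte: bool = False      # accept raw bytes >= 0x80 as UTF-8 (IIS quirk)
    directory: bool = True       # collapse /./ and /../ segments
    multi_slash: bool = True     # collapse runs of slashes to one
    iis_backslash: bool = False  # treat a backslash like a forward slash

_HEX = b"0123456789abcdefABCDEF"

def _percent_decode(raw: bytes) -> tuple[bytes, bool]:
    """One decoding pass over %xx sequences; returns (decoded, anything_decoded)."""
    out, i, changed = bytearray(), 0, False
    while i < len(raw):
        if raw[i] == 0x25 and i + 2 < len(raw) and raw[i + 1] in _HEX and raw[i + 2] in _HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i, changed = i + 3, True
        else:
            out.append(raw[i])
            i += 1
    return bytes(out), changed

def normalize_uri(uri: bytes, opts: UriNormOptions = UriNormOptions()) -> tuple[str, list[str]]:
    """Return the canonical path and the list of encodings that had to be undone.
    The event list is what a rule engine would raise alerts on."""
    events: list[str] = []
    data = uri
    if opts.utf8:
        data, changed = _percent_decode(data)
        if changed:
            events.append("percent-encoding")
    if opts.double_decode:                      # IIS decodes a second time
        data, changed = _percent_decode(data)
        if changed:
            events.append("double encoding")
    if any(b >= 0x80 for b in data):
        if opts.bare_byte:                      # IIS accepts raw UTF-8 bytes
            events.append("bare byte non-ASCII")
            path = data.decode("utf-8", errors="replace")
        else:
            path = data.decode("latin-1")       # left as opaque single bytes
    else:
        path = data.decode("ascii")
    if opts.iis_backslash and "\\" in path:
        events.append("backslash")
        path = path.replace("\\", "/")
    if opts.multi_slash and "//" in path:
        events.append("multiple slashes")
        path = re.sub(r"/{2,}", "/", path)
    if opts.directory:
        segs: list[str] = []
        traversed = False
        for seg in path.split("/"):
            if seg == ".":                      # self-referential directory
                traversed = True
            elif seg == "..":                   # parent directory; never above the root
                traversed = True
                if len(segs) > 1 or (segs and segs[-1] != ""):
                    segs.pop()
            else:
                segs.append(seg)
        if traversed:
            events.append("directory traversal")
            path = "/".join(segs)
    return path, events

# Constructed sample: a doubly encoded backslash traversal (%255c -> %5c -> \).
EVASION = b"/scripts/..%255c..%255cwinnt/system32/cmd.exe"

if __name__ == "__main__":
    print(normalize_uri(EVASION))                                   # standard decoding only
    print(normalize_uri(EVASION, UriNormOptions(double_decode=True, iis_backslash=True)))
    print(normalize_uri(b"/cgi-bin//./test.cgi"))
```

Each normalization step records an event, so the caller can decide per option whether to log it, which mirrors the advice above: alert on double and bare-byte encodings, but expect noise from directory and UTF-8 events on a busy server.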
ARP Inspection
IP hosts on an Ethernet segment use the Address Resolution Protocol (ARP) to map
IP addresses to the hardware (MAC) address of a particular machine. Rather than
continuously broadcasting the mapping to every device on the segment, each device
keeps its own copy, called the ARP cache, and updates it whenever it receives an
ARP Reply. Hackers poison this cache with forged replies to launch man-in-the-middle
and denial of service (DoS) attacks. The ARP inspection preprocessor examines ARP
traffic for such forgeries (ARP spoofing) and for the traffic that results from
these attacks.
Log preprocessor events—Checking this box causes forensic analysis to save
any alerts generated by the ARP Inspection preprocessor to the log, but not the
Forensic Summary Window.
Report non-broadcast requests—Non-broadcast (unicast) ARP requests can be
evidence of malicious intent. One scenario is a hacker attempting to convince a
target computer that the hacker's computer is the router, so that the hacker can
monitor all traffic from the target. However, some devices (such as printers)
use non-broadcast ARP requests as part of normal operation. Start by checking
the box to detect such traffic, and disable the option only if analysis shows
that it produces false positives.
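Added example, not part of the manual or of the GigaStor product: a Python sketch of the checks an ARP inspection preprocessor of this kind performs on each frame. The MAC and IP addresses, the host table and the four frames are constructed. The unicast-request check corresponds to the "Report non-broadcast requests" option above; the two header-mismatch checks (Ethernet header versus ARP payload) and the cache-overwrite check against a configured IP-to-MAC host table are modelled on the Snort arpspoof preprocessor and are an assumption about how GigaStor implements the feature.

```python
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass

ETH_ARP = 0x0806
BROADCAST = bytes(6 * [0xFF])
ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpFrame:
    eth_dst: bytes   # Ethernet header destination
    eth_src: bytes   # Ethernet header source
    oper: int        # 1 = request, 2 = reply
    sha: bytes       # sender hardware address (ARP payload)
    spa: str         # sender IP address
    tha: bytes       # target hardware address
    tpa: str         # target IP address

def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header plus the 28-byte ARP body for IPv4 over Ethernet."""
    return (eth_dst + eth_src + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))

def parse_arp(frame: bytes) -> ArpFrame | None:
    """Return the parsed frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(frame[:6], frame[6:12], oper, sha,
                    socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))

def inspect_arp(frame: bytes, hosts: dict[str, bytes], report_unicast: bool = True) -> list[str]:
    """Alerts for one frame. `hosts` is the trusted IP -> MAC table (assumed config)."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts: list[str] = []
    # "Report non-broadcast requests": a request not sent to ff:ff:ff:ff:ff:ff.
    if arp.oper == ARP_REQUEST and report_unicast and arp.eth_dst != BROADCAST:
        alerts.append("unicast ARP request")
    # Forged frames often disagree between the Ethernet header and the ARP payload.
    if arp.eth_src != arp.sha:
        alerts.append("Ethernet/ARP source mismatch")
    if arp.oper == ARP_REPLY and arp.eth_dst != arp.tha:
        alerts.append("Ethernet/ARP destination mismatch")
    # Cache poisoning: a known IP is claimed by a MAC other than the configured one.
    expected = hosts.get(arp.spa)
    if expected is not None and expected != arp.sha:
        alerts.append(f"ARP cache overwrite attempt: {arp.spa} is {mac(expected)}, "
                      f"frame claims {mac(arp.sha)}")
    return alerts

# Constructed lab addresses (not from the manual).
ROUTER_MAC, ROUTER_IP = bytes.fromhex("001122334401"), "10.0.0.1"
VICTIM_MAC, VICTIM_IP = bytes.fromhex("001122334420"), "10.0.0.20"
PRINTER_MAC, PRINTER_IP = bytes.fromhex("001122334430"), "10.0.0.30"
ATTACKER_MAC = bytes.fromhex("0a0b0c0d0e0f")
HOSTS = {ROUTER_IP: ROUTER_MAC, VICTIM_IP: VICTIM_MAC}

# Victim legitimately asks who has the router's address.
NORMAL_REQUEST = build_arp(BROADCAST, VICTIM_MAC, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, bytes(6), ROUTER_IP)
# A printer refreshing its cache with a unicast request (benign, but flagged if enabled).
UNICAST_REQUEST = build_arp(ROUTER_MAC, PRINTER_MAC, ARP_REQUEST, PRINTER_MAC, PRINTER_IP, ROUTER_MAC, ROUTER_IP)
# Attacker tells the victim that the router's IP now lives at the attacker's MAC.
POISON_REPLY = build_arp(VICTIM_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)
# Attacker spoofs the router's MAC in the ARP payload but not in the Ethernet header.
MISMATCH_REPLY = build_arp(VICTIM_MAC, ATTACKER_MAC, ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)

if __name__ == "__main__":
    for name, frame in [("normal", NORMAL_REQUEST), ("unicast", UNICAST_REQUEST),
                        ("poison", POISON_REPLY), ("mismatch", MISMATCH_REPLY)]:
        print(name, inspect_arp(frame, HOSTS))
```

The `report_unicast` flag is the tuning knob the manual describes: leave it on until the printer-style request above shows up as a recurring false positive, then turn it off while keeping the spoofing checks.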
Telnet Normalization
Hackers may attempt to evade detection by inserting Telnet control codes
(command and option-negotiation sequences) into Telnet and FTP commands aimed
at a target, so that a signature no longer matches the raw bytes. This
preprocessor strips these codes, normalizing all such traffic before subsequent
forensic rules are applied.
Log preprocessor events—Checking this box causes forensic analysis to save any
alerts generated by the Telnet Normalization preprocessor to the log, but not the
Forensic Summary Window.
Port List—Lets you specify a list of ports to include in or exclude from Telnet
preprocessing. The default settings are appropriate for most networks.
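Added example (not code from the manual or from GigaStor) showing what the normalization above does to an evasive command. The stripping follows the Telnet protocol itself: an IAC byte (0xFF) introduces a two-byte command, a three-byte option negotiation (WILL/WONT/DO/DONT plus option), or a subnegotiation block ending in IAC SE, and IAC IAC is an escaped literal 0xFF. The port set, the sample command and the stand-in `rule_matches` check are constructed; the manual does not list the default ports, so the two used here (21 for FTP control, 23 for Telnet) are an assumption for the example.

```python
from __future__ import annotations

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
NOP = 241

# Constructed stand-in for the "Port List" field: payloads to these ports are normalized.
DEFAULT_PORTS = frozenset({21, 23})

def strip_telnet_controls(payload: bytes) -> tuple[bytes, int]:
    """Remove IAC command, option-negotiation and subnegotiation sequences.
    Returns (normalized payload, number of control sequences removed)."""
    out, i, removed = bytearray(), 0, 0
    n = len(payload)
    while i < n:
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                     # trailing lone IAC: drop it
            removed += 1
            break
        cmd = payload[i + 1]
        if cmd == IAC:                     # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                         # IAC <cmd> <option>
            removed += 1
        elif cmd == SB:                    # IAC SB <option> ... IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2   # unterminated block: discard the remainder
            removed += 1
        else:                              # two-byte command: NOP, AYT, BRK, ...
            i += 2
            removed += 1
    return bytes(out), removed

def normalize_for_rules(dst_port: int, payload: bytes, ports=DEFAULT_PORTS) -> bytes:
    """Apply Telnet normalization only to traffic on the configured ports."""
    if dst_port not in ports:
        return payload
    return strip_telnet_controls(payload)[0]

def rule_matches(payload: bytes, content: bytes = b"cat /etc/passwd") -> bool:
    """Stand-in for a content-match rule evaluated after preprocessing."""
    return content in payload

# Constructed evasion: the command with control sequences spliced between its letters.
EVASIVE_COMMAND = (b"c" + bytes([IAC, NOP]) + b"at" + bytes([IAC, WILL, 0x01])
                   + b" /etc" + bytes([IAC, SB, 0x18, 0x00]) + b"VT100" + bytes([IAC, SE])
                   + b"/passwd\r\n")

if __name__ == "__main__":
    print("raw matches:       ", rule_matches(EVASIVE_COMMAND))
    print("normalized matches:", rule_matches(normalize_for_rules(23, EVASIVE_COMMAND)))
    print(strip_telnet_controls(EVASIVE_COMMAND))
```

The same payload sent to a port outside the list is left untouched, which is why the port list matters: a Telnet-style evasion on an unlisted port would reach the rules un-normalized.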
Variable Name
A scrollable window below the preprocessor settings lists the variables that
were imported along with the Snort rules. Variables are referenced by the
rules to specify local and remote network ranges, and common server IP
Creating a Forensic Settings profile | 49
