Allied Telesis AR Series Technical Manual page 11

Feature overview and configuration guide advanced network protection

Feature Overview
Once threats or attacks are detected, the IPS engine can take the following actions:
Alert: generate a log message (default action)
Deny: drop matching packets
The firewall is used in conjunction with the IPS engine. The IPS engine is the first line of defense: it captures traffic before it reaches the firewall. The firewall primarily filters predetermined packets and tracks connections to ensure that sessions initiated from the private network are allowed.
AlliedWare Plus IPS supports a set of built-in categories. The categories are listed below:
checksum: Invalid checksums, e.g. IPv4, TCPv4, UDPv4, ICMPv4, TCPv6, UDPv6, ICMPv6.
ftp-bounce: GPL FTP PORT bounce attempt.
gre-decoder-events: GRE anomalies, e.g. GRE packet too small, GRE wrong version, GRE v0 recursion control, GRE v0 flags, GRE v0 header too big, GRE v1 checksum present, GRE v1 routing present, GRE v1 strict source route, GRE v1 recursion control.
http-events: HTTP anomalies, e.g. HTTP unknown error, HTTP gzip decompression failed, HTTP request field missing colon, HTTP response field missing colon, HTTP invalid request chunk len, HTTP invalid response chunk len, HTTP status 100-Continue already seen, HTTP unable to match response to request, HTTP invalid server port in request.
icmp-decoder-events: ICMP anomalies, e.g. IPv6 with ICMPv4 header, ICMPv4 packet too small, ICMPv4 unknown type, ICMPv6 truncated packet, ICMPv6 unknown version.
ip-decoder-events: IPv4 & IPv6 anomalies, e.g. IPv4 packet too small, IPv4 header size too small, IPv4 wrong IP version, IPv6 packet too small, IPv6 duplicated Routing extension header, IPv6 duplicated Hop-By-Hop Options extension header, IPv6 DSTOPTS only padding, SLL packet too small, Ethernet packet too small, VLAN header too small, FRAG IPv4 Fragmentation overlap, FRAG IPv6 Packet size too large, IPv4-in-IPv6 invalid protocol, IPv6-in-IPv6 packet too short.
ppp-decoder-events: PPP anomalies, e.g. PPP packet too small, PPP IPv6 too small, PPP wrong type, PPPoE wrong code, PPPoE malformed tags.
smtp-events: SMTP anomalies, e.g. SMTP invalid reply, SMTP max reply line len exceeded, SMTP tls rejected, SMTP data command rejected.
stream-events: TCP anomalies, e.g. 3way handshake with ack in wrong dir, 3way handshake async wrong sequence, 3way handshake right seq wrong ack evasion, 4way handshake SYNACK with wrong ACK, STREAM CLOSEWAIT FIN out of window, STREAM ESTABLISHED SYNACK resend, STREAM FIN invalid ack, STREAM FIN1 ack with wrong seq, STREAM TIMEWAIT ACK with wrong seq, stream-events TCP packet too small, stream-events TCP duplicated option.
udp-decoder-events: UDP anomalies, e.g. UDP packet too small, UDP header length too small, UDP invalid header length.
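
To make the decoder-event categories concrete, the following added example (not Allied Telesis code, and not a description of how the AlliedWare Plus IPS engine is implemented) applies a few of the listed checksum, ip-decoder-events and udp-decoder-events checks to constructed packets. The function names, the event strings returned and the sample packets are assumptions made for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_events(pkt: bytes) -> list:
    """Return anomaly names (wording from the category list) for a raw IPv4 packet."""
    if len(pkt) < 20:
        return ["IPv4 packet too small"]
    if pkt[0] >> 4 != 4:
        return ["IPv4 wrong IP version"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20:
        return ["IPv4 header size too small"]
    if len(pkt) < ihl:
        return ["IPv4 packet too small"]
    events = []
    # A valid header, checksum field included, sums to zero.
    if inet_checksum(pkt[:ihl]) != 0:
        events.append("invalid IPv4 checksum")
    if pkt[9] == 17:  # protocol 17 = UDP
        udp = pkt[ihl:]
        if len(udp) < 8:
            events.append("UDP packet too small")
        else:
            udp_len = struct.unpack("!H", udp[4:6])[0]
            if udp_len < 8:
                events.append("UDP header length too small")
            elif udp_len != len(udp):
                events.append("UDP invalid header length")
    return events

def build_packet(payload: bytes, udp_len=None, good_checksum=True) -> bytes:
    """Constructed IPv4/UDP test packet using documentation addresses."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    csum = inet_checksum(hdr)
    if not good_checksum:
        csum ^= 0x0001  # flip one bit so verification fails
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + udp

if __name__ == "__main__":
    for name, pkt in [("clean", build_packet(b"hello")),
                      ("bad checksum", build_packet(b"hello", good_checksum=False)),
                      ("short UDP length", build_packet(b"hello", udp_len=4))]:
        print(name, "->", decode_events(pkt))
```
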
C613-22104-00 REV B | Advanced Network Protection | Intrusion Prevention System (IPS) | Page 11

This manual is also suitable for: AR3050S, AR4050S