Preventing attacks

- Teardrop
- Winnuke
- HTML buffer overflow
- TCP/UDP flood protection

Trojan horse notification

Any attempt to connect to a blocked port that is commonly used by Trojan horse programs is logged and classified as a possible attack. The log message warns the user that an illegal connection attempt was made and that they should audit their internal systems to verify they are not compromised. Trojan horse protection is overridden if traffic is explicitly allowed in an inbound rule.

Connections to the ports listed in Table 8-1 generate warnings in the log file, unless you specifically have a rule configured to allow inbound traffic on that port.

Table 8-1 Trojan horse ports and protocols

| Trojan horse   | Protocol | Ports                                          |
|----------------|----------|------------------------------------------------|
| Back Orifice   | TCP      | 31337                                          |
|                | UDP      | 31337                                          |
| Girlfriend     | TCP      | 21554                                          |
| Portal of Doom | TCP      | 3700, 9872, 9873, 9874, 9875, 10067, 10167     |
|                | UDP      | 10067, 10167                                   |
| SubSeven       | TCP      | 1243, 6711, 6712, 6713, 6766, 27374, 27573     |
|                | UDP      | 27573                                          |

Setting protection preferences

For each atomic IDS and IPS signature, you can set the action to take with detection of each individual signature, as follows:

- Block and Warn: Drop and log packets identified as containing the specific signature.
- Block/Don't Warn: Drop the packet; but do not log.

You can configure the following options for enabling and disabling IDS and IPS signature detection and logging:

- Select All to enable or disable detection of ALL signatures.
- Enable/disable detection of each signature individually.

To set protection preferences

See "IDS Protection tab field descriptions" on page 154.

1. In the SGMI, in the left pane, click IDS/IPS.
2. In the right pane, on the IDS Protection tab, under IDS Signatures, from the Name drop-down list, select an IDS signature.
   To apply the preferences to all the signatures, click >>Select All<<.
3. Under Protection settings, next to Action, select an action.
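
The Trojan horse notification behavior described on this page (warn on a blocked Table 8-1 port unless an inbound rule allows it), written out as an added example that is not the appliance's own code. The record layout, the set-of-pairs form of the inbound rules and the sample addresses are assumptions; the second result lists inbound rules that override the protection and so deserve review.

```python
# Table 8-1 from this page: Trojan horse name, protocol, ports.
TABLE_8_1 = [
    ("Back Orifice", "TCP", [31337]),
    ("Back Orifice", "UDP", [31337]),
    ("Girlfriend", "TCP", [21554]),
    ("Portal of Doom", "TCP", [3700, 9872, 9873, 9874, 9875, 10067, 10167]),
    ("Portal of Doom", "UDP", [10067, 10167]),
    ("SubSeven", "TCP", [1243, 6711, 6712, 6713, 6766, 27374, 27573]),
    ("SubSeven", "UDP", [27573]),
]
TROJAN_PORTS = {(proto, port): name
                for name, proto, ports in TABLE_8_1 for port in ports}


def classify(attempt, inbound_allow):
    """Return a warning for a blocked Trojan-port attempt, else None."""
    key = (attempt["proto"].upper(), attempt["dst_port"])
    if key in inbound_allow:
        return None  # explicit inbound rule overrides Trojan horse protection
    name = TROJAN_PORTS.get(key)
    if name is None:
        return None  # blocked, but not a port listed in Table 8-1
    return (f"possible attack: {key[0]}/{key[1]} ({name}) "
            f"from {attempt['src']}; audit internal systems")


def review(attempts, inbound_allow):
    """Return (warnings, inbound rules that silence the notification)."""
    warnings = [m for a in attempts if (m := classify(a, inbound_allow))]
    exposed = sorted(k for k in inbound_allow if k in TROJAN_PORTS)
    return warnings, exposed


# Constructed sample data (hypothetical layout, documentation addresses).
SAMPLE = [
    {"proto": "tcp", "dst_port": 31337, "src": "203.0.113.7"},
    {"proto": "udp", "dst_port": 27573, "src": "198.51.100.9"},
    {"proto": "tcp", "dst_port": 27374, "src": "203.0.113.7"},
    {"proto": "tcp", "dst_port": 8080, "src": "192.0.2.44"},
]
ALLOW = {("TCP", 27374), ("TCP", 80)}  # assumed inbound rules

if __name__ == "__main__":
    warnings, exposed = review(SAMPLE, ALLOW)
    print("\n".join(warnings))
    print("inbound rules that override protection:", exposed)
```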