Trojan Horse Notification; Setting Protection Preferences - Symantec 460R - Gateway Security Administrator's Manual

90 Preventing attacks

Setting protection preferences

Trojan horse notification

Any attempt to connect to a blocked port that is commonly used by Trojan horse programs is logged and
classified as a possible attack. The log message warns the user that an illegal connection attempt was made
and that they should audit their internal systems to verify they are not compromised. Trojan horse
protection is overridden if traffic is explicitly allowed in an inbound rule.
Connections to the ports listed in
rule configured to allow inbound traffic on that port.
Table 8-1
Trojan horse
Back Orifice
Girlfriend
Portal of Doom
SubSeven
Setting protection preferences
For each atomic IDS and IPS signature, you can set the action to take with detection of each individual
signature, as follows:
You can configure the following options for enabling and disabling IDS and IPS signature detection and
logging:
To set protection preferences
See
1
2
3
Teardrop
Winnuke
HTML buffer overflow
TCP/UDP flood protection
Trojan horse ports and protocols
Protocol Ports
TCP 31337
UDP 31337
TCP 21554
TCP 3700, 9872, 9873, 9874, 9875, 10067, 10167
UDP 10067, 10167
TCP 1243, 6711, 6712, 6713, 6766, 27374, 27573
UDP 27573
Block and Warn
Drop and log packets identified as containing the specific signature.
Block/Don't Warn
Drop the packet; but do not log.
Select All to enable or disable detection of ALL signatures.
Enable/disable detection of each signature individually.
"IDS Protection tab field descriptions"
In the SGMI, in the left pane, click IDS/IPS.
In the right pane, on the IDS Protection tab, under IDS Signatures, from the Name drop-down list,
select an IDS signature.
To apply the preferences to all the signatures, click >>Select All<<.
Under Protection settings, next to Action, select an action.
Table 8-1 generate warnings in the log file, unless you specifically have a
on page 154.