Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide
Enterasys® Intrusion Prevention System
Creating Network Sensor Policies and Signatures
P/N 9034379-05

Summary of Contents for Enterasys Intrusion Prevention System

  • Page 1 Enterasys® Intrusion Prevention System Creating Network Sensor Policies and Signatures P/N 9034379-05...
  • Page 3 Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
  • Page 4 Embedded Software Copyrights Bleeding Snort Copyright (c) 2005, Bleedingsnort.com All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 5 (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Enterasys’ prior written consent, and in no event shall You operate more than one copy of the Licensed Software.
  • Page 6 Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys of any unauthorized use thereof.
  • Page 7 Enterasys in good faith determines that the media and proof of payment of the license fee are returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.
  • Page 9: Table Of Contents

    Related Documents ............................xi Conventions ..............................xii Getting Help ..............................xii Chapter 1: Network Sensor Overview Enterasys IPS Network Sensors ........................1-1 Virtual Network Sensors ........................... 1-2 Network Sensor Policies ..........................1-2 Network Sensor Policy Modules ......................1-4 Network Sensor Signatures ..........................1-9 Signature Libraries and Event Groups ....................
  • Page 10 Log Option Tab ............................2-39 Log Protocol Tab ............................ 2-41 Log Frag Tab ............................2-42 Log Static Tab ............................2-44 Log Broadcast Tab ..........................2-46 Configuring the Probe Detection Module ...................... 2-47 Procedure ............................... 2-48 Configuring the Protocol Analysis Module ....................2-50 DNS Analysis Configuration ........................
  • Page 11 Appendix A: Keywords/XML Attributes 6.x to 7.x Mappings ............................A-1 Network Sensor Signature Fields .........................A-60 Host Sensor Mappings ..........................A-61 Agent Mappings ............................A-61 Index...
  • Page 13: About This Guide

    About This Guide The Enterasys Intrusion Prevention System (IPS) is a solution consisting of an Intrusion Detection System (IDS), active response, and intrusion prevention. Enterasys IPS administrators can configure a variety of elements. Administrators are responsible for configuring Network Sensors, Host Sensors, and the management tools of the Enterprise Management Server (EMS).
  • Page 14: Conventions

    Conventions The following conventions are used in this document. <installdir> Indicates the path where you installed Enterasys IPS. The default directory is /usr/dragon. bold type Actual user input values or names of screens and commands. blue type Indicates a hypertext link. When reading this document online, click the text in blue to go to the referenced figure, table, or section.
  • Page 15: Chapter 1: Network Sensor Overview

    Enterasys IPS Network Sensors The Enterasys IPS Network Sensor is a packet-based Network Intrusion Detection System (NIDS) and response system. It collects network packets and analyzes them for a variety of suspicious activities. Suspicious activity may indicate network abuse, probes, intrusions, or vulnerabilities.
  • Page 16: Virtual Network Sensors

    Enterasys provides you with a set of “master” policy modules which, although they cannot be modified, can be used to create your own custom policies that are associated with a virtual sensor.
  • Page 17 Network Sensor Policies Figure 1-1 Network Policy View When you create your own custom policies, Enterasys IPS automatically adds four basic master policy modules that must be included in any policy in order to be deployed: • Dynamic Module •...
  • Page 18: Network Sensor Policy Modules

    Network Sensor Policies Figure 1-2 Adding Master Modules to a Custom Policy Once you have added the desired modules to your custom policy, you configure the module parameters for the particular virtual sensor to which that policy will be applied. Procedures for creating and configuring custom policies are provided in Chapter Creating Network Sensor...
  • Page 19 Network Sensor Policies Application Filter Module This module defines traffic criteria that can be ignored by the sensor. Use this module to refine the data which the sensor analyzes, by telling the sensor what types of traffic and packets to ignore. By reducing the amount of data that the sensor has to look at, and therefore the number of events generated, you can often improve the performance of the sensor as well as the analysis process.
  • Page 20 SNMP public community for your network management. When you use the Enterasys IPS reporting tools to view Enterasys IPS events being generated on your network, you may notice that there are thousands of SNMP:PUBLIC events being generated from a source IP address that matches the address of your management station.
  • Page 21 Network Sensor Policies Logging Module The Logging Module is one of the default and required modules that must be included in a Network Sensor policy. This module defines where event logs are stored and how they are displayed. Network Layer Module The Network Layer Module is one of the default and required modules that must be included in a Network Sensor policy.
  • Page 22 TCP State Module TCP State Module is a connection tracking mechanism that Enterasys IPS uses to flag packets that are not part of an established TCP session. This is particularly effective against certain attacks like “stick” and “snot” that use multiple acknowledgement packets that are not part of a session.
  • Page 23: Network Sensor Signatures

    UDP traffic), and/or instantiate a persistent firewall blocking rule, in addition to generating an event. Enterasys IPS ships with a comprehensive set of vulnerability and exploit-based signatures, and Enterasys continually provides signature updates with the Dragon Live Update feature. (Refer to the discussion of Live Update in the Configuration Guide for more information.)
  • Page 24: Signature Libraries And Event Groups

    TCPDUMP (from the ATTACKS Master Library) is matched, an event named AFS:OVERFLOW-TCPDUMP is generated. In the Enterasys IPS Realtime reporting tools, generated events are organized by Event Groups, which have the same names as the Master Libraries. So for example, an AFS:OVERFLOW-TCPDUMP event will be associated with the ATTACKS Event Group.
  • Page 25 This category is used mostly for the converted signature set, but also contains any signature that has been tested with Enterasys IPS, but not tested for all environments. Any signature of this type is placed in this classification for a short time for customers to test.
  • Page 26 Network Sensor Signatures MALWARE This category contains signatures to detect traffic specific to malware, that does not belong in the TROJAN, SUSPICIOUS or VIRUS categories. Examples include 180solutions and HotBar, where user-agents and setting updates are tracked. MISUSE This category contains signatures that detect anything that does not directly compromise the integrity of a host, but is typically forbidden by corporate policy for legal/security reasons.
  • Page 27 Most of that type of activity is ATTACK, SUSPICIOUS, or COMPROMISE activity. Also, viruses that do not carry a backdoor or send out sensitive information are typically not looked for by Enterasys IPS, as virus scanners are much more adept at finding this behavior.
  • Page 28: Basic And Extended Signatures

    Signatures for Cross-Site Scripting (XSS) attacks are placed in this category. Basic and Extended Signatures The Enterasys IPS signature language was extended with the v7.2 release to include a number of new features such as full Perl-compatible regular expression support, communication of state information across signatures, per-signature thresholding, enhanced packet header tests, as well as additional Network Layer, Transport Layer, and Application Layer properties.
  • Page 29: Procedure

    Configuring Port Macros Table 1-1 Pre-defined Macros (continued) Macro Description H-UDP-FILTER Searches for P2P traffic between hosts infected with the Conficker worm. MSRPC Searches for all traffic related to the Microsoft Remote Procedure Call on Ports 135, 137-139, 445, and 1024-5000. Searches for all Server Message Block traffic on ports 134, 445, and 137-139.
  • Page 30 Configuring Port Macros The Add Port Information dialog box appears. Field Description What type of port do you want to add? The type of port you want to add to the macro: • Port — to add a single port •...
  • Page 31: Creating New Policies

    A Network Sensor policy is composed of modules, each of which provides the parameters to define a virtual sensor’s behavior relative to a logical grouping of sensor tasks. You create a new policy by adding the desired modules from the list of master modules provided by Enterasys, and then configuring the module parameters.
  • Page 32: Creating New Policies

    Creating New Policies Enter the name of the policy. You can use any alphanumeric characters. Each policy must have a unique name. Click OK. The policy is added to the tree under Custom Policies, and required modules are listed below Right-click the new policy’s name to add other modules.
  • Page 33: Copying Existing Policies

    Copying Existing Policies Copying Existing Policies You can copy any custom or master policy and then paste it as a new custom policy. You cannot paste custom policies into the Master Policies node. To copy a policy: Click the Network Policy View icon, and then the Network Policies tab. Right-click a policy and highlight Copy.
  • Page 34: General Settings Tab

    NFS, Microsoft file sharing, or internal DNS lookups, then ignoring internal traffic will result in a noticeable performance increase. With Linux, the performance increase will result from Enterasys IPS’s quick decision to drop internal packets. Ignoring all entirely external packets to the protected networks allows the Network Sensor to concentrate only on packets that involve the protected network in some way.
  • Page 35 Configuring the Application Filter Module Click the General Settings tab. Check the desired checkbox(es). The Traffic Direction Chart provides a visual representation of the traffic that will be ignored. • Ignore External Traffic: To ignore traffic entirely external to the protected network (both source and destination addresses outside of protected network) •...
  • Page 36: Ip Settings Tab

    Configuring the Application Filter Module IP Settings Tab Use the settings on the IP Settings tab to configure the sensor to ignore traffic with a set of IP addresses or specific networks as the source address, the destination address, or both source and destination address.
  • Page 37 Configuring the Application Filter Module To edit an IP address setting, select the IP address in the table and click Edit or Edit All. If you select Edit All, you can edit all the ignored IP addresses at once in the Edit All Ignored IP text editing window.
  • Page 38: Port Settings Tab

    Configuring the Application Filter Module Port Settings Tab Use the settings on the Port Settings tab to tell the sensor to ignore traffic with specific TCP or UDP port numbers or ranges of port numbers as the source port, the destination port, or both source and destination ports.
  • Page 39 Configuring the Application Filter Module Table 2-1 Common Port Numbers (continued)

    Protocol   Port Number/Type   Description
    snmp       161/udp            SNMP
    snmptrap   162/tcp            SNMPTRAP
    snmptrap   162/udp            SNMPTRAP
    https      443/tcp            http protocol over TLS/SSL
    https      443/udp            http protocol over TLS/SSL
    exec       512/tcp            remote process execution
    login      513/tcp            remote login a la telnet
    ...
  • Page 40 Configuring the Application Filter Module Click the Port Settings tab. To configure an Ignored Port or an Ignored Port Range, click the Add button located below the appropriate table. Or, alternatively, you can click the Edit All button to display the Edit All Ignored Ports text editing window and enter the desired port information as text strings.
  • Page 41: Protocol Settings Tab

    Configuring the Application Filter Module Example To ignore all FTP traffic, both data packets (port 20) and control packets (port 21) whether the port is the source or destination (any), you would add the following settings to the Port Settings tab. Protocol Settings Tab Use the Protocol Settings tab to tell the sensor to ignore traffic related to specific protocols, identified by number.
  • Page 42 Configuring the Application Filter Module Procedure To configure the sensor to ignore traffic based on specific protocols: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbol, and then select the custom policy name. The modules for that policy are displayed in the tree.
  • Page 43: Vlan Settings Tab

    Configuring the Application Filter Module VLAN Settings Tab The sensor can ignore traffic belonging to a specific VLAN or range of VLAN numbers. Procedure To configure the sensor to ignore specific VLAN traffic: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbol, and then select the custom policy name.
  • Page 44: Probe Settings Tab

    In order to ignore such traffic, you configure an IP address or CIDR block that defines the source of the traffic to ignore and the destination port that should be ignored. Enterasys IPS ignores both the UDP and TCP ports of that number. Return traffic from these sites is also ignored for port scanning purposes.
  • Page 45 Configuring the Application Filter Module – Port: Enter the destination port number that you want to ignore. Port numbers can range from 1 to 65535. To ignore all destination ports, enter 0. Alternatively, click the Edit All button to display the Edit All Probes text editing window and enter the probe information as text strings.
  • Page 46: Rule Settings Tab

    Configuring the Application Filter Module Editing Existing Probe Settings • To edit a single probe setting, highlight the ignored probe and click Edit. The probe is displayed in the Ignored Probe Settings dialog box. Click OK when done. • To edit multiple probe settings, click Edit All. All probes listed in the table are displayed in the Edit All Probes text editor.
  • Page 47 Configuring the Application Filter Module If you select ICMP in the Protocol field, enter the appropriate ICMP type in the Source Port field. • Destination IP Address (CIDR): Enter a specific destination IP address or network and mask that you want to ignore using the following format: <IP address>/<mask>...
  • Page 48: Signature Settings Tab

    Configuring the Application Filter Module Alternatively, click Edit All to display the Edit All Ignored Rules text editing window and enter the rule information as text strings. Click OK. The values are displayed in the table. Click Commit to add your changes to the policy being configured. Example To ignore all local SNMP traffic, you would configure two ignore rules, as shown in the figure below.
  • Page 49 Configuring the Application Filter Module Procedure To configure a sensor to ignore a signature: Click the Network Policy View icon, and then the Network Policies tab. Expand the tree by clicking on the expansion symbol, and then select the custom policy name. The modules for that policy are displayed in the tree.
  • Page 50: Configuring The Covert Channel Analysis Module

    Configuring the Covert Channel Analysis Module Example If you wanted the virtual sensor to ignore the TEL:NT-GUEST and XOPEN:FAIL signatures from the FAILURES group, you would add them to the Ignored Signatures list in the Signatures Editor window, as shown in the figure below. Configuring the Covert Channel Analysis Module Many hackers use ICMP echo request and echo reply packets to communicate covertly.
  • Page 51: Fast Icmp Settings

    Configuring the Covert Channel Analysis Module Backdoor analysis uses two algorithms. The first algorithm collects the specified number of ICMP echo request and echo response packets, then compares the total number of echo requests with the number of echo responses. The numbers should match. If the numbers are off by the specified threshold, the collected traffic is analyzed further to determine which IP address is sending unsolicited echo response packets.
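    The two-stage backdoor check described above, written out as an added example (not code from the Enterasys IPS manual or sensor). It assumes packets are (source, destination, ICMP type) tuples, that the sample size and imbalance threshold are the configurable values the manual refers to, and that the second stage identifies a sender as suspicious when its echo replies have no preceding request in the opposite direction; the sample traffic is constructed.

```python
from collections import Counter

# Standard ICMP type values: 8 = echo request, 0 = echo reply
ECHO_REQUEST, ECHO_REPLY = 8, 0


def analyze_echo_balance(packets, sample_size=20, threshold=2):
    """Two-stage check modelled on the manual's description (assumed details).

    Stage 1: collect up to `sample_size` echo request/reply packets and
    compare the two counts; on a healthy network they should match.
    Stage 2 (only when they differ by `threshold` or more): replay the sample,
    pairing each reply with an outstanding request in the opposite direction,
    and count per sender the replies that had no such request.
    Returns {"requests": n, "replies": n, "suspects": {sender: unsolicited}}.
    """
    sample = [p for p in packets if p[2] in (ECHO_REQUEST, ECHO_REPLY)][:sample_size]
    requests = sum(1 for p in sample if p[2] == ECHO_REQUEST)
    replies = len(sample) - requests
    result = {"requests": requests, "replies": replies, "suspects": {}}
    if abs(requests - replies) < threshold:
        return result  # counts are close enough; nothing to analyze further

    outstanding = Counter()   # (requester, target) -> requests awaiting a reply
    unsolicited = Counter()   # reply sender -> replies with no matching request
    for src, dst, icmp_type in sample:
        if icmp_type == ECHO_REQUEST:
            outstanding[(src, dst)] += 1
        elif outstanding[(dst, src)] > 0:   # reply answers a request from dst to src
            outstanding[(dst, src)] -= 1
        else:
            unsolicited[src] += 1
    result["suspects"] = dict(unsolicited)
    return result


# Constructed sample: three normal ping exchanges between 10.0.0.1 and 10.0.0.2,
# followed by five echo replies from 10.0.0.66 that no host asked for.
SAMPLE = []
for _ in range(3):
    SAMPLE.append(("10.0.0.1", "10.0.0.2", ECHO_REQUEST))
    SAMPLE.append(("10.0.0.2", "10.0.0.1", ECHO_REPLY))
SAMPLE += [("10.0.0.66", "10.0.0.7", ECHO_REPLY)] * 5

BALANCED = SAMPLE[:6]   # the three clean exchanges only

if __name__ == "__main__":
    print(analyze_echo_balance(SAMPLE))     # flags 10.0.0.66 with 5 unsolicited replies
    print(analyze_echo_balance(BALANCED))   # counts match, no suspects
```

    The first stage is cheap (two counters) and is what runs on every sample; the per-pair bookkeeping of the second stage only runs once the counts diverge, which is why the threshold matters: too low and ordinary packet loss triggers the deeper pass, too high and a slow covert channel stays under it.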
  • Page 52: Configuring The Dos Check Module

    Configuring the DoS Check Module Click the Covert Channel Analysis Module in the tree. If you do not want ICMP packet analysis performed, check the Disable Covert Analysis checkbox. By default, checking ICMP echo request and echo response packets for evidence of Loki traffic is enabled.
  • Page 53: Procedure

    [SYN-BOMB] target=%d.%d.%d.%d,%s,%s,%s A list of Network Sensor internal events is available on the Dragon web site: https://dragon.enterasys.com/downloads/docs/SensorInternalEvents.htm Procedure To configure Denial of Service checking: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the custom policy name.
  • Page 54: Configuring The Dragon Filter Module

    (unless there are hundreds of them). Before writing a Dragon filter, you will use the Enterasys IPS reporting tools to analyze the types of events being generated and to identify the events that should be filtered. For example, if you have an administration computer that uses SSH to login to other computers, you will see a large number of SSH events involving the administration computer being generated.
  • Page 55: Writing A Filter Rule

    RLOGIN:ROOT will also be named RLOGIN:ROOT. The names and descriptions of internal events generated by policy settings are listed in the document Sensor Internal Events at this link: https://dragon.enterasys.com/downloads/docs/SensorInternalEvents.htm Keywords and Operators The keywords used in Dragon filters are listed in...
  • Page 56: Procedure

    Configuring the Dragon Filter Module • Only one filter can be created per event name. • There is no upper limit on the number of filters that can be created. Examples of Dragon Filter Rules To filter SSH Version 1 and 2 events involving the IP address 10.100.100.100 as either the source or destination, two filters are required: To filter FTP:USER-ROOT (FTP login as user = root) events if one of the IP addresses of the event is from the 10.200.200.0/24 CIDR block, but not if the source address is either 10.200.200.1 or...
  • Page 57 Configuring the Dragon Filter Module Click New. The Dragon Filter Editor window is displayed. Enter the name of the event to be filtered in the Event Name: field (refer to “Event Names” on page 2-25) or click Browse to display the Event Chooser window and select from the displayed events.
  • Page 58: Configuring The Dynamic Module

    Configuring the Dynamic Module Configuring the Dynamic Module Dynamic Logging enables the sensor to record packets from IP addresses that are involved in events. When an event occurs, the Network Sensor makes a best effort to grab subsequent packets from the source and destination IP addresses of the event packet. The number of recorded packets is determined by the specific alarm or signature.
  • Page 59: Configuring The Header Search Module

    20 and an end byte of 30. Note: With the introduction of extended signature language in Enterasys IPS v7.2, the preferred method of matching portions of network layer or transport layer headers is by means of a custom extended signature.
  • Page 60: Procedure

    Configuring the Header Search Module Because these characters are used as wild cards, attempting to search for them in normal traffic requires that the corresponding hex escape code be used. The escape codes are: ? – 0x3f * – 0x2a $ –...
  • Page 61: Example

    Configuring the Logging Module In the Pattern field, specify the pattern, or search string, to be matched. Refer to “Specifying Search Strings” on page 2-29 for information about how to create a search string. 10. Click OK. The values are displayed in the table. 11.
  • Page 62: Procedure

    Leave the Ring Buffer option selected. This option configures the sensor to write to a shared memory ring buffer and is required for Enterasys IPS operation. Selecting the Alarm Log File option configures the sensor to log events to a file in a “syslog”...
  • Page 63: Configuring The Network Layer Module

    Configuring the Network Layer Module For example, if you enabled repeat tracking for source IP with a repeat threshold of 3, and many identical events were generated consecutively from the same source IP, only 3 of the events would be logged. As soon as a different event occurred after the threshold was met, a final event would be logged that reported the number of unlogged events, as shown in the following log example.
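    A simulation of the repeat-tracking behaviour described above, added here as an example; it is not code from the Enterasys IPS manual or sensor. Assumptions not taken from the manual: events are (name, source IP) records, identical means same name and same source IP, the summary is emitted as an event named "REPEAT-SUMMARY" (the sensor's real log line format is in the manual's own example), and the end of the stream also closes out an open run. The event stream is constructed.

```python
from collections import namedtuple

# Constructed event record: event name, source IP, free-text detail
Event = namedtuple("Event", "name src info", defaults=("",))

# Assumed name for the final event that reports how many events were not logged
SUMMARY_NAME = "REPEAT-SUMMARY"


def repeat_track(events, threshold=3):
    """Return the events that would actually be logged with source-IP repeat tracking.

    Identical consecutive events from the same source IP are logged only
    `threshold` times. When a different event arrives, a summary event
    reporting the number of unlogged events is emitted before it.
    """
    logged = []
    last = None   # (name, src) of the run currently being tracked
    seen = 0      # events seen so far in that run

    def flush():
        # Close out the current run if it went past the threshold
        if last is not None and seen > threshold:
            logged.append(Event(SUMMARY_NAME, last[1], f"{seen - threshold} events not logged"))

    for ev in events:
        key = (ev.name, ev.src)
        if key != last:
            flush()
            last, seen = key, 0
        seen += 1
        if seen <= threshold:
            logged.append(ev)
    flush()   # assumption: end of stream also closes out the final run
    return logged


# Constructed stream: six identical ICMP events from one host, one unrelated
# TCP event, then two more of the ICMP events from the same host.
SAMPLE = (
    [Event("ICMP:ECHO", "10.1.1.5")] * 6
    + [Event("TCP:SYN", "10.1.1.9")]
    + [Event("ICMP:ECHO", "10.1.1.5")] * 2
)

if __name__ == "__main__":
    for ev in repeat_track(SAMPLE, threshold=3):
        print(ev)   # 3 ICMP:ECHO, a summary of 3 unlogged, TCP:SYN, 2 ICMP:ECHO
```

    Note that the run resets when a different event interrupts it: the two ICMP events after the TCP event are logged again in full, which is the behaviour an analyst should expect when reading counts from a sensor with repeat tracking enabled.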
  • Page 64: General Settings Tab

    Do not enable this option unless told to do so by Enterasys Technical Support. Selecting Check IP Options for Zero Length or EOL tells the sensor to look for any packets with IP options of zero length or post EOL (End Of Line) IP options.
  • Page 65 Configuring the Network Layer Module Selecting Log Localhost Traffic tells the sensor to log any packet with a source or destination address to or from 127.0.0.0/8. This address space is reserved. A variety of attacks choose their source addresses from this block. This option is selected by default. Application Note for Ethernet Only: Because these packets are probably spoofed, the hardware address is recorded for these packets for further analysis.
  • Page 66 Configuring the Network Layer Module 12. Click the Advanced Settings pane. 13. Selecting Log Packets with Reserve Bit Turned On causes the sensor to log any IP packet with the reserved bit turned on. This bit is not used by IP networks, but is still part of the IP header.
  • Page 67 Configuring the Network Layer Module 16. Specifying a Log <= TTL Value tells the sensor to log any packet with an IP time-to-live value less than or equal to the specified value. The default value is 0. A common value for the TTL value is 5.
  • Page 68 Configuring the Network Layer Module 21. Specifying a value for Small Fragment Offset tells the Network Sensor to alert on any IP fragment offset that is larger than 0 but smaller than the specified byte length. There are several tools available that will automatically fragment traffic for a hacker. Many of these tools generate fragments with small payloads.
  • Page 69: Log Option Tab

    Configuring the Network Layer Module Log Option Tab A variety of IP options can be recorded based on option type and source IP address. You can specify a list of rules that ignore or log IP packets with options. A Log Option rule has three arguments.
  • Page 70 Configuring the Network Layer Module Click Add to display the Network Layer Log Options dialog box. Select the desired Action, either log or ignore. Enter the source IP address or CIDR block for the rule using the following format: <IP address>/<mask> Select the appropriate IP version checkbox.
  • Page 71: Log Protocol Tab

    Configuring the Network Layer Module Log Protocol Tab The Network Sensor can be told to log or ignore packets based solely on IP protocol and source address. Events of this type are named [PROTO]. A Log Protocol rule has three arguments. The first tells the Network Sensor to log or ignore the specific protocol.
  • Page 72: Log Frag Tab

    Configuring the Network Layer Module Click OK. The rule is displayed in the table. 10. Click Edit or Delete to change or delete existing rules. 11. Use the Move Up and Move Down buttons to place the rules in the desired order. 12.
  • Page 73 Configuring the Network Layer Module Click Add to invoke the Network Layer Log Frag dialog box. Select the desired Action, either log or ignore. Enter the source IP address or CIDR block for the rule using the following format: <IP address>/<mask> Select the appropriate IP version checkbox.
  • Page 74: Log Static Tab

    Configuring the Network Layer Module This example shows the rules to ignore fragmented packets from the internal network (10.100.100.0/24) but log all others. This example shows the rules to log all ICMP and UDP fragments. Log Static Tab The Network Sensor can be configured to log all packets from a particular network or IP address. A Log Static rule has two arguments: a unique name to be associated with the rule, and an IP address or CIDR mask.
  • Page 75 Configuring the Network Layer Module Click Add to invoke the Network Layer Log Static dialog box. In the Event Name field, specify the name of the event that should be generated when this Log Static rule is matched. You can specify any name you want for this event. The name can be any combination of characters, excluding spaces, up to a maximum of 28 characters.
  • Page 76: Log Broadcast Tab

    Configuring the Network Layer Module Log Broadcast Tab The Network Sensor can be configured to watch for packets with strange broadcast destination addresses. These packets are most likely denial of service attacks, network probes, or malfunctioning routers. The Network Sensor ignores internal broadcast traffic and concentrates on traffic from non-protected networks.
  • Page 77: Configuring The Probe Detection Module

    Configuring the Probe Detection Module Enter the destination IP Address and select the appropriate IP version checkbox. No network mask is required. Click OK. The rule is displayed in the table. Click Edit or Delete to change or delete existing rules. 10.
  • Page 78: Procedure

    Configuring the Probe Detection Module Procedure To configure the Network Sensor probe detection settings: Click the Network Policy View icon, and then the Network Policies tab. Expand the tree by clicking on the expansion symbol, and then select the custom policy name. The modules for that policy are displayed in the tree.
  • Page 79 Configuring the Probe Detection Module Specify the Sliding window length in seconds value, which is a limit value for the probe engine buffer. This option tells the Network Sensor how long (in seconds) it will collect unique network packets or events before evaluating the entire collection for sweeps and scans. Packets are collected for unique protocol, destination service, source IP address, and destination IP address values.
  • Page 80: Configuring The Protocol Analysis Module

    Configuring the Protocol Analysis Module 10. Configure the Monitored Port Ranges table to specify which port ranges you want Network Sensor to consider when analyzing for port scans and sweeps. Enter a port number in the Beginning Port and End Port fields, then click Add. There are a variety of port scan and port sweep signatures that exist in normal network traffic.
  • Page 81: Dns Analysis Configuration

    The Network Sensor converts these obscured requests into normal requests that can be matched with signatures. For in-depth examples, please read the paper on DNS IDS evasion that Judy Novak wrote for Enterasys Networks. The paper is located in the Whitepapers section on the Dragon web site: https://dragon.enterasys.com. Procedure To configure DNS Analysis settings: Click the Network Policy View icon and the Network Policies tab.
  • Page 82 Configuring the Protocol Analysis Module Expand DNS Analysis in the Protocol column. DNS analysis is enabled by default. To disable it, click disable in the Property column, then select yes from the drop-down list in the Value column. Verbose mode is disabled by default. When enabled, the sensor will log events when certain evasions occur.
  • Page 83 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 84: Ftp Analysis Configuration

    Configuring the Protocol Analysis Module FTP Analysis Configuration The FTP protocol works by establishing a control connection and a data connection when data needs to be sent. The control connection can use Telnet commands that begin with the IAC byte (0xff).
  • Page 85 Configuring the Protocol Analysis Module FTP analysis is enabled by default. To disable it, click disable in the Property column, then select yes from the drop-down list in the Value column. Verbose mode is disabled by default. When enabled, the sensor will log events when certain evasions occur.
  • Page 86: Finger Analysis Configuration

    Configuring the Protocol Analysis Module To add a Port Macro to the port list, click Add PortMacro. The Port Macro Selection dialog box is displayed. Select the desired macro and click OK. Note: To display existing port macros and their definitions, or to add a new macro, click Default Network Sensor Settings in the Network Policies tab of the Network Policy View. See “Configuring Port Macros”...
  • Page 87 Configuring the Protocol Analysis Module Expand Finger Analysis in the Protocol column. Finger analysis is enabled by default. To disable it, click disable in the Property column, then select yes from the drop-down list in the Value column. Verbose mode is disabled by default. When enabled, the sensor will log events when certain evasions occur.
  • Page 88: H.225 Analysis Configuration

    Configuring the Protocol Analysis Module b. Select the direction of the traffic to be analyzed and click OK. To add a Port Macro to the port list, click Add PortMacro. The Port Macro Selection dialog box is displayed. Select the desired macro and click OK. Note: To display existing port macros and their definitions, or to add a new macro, click Default Network Sensor Settings in the Network Policies tab of the Network Policy View.
  • Page 89 Configuring the Protocol Analysis Module Procedure To configure H.225 Analysis settings: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Protocol Analysis Module in the tree.
  • Page 90 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 91: H.245 Analysis Configuration

    Configuring the Protocol Analysis Module H.245 Analysis Configuration H.245 is also an ITU-T call signaling protocol that can be used in session establishment for Voice over IP (VoIP). The H.245 protocol analyzer verifies that capability exchange, command, request, and response messages are legal, as defined in the ITU-T H.245 specification. If any errors are found, then the H.245 protocol decoder raises an event [H245:INVALID-MESSAGE].
  • Page 92 Configuring the Protocol Analysis Module Verbose mode is disabled by default. When enabled, the sensor will log events. To enable it, click verbose in the Property column, then select yes from the drop-down list in the Value column. The sensor looks at traffic traveling in any direction on port 1722. To edit the existing port 1722 configuration, select that row in the table and click Edit Port.
  • Page 93: HTTP Analysis Configuration

    Configuring the Protocol Analysis Module 10. To add a Port Macro to the port list, click Add PortMacro. The Port Macro Selection dialog box is displayed. Select the desired macro and click OK. Note: To display existing port macros and their definitions, or to add a new macro, click Default Network Sensor Settings in the Network Policies tab of the Network Policy View.
  • Page 94 Configuring the Protocol Analysis Module Procedure To configure HTTP Analysis settings: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Protocol Analysis Module in the tree.
  • Page 95 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 96: ICMP Analysis Configuration

    Configuring the Protocol Analysis Module ICMP Analysis Configuration The ICMP protocol is used by a variety of normal and hacker activities. Logging all of that activity generates a lot of information. You can configure ICMP Analysis settings to filter ICMP traffic and only log specific ICMP events by using the ICMP Log Elements section of the ICMP Analysis Settings window.
  • Page 97 Configuring the Protocol Analysis Module Procedure To configure ICMP Analysis settings: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Protocol Analysis Module in the tree.
  • Page 98 Configuring the Protocol Analysis Module Configure your filters in the ICMP Log Elements window. Click Add. The Add ICMP Log Element dialog box is displayed. Select the desired action, either ignore or log, from the Action drop-down menu. b. Enter the network source IP address using the following format: <IP address>/<mask>...
  • Page 99: MGCP Analysis Configuration

    Configuring the Protocol Analysis Module This example tells the sensor to log ICMP protocol unreachable messages, port unreachable ICMP packets, admin prohibited filter packets, IDRP router advertisements, and IDRP router selection messages. MGCP Analysis Configuration The Media Gateway Control Protocol (MGCP) was developed by the Internet Engineering Task Force (IETF).
  • Page 100 Configuring the Protocol Analysis Module Expand MGCP Analysis in the Protocol column. MGCP analysis is disabled by default. To enable it, click disable in the Property column, then select no from the drop-down list in the Value column. All of the MGCP analysis properties are enabled by default. To disable any of them, click the desired property in the Property column, then select no from the drop-down list in the Value column.
  • Page 101 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 102: RIP Analysis Configuration

    Configuring the Protocol Analysis Module RIP Analysis Configuration These settings look for Routing Information Protocol (RIP) packets with a metric of zero or commands to enable route tracing. Metrics of zero are used by hackers to spoof routing information by means of the RIP protocol. Some versions of UNIX and routers also respond to RIP packets that ask them to trace or create a diagnostic log of route information.
  • Page 103 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 104: RPC Analysis Configuration

    For more details about this particular evasion and DoS attack, please read Randy Taylor’s explanation, which can be found in the Whitepapers section of the Dragon web site: https://dragon.enterasys.com • You can configure the sensor to watch only for specific RPC traffic, by configuring ignore and log rules in the RPC Log Elements area of the Analysis Settings window.
  • Page 105 Configuring the Protocol Analysis Module Expand RPC Analysis in the Protocol column. RPC analysis is enabled by default. To disable it, click disable in the Property column, then select yes from the drop-down list in the Value column. The any-port property is disabled by default. To cause the Network Sensor to attempt an RPC decode of every packet it sees, regardless of destination port, click any-port in the Property column, then select yes from the drop-down list in the Value column.
  • Page 106 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 107 Configuring the Protocol Analysis Module 10. To configure the sensor to watch only for specific RPC traffic, configure ignore and log rules in the RPC Log Elements table. Click Add to display the Add RPC Log Element dialog box. Select the desired action, either ignore or log, from the Action drop-down menu. b.
  • Page 108: SIP Analysis Configuration

    Configuring the Protocol Analysis Module This example tells the sensor to log nfs (100003), lockd (100020), and ypupdated (100028) RPC traffic. SIP Analysis Configuration The IETF’s SIP protocol is used in initial session establishment and session teardown for Voice over IP (VoIP). The protocol decoder for SIP performs two functions. First, it verifies that the SIP message (consisting of the Request/Status line and a sequence of message headers) has the proper BNF syntax as specified in section 25 of RFC 3261.
  • Page 109 Configuring the Protocol Analysis Module Expand SIP Analysis in the Protocol column. SIP analysis is disabled by default. To enable it, click disable in the Property column, then select no from the drop-down list in the Value column. All of the SIP analysis properties are enabled by default. To disable any of them, click the desired property in the Property column, then select no from the drop-down list in the Value column.
  • Page 110 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 111: SMB Analysis Configuration

    Configuring the Protocol Analysis Module SMB Analysis Configuration SMB analysis looks at the Server Message Block protocol (SMB) packets. You can choose to log SMB activity by NETBIOS session and login attempts. The Network Sensor can watch for certain types of NETBIOS traffic. This setting is useful for watching failed Windows file share mounting.
  • Page 112 Configuring the Protocol Analysis Module SMB analysis is enabled by default. To disable it, click disable in the Property column, then select yes from the drop-down list in the Value column. All of the SMB analysis properties are enabled by default. To disable any of them, click the desired property in the Property column, then select no from the drop-down list in the Value column.
  • Page 113: SNMP Analysis Configuration

    Configuring the Protocol Analysis Module 10. To add a Port Macro to the port list, click Add PortMacro. The Port Macro Selection dialog box is displayed. Select the desired macro and click OK. Note: To display existing port macros and their definitions, or to add a new macro, click Default Network Sensor Settings in the Network Policies tab of the Network Policy View.
  • Page 114 Configuring the Protocol Analysis Module Expand SNMP Analysis in the Protocol column. SNMP analysis is enabled by default. To disable it, click disable in the Property column, then select yes from the drop-down list in the Value column. Verbose mode is disabled by default. When enabled, the sensor will log events. To enable it, click verbose in the Property column, then select yes from the drop-down list in the Value column.
  • Page 115: Telnet Analysis Configuration

    Configuring the Protocol Analysis Module b. Select the direction of the traffic to be analyzed and click OK. To add a Port Macro to the port list, click Add PortMacro. The Port Macro Selection dialog box is displayed. Select the desired macro and click OK. Note: To display existing port macros and their definitions, or to add a new macro, click Default Network Sensor Settings in the Network Policies tab of the Network Policy View.
  • Page 116 Configuring the Protocol Analysis Module Procedure To configure Telnet Analysis settings: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Protocol Analysis Module in the tree.
  • Page 117 Configuring the Protocol Analysis Module Select the type of port to add or exclude, then enter the port number or low and high numbers for a range. Refer to Table 2-1 on page 2-8 for a list of common port numbers. b.
  • Page 118: Configuring the SNMP Trap Module

    Configuring the SNMP Trap Module Configuring the SNMP Trap Module This module configures the parameters used by the Network Sensor when it sends SNMP traps to SNMP servers. When the sensor creates an SNMP trap, it can select a particular IP address to show up in the SNMP record.
  • Page 119: Configuring the TCP State Module

    Click Commit to add your changes to the policy being configured. Configuring the TCP State Module TCP State is a connection tracking mechanism that Enterasys IPS uses to flag packets that are not part of an established TCP session. This is particularly effective against certain attacks like “Stick”...
  • Page 120 The maximum value is 400,000 and the default value is 50,000. Enterasys recommends that you keep the default value unless there are more than 50,000 concurrent TCP connections visible on the network segment where the Network Sensor is deployed.
  • Page 121: Configuring the Transport Layer Module

    Configuring the Transport Layer Module Configuring the Transport Layer Module This module defines logging actions for Transport Layer traffic. This module has ten tabs, described in the following sections. For information about the General Settings Tab, refer to page 2-91; the Stream Rebuilding Tab, page 2-94; the Flags Tab, page 2-96...
  • Page 122 The checksum verification will only be applied to non-fragmented traffic. Fragmented packets will only be evaluated after Enterasys IPS has reconstructed the underlying IP packet. The value entered is used to indicate how often this test should be carried out. For example, a value of 5 checks every 5th packet.
  • Page 123 10. Selecting the Trust option tells the sensor not to check TCP sequence and acknowledgement numbers, including checks on the sequence number in RST packets attempting to shut down TCP connections. Enterasys recommends that you leave this option disabled.
  • Page 124: Stream Rebuilding Tab

    If a UDP or TCP session is rebuilt and an event occurs, that event will have a tcp-stream or udp-stream message in its event message data. Note: These settings are rarely customized, and Enterasys recommends that you do not change the default values on this tab.
  • Page 125 Configuring the Transport Layer Module Click the Stream Rebuilding tab. The Enable Stream Building parameter must be selected to enable this feature. Select Force Rebuild to allow the Network Sensor to continue stream reassembly (for example, Telnet sessions) even if an individual packet has been logged as an event. Typically, the Network Sensor will not continue stream reassembly if one of the packets triggers an event, because of the processing overhead involved.
  • Page 126: Flags Tab

    – maximum —approximately 40,000 simultaneous sessions 13. The Session Window Size specifies the size of the buffer into which Enterasys IPS reassembles data for each TCP session. Therefore, it is the number of rebuilt bytes of application session data that the Network Sensor will send to the pattern matching engine for each TCP session.
  • Page 127: Log Syn Tab

    Configuring the Transport Layer Module Click the Flags tab. To create a new flag combination, click New to display the Edit Flags dialog box. Select the desired flags and click OK. The new flag combination is added to the Flags table. To edit an existing combination, select that row in the Flags table, then click Edit to display the Edit Flags dialog box.
  • Page 128 Configuring the Transport Layer Module Procedure To configure logging of TCP session requests: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Transport Layer Module in the tree.
  • Page 129: Log Session Tab

    Logging occurs if the source or destination IP address and port matches the particular logging rule. Once captured by the Network Sensor, there are several Enterasys IPS Forensics reporting tools that can play back multiple recorded sessions. Events of this type are logged with the [SESSION] name.
  • Page 130 Configuring the Transport Layer Module Procedure To configure Log Session rules: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Transport Layer Module in the tree.
  • Page 131: Log Start Stop Tab

    Configuring the Transport Layer Module Examples The following example shows three rules that tell the sensor to log all 10.100.100.10/32 traffic except SSH and DNS traffic. This example tells the sensor to log all Telnet traffic. This example tells the sensor to log all POP email traffic for network 24.3.19.0/24. Log Start Stop Tab Use the Log Start Stop tab settings to tell the sensor to log or ignore TCP session starts and stops.
  • Page 132 Configuring the Transport Layer Module Procedure To configure Log Start/Stop settings: Click the Network Policy View icon and the Network Policies tab. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree. Click the Transport Layer Module in the tree.
  • Page 133: Log Destination Tab

    Configuring the Transport Layer Module Example The following example shows six rules. The first four tell the sensor to ignore all SMTP (port 25), DNS (port 53), Web (port 80), and SSL (port 443) traffic. The fifth rule says to ignore all traffic coming to/from 10.100.100.10/32.
  • Page 134 Configuring the Transport Layer Module Click Add to add a new rule. The Transport Layer Log Destination dialog box is displayed. Select the desired Action, either log or ignore. Enter the destination IP address or CIDR block for the rule using the following format: <IP address>/<mask>...
  • Page 135: Log Server Tab

    Configuring the Transport Layer Module This example tells the sensor to ignore web traffic to four web servers on the local network but to log any other web traffic on the network. Log Server Tab The Log Server settings help find illegal TCP services by looking for Syn-Ack packets coming from protected hosts.
  • Page 136 Configuring the Transport Layer Module Click Add to add a new rule. The Transport Layer Log Server dialog box is displayed. Enter the destination IP address or CIDR block for the rule using the following format: <IP address>/<mask> Select the appropriate IP version checkbox. Network masks can range from 0-32 for IPv4 and 0-128 for IPv6.
  • Page 137 Configuring the Transport Layer Module Examples Assume that there are three web servers on the local network, 10.10.10.1 through .3. The following example shows four rules that tell the sensor to not alert on port 80 Syn-Ack packets from those three IP addresses but to log Syn-Ack packets from port 80 from any other IP address on the local network.
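The Log Session and Log Server examples above both describe ordered lists of log/ignore rules keyed on an address block and a port. The following is an added example, not code from the Enterasys manual, that evaluates such rules first-match-wins against constructed observations. Two things are assumed rather than stated on the page: that rules are evaluated top to bottom with the first match deciding, and that "the local network" in the Log Server example is 10.10.10.0/24. A packet matching no rule is returned as None so the caller can tell "ignored" from "no rule".

```python
"""Added example (not Enterasys code): first-match evaluation of log/ignore
rules of the kind the Log Session and Log Server tabs describe.

Assumptions (not stated on the page): rules are evaluated top to bottom and
the first rule whose CIDR block and port both match decides; a packet that
matches no rule is neither logged nor suppressed (returned as None).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "log" or "ignore"
    network: str           # <IP address>/<mask>, the format the dialogs use
    port: Optional[int]    # None matches any port

    def matches(self, addr: str, port: int) -> bool:
        # strict=False so a host address written with a short mask is accepted
        return (ip_address(addr) in ip_network(self.network, strict=False)
                and (self.port is None or self.port == port))


def evaluate(rules, addr, port):
    """Return 'log', 'ignore', or None when no rule matches (addr, port)."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action
    return None


# Log Server example from the text: three web servers 10.10.10.1-.3 whose
# port-80 Syn-Acks are expected; any other host on the local network answering
# on port 80 is logged. "Local network" is assumed to be 10.10.10.0/24.
LOG_SERVER_RULES = [
    Rule("ignore", "10.10.10.1/32", 80),
    Rule("ignore", "10.10.10.2/32", 80),
    Rule("ignore", "10.10.10.3/32", 80),
    Rule("log", "10.10.10.0/24", 80),
]

# Log Session example: log all 10.100.100.10/32 traffic except SSH and DNS.
LOG_SESSION_RULES = [
    Rule("ignore", "10.100.100.10/32", 22),
    Rule("ignore", "10.100.100.10/32", 53),
    Rule("log", "10.100.100.10/32", None),
]

# Constructed Syn-Ack observations: (source address, source port).
SYN_ACKS = [
    ("10.10.10.2", 80),     # known web server: ignored
    ("10.10.10.50", 80),    # unexpected port-80 service on the local net: logged
    ("10.10.10.50", 443),   # no rule covers port 443: None
    ("192.0.2.7", 80),      # off the local network: None
]


def classify_syn_acks(rules=LOG_SERVER_RULES, packets=SYN_ACKS):
    """Map each (addr, port) observation to the action the rules give it."""
    return {pkt: evaluate(rules, *pkt) for pkt in packets}


if __name__ == "__main__":
    for pkt, action in classify_syn_acks().items():
        print(pkt, "->", action)
```

For the Log Session rules the caller decides which address to test, since that tab matches on either the source or the destination of the session; for Log Server it is the source of the Syn-Ack.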
  • Page 138: Log Syn Pattern Tab

    Configuring the Transport Layer Module Log Syn Pattern Tab Some suspicious network activities, such as TFN 2000, send data in TCP Syn packets. It is perfectly legal for TCP sessions to send data in Syn and Syn-Ack packets, but it rarely occurs. To search all TCP Syn packets for a specific pattern, use the Log Syn Pattern tab to create rules that specify a list of event names and data patterns to look for in each Syn packet that has a data payload.
  • Page 139: Log Pairs Tab

    Configuring the Transport Layer Module Click Edit or Delete to change or delete existing rules. 10. Click Commit to add your changes to the policy being configured. Example The first rule causes an [EXAMPLE] event to be generated when “example” is matched. The second rule causes an [EXAMPLE2] event to be generated when “////”...
  • Page 140 Configuring the Transport Layer Module Click Add to add a new rule. The Transport Layer Log Pairs dialog box is displayed. In the Event Name field, specify the name of the event that should be generated when this Log Pairs rule is matched. You can specify any name you want for this event. The name can be any combination of characters, excluding spaces, up to a maximum of 63 characters.
  • Page 141 Configuring the Transport Layer Module • Generate an [FTP-SP-WEB] event when source porting FTP-DATA to connect to a web server is detected • Generate an [FTP-SP-IMAP] event when source porting FTP-DATA to connect to imap is detected
  • Page 143: Chapter 3: Creating Network Sensor Signatures

    Creating Network Sensor Signatures Enterasys Intrusion Prevention System ships with a comprehensive set of vulnerability and exploit-based signatures. In addition, Enterasys continually provides signature updates with the Live Update feature. The predefined signatures are organized in Master Libraries, which can be viewed from the Signature Libraries tab in the Network Policy View.
  • Page 144: Suspicious Traffic

    Signature Overview A good example of this is the PHF attack. Normally, an attack against older web servers could be accomplished by sending specially formatted argument strings to the /cgi-bin/phf program which, at one point, shipped with many common web servers. There are hundreds of permutations which may all be based on the /cgi-bin/phf program and each of these attacks or probes reference that URL.
  • Page 145: Tips For Creating Signatures

    TFTP is another type of protocol used in the management of routers and phone switches. Using Enterasys IPS to watch for any traffic to these devices that is not from a known or trusted source may turn up a variety of interesting traffic.
  • Page 146 Off-Port Servers Enterasys IPS signatures can be written to look for almost any service on the wrong port. A common hacker (or malicious administrator) technique is to run services such as HTTP, FTP, and SSH on ports other than their standard port number. For example, many WAREZ FTP servers run on TCP port 69.
  • Page 147: Creating Custom Signature Libraries

    Enterasys IPS can be used to look for traffic destined for particular IP addresses or network services that do not exist. For example, with ICMP, Enterasys IPS can be configured to look for external network PING attempts to some hosts that do not exist. This is a good way to find external probes and slow scans.
  • Page 148: Creating A Custom Library

    Creating Custom Signature Libraries Creating a Custom Library To create a custom library: Click the Network Policy View icon, then click the Signature Libraries tab and expand the Master Libraries list. The existing list of Master Libraries is displayed. In the tree, right-click Custom Libraries and select Add Custom Signature Library. The Signature Library Creation Wizard window appears.
  • Page 149 Creating Custom Signature Libraries Select one of the following methods of library creation: To create an empty library, select Create an empty signature library, then click Finish. Your custom library is created and listed under Custom Libraries in the tree. Go to “Creating Custom Signatures”...
  • Page 150: Copying Existing Signatures Into a Custom Library

    Creating Custom Signature Libraries Copying Existing Signatures Into a Custom Library After you create your custom library, whether you have created an empty library or created one based on existing libraries and signatures, you can copy signatures from other libraries into your custom library.
  • Page 151: Using the Signature Filter Dialog

    Creating Custom Signature Libraries Select the desired signatures from the list in the right-hand panel and click Copy to Library. The Copy Signatures to Libraries window displays. Select the custom library in the left pane to which you want to copy the signatures, then click the yellow arrow (pointing right) to move that library to the right pane and click OK.
  • Page 152 Creating Custom Signature Libraries Select Filter Signatures, then click the Filter Settings button. The Signature Filter Dialog window is displayed. Signature Name Contains: If you want to filter based on signature name, enter any text characters contained in the signature name. For example, if you wanted to display all the signatures in the APPS Master Library that look for Chat traffic, you could enter WHOIS in this field.
  • Page 153 Creating Custom Signature Libraries Signature Protocol Contains: Signatures can be applied against any IP protocol. If you want to filter based on specific protocol the signature applies to, enter the character T to specify TCP, U to specify UDP, or I to specify ICMP. Enter the protocol number to specify any other IP protocol.
  • Page 154: Creating Custom Signatures

    Creating Custom Signatures 16. Modified before or after: You can filter based on the date the signature was modified. Select either before or after, then enter the date in yyyy-mm-dd format, or click the Choose button to display a calendar from which you can select a date. 17.
  • Page 155 Creating Custom Signatures Select the desired custom library. The display area is populated. Select your editing method: – To add a completely new signature to the library, click Add. – To add a new signature based on an existing signature in the library, select the signature in the Signature Library Properties panel, then click Copy.
  • Page 156: Configuring Basic Signature Properties

    Creating Custom Signatures The Signature Property Settings window displays. Note that there are two main tab pages, Basic and Extended. You will need to access the Extended tab page only if you are creating or editing a signature that uses the extended signature language.
  • Page 157 Creating Custom Signatures Basic Settings Tab To configure the options on the Settings sub-tab page: In the Enable group, select: – Signature in Library to enable the signature being configured after configuration is complete. – Follow on Signature to create a follow on signature. Follow on signatures are only evaluated when dynamic packets have been collected as a result of a match by another signature or policy.
  • Page 158 Creating Custom Signatures If desired, assign a severity to the signature from the Score pull-down menu. The score can be used by a Security Information Manager (SIM) such as the Enterasys Security Information and Event Manager. Select the Event Group to assign the signature from the Classification drop-down list. For...
  • Page 159 Creating Custom Signatures In the Signature Port group, specify the port or ports to which the signature applies. – To specify a single port, select Port and enter the port number. Refer to Table 2-1 on page 2-8 for a list of common port numbers. –...
  • Page 160 Creating Custom Signatures Select the Reference Type from the pull-down menu. The choices are: – BUGTRAQ – – NESSUS – CERT – URLREF Enter the reference text in the Reference field. Click OK. The reference is added to the References table. Select an existing reference in the table, then click the Edit button to edit an existing reference or click the Delete button to delete an existing reference.
  • Page 161 Creating Custom Signatures Wild Cards There are four available wild card characters—the question mark (?), the asterisk (*), the dollar sign ($), and the point sign (#). All wild cards represent a single byte that may be used to represent the following ranges: ? –...
  • Page 162 Creating Custom Signatures Select the signature type from the Signature Pattern Type pull-down menu: – standard — A standard signature uses one pattern string. – combo — A combination signature uses two patterns. If the pattern defined in the Pattern field is found, the signature continues to search for the pattern defined in the Alternate Pattern field.
  • Page 163: Configuring Extended Signature Properties

    Configuring Extended Signature Properties The Extended tab allows you to configure the features of the new signature language introduced in Enterasys IPS v7.2. These features include full Perl compatible regular expression support, communication of state information across signatures, per-signature thresholding, enhanced packet header tests, and more.
  • Page 164 It should be noted that the flow tag test can apply to Enterasys IPS signatures that just match against packet headers and do not contain application layer tests. However, typically flow tags are most useful for those signatures that do match against packet payload data.
  • Page 165: Setting Event Limits

    IP most likely indicates a brute force password cracking attempt. As with flow tags, event limits can also apply to Enterasys IPS signatures that do not contain application layer tests, but in general this feature is most useful for those signatures that do match against packet payload data.
  • Page 166 Creating Custom Signatures a{1,10}__b{1,10}__c{1,10} Note: In general, if you know the exact format of the content you are trying to match (including the proper number of spaces), use the Extended Pattern type. For any data that may be variable, use PCRE.
  • Page 167 Creating Custom Signatures Extended Pattern The extended signature language contains an expanded variation for the original definition of a pattern on which to search. This new definition allows such a pattern to take into account URL-encoded data with the URI Decode attribute. It still follows the same “/0a” notation used for Basic signatures for specifying hex codes to search for in network traffic (described in “Specifying Signature Pattern...
  • Page 168 Creating Custom Signatures Payload Test The Payload Test type of matching allows Enterasys IPS to specify a set of bytes within packet data and then run various arithmetic tests against the values those bytes represent. This is a powerful feature since such operations can be difficult to duplicate within PCRE (or other) tests.
  • Page 169 Creating Custom Signatures Payload Jump The Payload Jump type of matching allows Enterasys IPS to use values within packet data as the input to the number of bytes to jump further into the packet for additional payload tests. This is an important feature for protocols that use variable length fields.
  • Page 170: Extended Settings Tab

    Creating Custom Signatures Extended Settings Tab To configure the options on the Extended Settings sub-tab page: In the Signature Property Settings window, click the Extended tab page, then click the Settings tab. Source IP Address (CIDR): Enter the source IP address to match using the following format: <IP address>/<mask>...
  • Page 171 Creating Custom Signatures Destination Port: Enter the destination port or ports to match. – To specify a single port, select Port and enter the port number. Refer to Table 2-1 page 2-8 for a list of common port numbers. Valid values range from 0 to 65536. –...
  • Page 172: Network Layer Tab

    Creating Custom Signatures Select the desired Action: define — When this signature matches, set the flow tag. test-defined — Evaluate this signature if the flow tag has already been set. test-not-defined — Evaluate this signature if the flow tag has not been set. clear —...
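The define / test-defined / test-not-defined / clear actions listed above are easiest to understand as a per-flow set of tag names that one signature writes and another reads. The following is an added example, not code from the Enterasys manual, that simulates that state passing between signatures on a constructed FTP exchange. Assumptions not stated on the page: a flow is identified by its address/port pair regardless of direction, every matching signature raises an event (the tag action is a gate or a side effect, never a substitute for the event), each signature carries at most one flow tag action, and signatures are tried in list order.

```python
"""Added example (not Enterasys code): how the four flow tag actions let one
signature pass state to another signature on the same flow.

Assumptions (not stated on the page): a flow is keyed by its address/port
pair regardless of direction, each signature carries at most one flow tag
action, every matching signature raises an event, and a packet is run
through every signature in list order.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signature:
    name: str
    pattern: bytes
    tag: Optional[str] = None      # flow tag this signature refers to
    action: Optional[str] = None   # define | test-defined | test-not-defined | clear


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(p: Packet):
    """Direction-independent key so both halves of a session share tags."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Sensor:
    def __init__(self, signatures):
        self.signatures = signatures
        self.tags = {}   # flow_key -> set of tag names currently defined

    def process(self, packet: Packet) -> list:
        """Return the names of the signatures that raise an event for this packet."""
        defined = self.tags.setdefault(flow_key(packet), set())
        events = []
        for sig in self.signatures:
            # The test-* actions gate on flow state before the payload is examined.
            if sig.action == "test-defined" and sig.tag not in defined:
                continue
            if sig.action == "test-not-defined" and sig.tag in defined:
                continue
            if sig.pattern not in packet.payload:
                continue
            # A match: apply the state-changing actions, then raise the event.
            if sig.action == "define":
                defined.add(sig.tag)
            elif sig.action == "clear":
                defined.discard(sig.tag)
            events.append(sig.name)
        return events


# Constructed signatures: USER sets the tag, PASS is interpreted differently
# depending on whether USER was seen, and a 230 reply from the server clears it.
SIGNATURES = [
    Signature("FTP:USER", b"USER ", tag="ftp-login", action="define"),
    Signature("FTP:PASS-AFTER-USER", b"PASS ", tag="ftp-login", action="test-defined"),
    Signature("FTP:PASS-NO-USER", b"PASS ", tag="ftp-login", action="test-not-defined"),
    Signature("FTP:LOGIN-OK", b"230 ", tag="ftp-login", action="clear"),
]

# Constructed traffic: one normal login, then a client that sends PASS first.
PACKETS = [
    Packet("10.0.0.5", 40001, "10.0.0.21", 21, b"USER alice\r\n"),
    Packet("10.0.0.5", 40001, "10.0.0.21", 21, b"PASS s3cret\r\n"),
    Packet("10.0.0.21", 21, "10.0.0.5", 40001, b"230 Login successful\r\n"),
    Packet("192.0.2.9", 40002, "10.0.0.21", 21, b"PASS guess\r\n"),
]


def run_demo():
    """Feed the constructed packets through one sensor and collect the events."""
    sensor = Sensor(SIGNATURES)
    return [sensor.process(p) for p in PACKETS]


if __name__ == "__main__":
    for p, events in zip(PACKETS, run_demo()):
        print(p.payload.strip().decode(), "->", events)
```

The third packet travels server-to-client yet clears the tag on the same flow, which is why the key is built from the sorted address/port pairs; without that, the two directions would keep separate state.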
  • Page 173 Creating Custom Signatures TTL — The value of the 8-bit Time To Live (TTL) field in the IP header exhibits a high degree of variation from OS to OS, and programs such as traceroute (which set artificially low TTL values) can be used to assist in the network mapping process. You can specify: –...
  • Page 174: Transport Layer Tab

    Creating Custom Signatures Frag — Select from the drop-down menu to match on packets that have the MF (More Fragments) bit set, the DF (Don't Fragment) bit set, or the RB (Reserve) bit set. – Match Specific — The signature will match if any of the Frag options exist in the packet. If Match Specific is not selected, then the signature will match only if the packet contains the specified Frag option and no others.
  • Page 175 Creating Custom Signatures Sequence — This feature allows Enterasys IPS to match TCP packets that contain a specific Sequence number (or range of Sequence numbers). Some port scanners automatically hardcode the TCP Sequence number in SYN packets they generate, so matching these numbers in network traffic can be an effective mechanism for detecting such activity.
  • Page 176 Flow — Specifies that Enterasys IPS should generate an event only if the corresponding TCP session is in the specified state. For example, to force a signature to match only if a packet has emanated from the server side of an established TCP session, you would select a direction of source-server and a state of established.
  • Page 177 Select the Extended tab, then the Transport Layer tab. The following figure shows the ICMP sub-tab page. Type — This feature allows Enterasys IPS to match against the 8-bit Type field in the ICMP header. Technically the ICMP protocol is strictly a network layer protocol, but in practice ICMP is commonly designated as belonging to the Transport layer by intrusion detection systems.
  • Page 178: Application Layer Tab

    Creating Custom Signatures ID — Configures Enterasys IPS to match network traffic against the 16-bit ID field in the ICMP header. Some ICMP scanners hardcode this value. – Minimum Type value to match. Valid values range from 0 to 66536. If you are specifying a single value, enter the same value in the Maximum field also.
  • Page 179 Creating Custom Signatures Payload Size — These settings allow you to configure a signature to match only if the payload portion of a packet matches the search criteria specified by the Payload Size options. Use these settings to check for abnormally sized packets, or to detect buffer overflows. –...
  • Page 180 For example, if you set distance = 8 and within = 4 in the same match element, this tells Enterasys IPS to start searching for the pattern after 8 bytes from the end of the previous pattern AND the newly searched pattern must be within 4 bytes from the start of a match.
  • Page 181 – URI Decode — Tell the sensor whether or not to decode the pattern before being sent through the pattern matcher. That is, application layer data in packets that contain encoded characters such as "%2f" are normalized to contain their ASCII equivalent ("%2f" = "/") before the signature comparison is made.
  • Page 182 – Match Negative — Matches the signature if the Pattern specified is not found within the packet payload data. – URI Decode — Tells the sensor to decode the payload before being sent through the pattern matcher. That is, application layer data in packets that contain encoded characters such as "%2f"...
  • Page 183 – Jump — Specifies the number of bytes to jump into the payload before starting processing. Valid range is 0 to 1514 bytes. If Relative to Previous is selected, this value is an offset from the previous match. –...
  • Page 184 Align — Update the tracking pointer to the nearest full byte boundary. – String Data — Select this option to tell Enterasys IPS to interpret the value read from the packet/payload as a number represented in ASCII, meaning Enterasys IPS will convert it into an integer automatically.
  • Page 185: Creating Custom Event Groups

    Creating Custom Event Groups: In the Enterasys IPS Realtime reporting tools, generated events are organized by Event Groups, which are the same as the names of the Master Libraries. So for example, an AFS:OVERFLOW-TCPDUMP event will be associated with the ATTACKS Event Group. You can use Event Groups as one way to filter event reporting.
  • Page 186: Example Of Signature Creation

    Example of Signature Creation: A database server in the core of your network contains complete customer profiles and the complete history of their business dealings with your company. There is a web interface to the database (making it easy for your sales force to manage accounts).
  • Page 187 Figure 3-2 Normal Login; Figure 3-3 Administrator Login.
  • Page 188 Comparing these two traces, you can see that once you are logged in, all your transactions have a user ID attached to them. Your user ID is 85. The Administrator user ID is 1. Without even realizing it, we have already completed two of our three tasks - identify when someone is accessing the web page, and when they are using Administrator.
  • Page 189 We are looking at web traffic (port 80); however, we are looking at the destination, for traffic going from the client to the server. This tells Enterasys IPS we are looking for the string going TO the port listed later. This setting is used for performance reasons, in addition to limiting false positives.
  • Page 190 A string banner will look a certain way every time, so we could use “Binary”, telling Enterasys IPS to “look for the string 'exactly' as I type it.” Since we are looking for traffic coming from a user, we cannot implicitly trust it as easily as if it came from a server. A user can easily take steps to hide their activities.
  • Page 192 Since the server will be closing the connection after sending the failure page, there is no need to dynamically log follow-on packets. Enterasys IPS only does this on a per-session basis, but the session will be ending immediately. Additionally, since the login failed, the end-user will not be able to perform any action of forensic value (in this case).
  • Page 193 The heading on the failure page should be sufficient for the purpose of identifying failed logins. The string appears as “NOT AUTHORIZED” in the packet dump. Since we are doing a “Binary” search, Enterasys IPS will only look for an all caps instance of the string.
  • Page 195: Appendix A: Keywords/XML Attributes

    Keywords/XML Attributes 6.x to 7.x Mappings The underlying configuration mechanisms were revised for Enterasys IPS 7.0. For users who do not want to use the GUI, or who just want to understand the new XML configuration, a mapping table is provided.
  • Page 196 6.x to 7.x Mappings, Table A-1 6.x to 7.0 Keyword Mapping (continued); columns: 6.x Keyword, 7.0 XML Attribute, Description. BROADCAST (NSC/SC/C/NetworkLayer/Broadcast): The Network Sensor can be configured to watch for packets with strange broadcast destination addresses. These packets are most likely denial of service attacks, network probes or malfunctioning routers.
  • Page 197 COMPLEX (NSC/SC/C/PortMacro): As a design goal of the Enterasys IPS Sensor, it was desired to allow users to specify ‘port macros’ where one signature would be applied across several ports or a complex range of ports.
  • Page 198 'dragon.sigs' as they are loaded when it is first started. It is useful for diagnosing incorrect configuration file errors. This setting will not work when the Enterasys IPS Sensor is run as a background process. This setting is not available through the Enterasys IPS Server management interface and is reserved for diagnostics and troubleshooting.
  • Page 199 DESTINATION (NSC/SC/C/TransportLayer/LogDestination): The Network Sensor has the ability to create virtual honeypots, which look for traffic attempting to reach nonexistent hosts. The assumption is that remote network probes will not know the topology of the target network and will attempt to talk to services which are not...
  • Page 200 Technical Notes: DNSAnalysis looks at both UDP and TCP traffic. For in-depth examples, please read the paper on DNS IDS evasion. The paper is located at: https://dragon.enterasys.com/wp/DNS_Evasion.pdf
  • Page 201 The Network Sensor searches packets for distinct trademarks of specific denial of service tools that are in use and freely available. The following is the list of Enterasys IPS Events that are created by this keyword, and the associated tool(s) that trigger them.
  • Page 202 DRAGON_FILTER (NSC/SC/C/DragonFilter, NSC/SC/C/DragonFilter/event, NSC/SC/C/DragonFilter/filter): To reduce false positives, this statement can be used to eliminate events based on a combination of source and destination IP addresses, the IP protocol and the source and destination TCP/UDP ports or ICMP type.
  • Page 203 DRAGON_FILTER (continued): Any of these rules can be strung together to make more complex rules. When piecing filter statements together, the keywords and, or, and not are used.
  • Page 204 Enterasys IPS events, which can be shot down via TCP resets or ICMP port unreachable packets. All event names must be enclosed in square brackets, just like in the output of most of the Enterasys IPS analysis tools. Technical Notes •...
  • Page 205 FAST_READ (NSC/Device/turbo (defunct), NSC/Device/bufmod (defunct)): For Linux systems, this enables "TurboPacket" mode. This is a high-performance method of moving packets from the kernel to the application.
  • Page 206 FAVOR_OLD (NSC/SC/C/NetworkLayer/favor-old): When IP fragments are reassembled, it is possible for a hacker to generate traffic that overwrites itself. Imagine a single packet split into two fragments.
  • Page 207 FLAGS (NSC/SC/C/TransportLayer/Flags): To detect a variety of TCP flag probes (Fin-Syn scanning, remote OS detection, etc.), Network Sensor can be configured to look for a variety of unusual TCP flag combinations.
  • Page 208 FRAG (NSC/SC/C/NetworkLayer/LogFrag): Network Sensor can watch for any fragmented packets and log them. On most networks, fragments do not occur a majority of the time. When they do happen, they are usually small in number and due to a poorly performing network or the result of hacker traffic.
  • Page 209 FRAG0 (NSC/SC/C/NetworkLayer/small-frag-no-tcp-flags): Configures the Network Sensor to decode any TCP fragments with an IP fragment offset of zero. Offsets of zero occur naturally on some networks, but also occur when hackers want to artificially create fragmented packets for Syn scanning, bypassing of firewalls and other...
  • Page 210 FRAG1 (NSC/SC/C/NetworkLayer/small-frag-with-tcp-flags): Similar to “NSC/SC/C/NetworkLayer/small-frag-no-tcp-flags” on page A-15, except that it makes the Network Sensor look for TCP packets with a fragment offset of 1.
  • Page 211 FTP (NSC/SC/C/FTPAnalysis/port-request-check): A switch that tells Network Sensor to decode TCP port 21 packets and streams that specify a port command for file transfer. The decode extracts the command string, which is of the form port x,x,x,x,p,p where x,x,x,x is the destination IP address and p,p is the destination...
  • Page 212 UDP and ICMP packet counts as well as an event count and a dropped packet count for BSD systems. The HEARTBEAT message is used by the Enterasys IPS Policy Manager to indicate a live Enterasys IPS Sensor and keep the icon for the sensor green.
  • Page 213 ICMP (NSC/SC/C/ICMPAnalysis/LogICMP): The ICMP protocol is used by a variety of normal and hacker activities. Logging all of it generates a lot of information. The Network Sensor has the ability to filter ICMP traffic and only log specific ICMP events.
  • Page 214 IDSCONSOLE (Deprecated): As IP fragments and TCP sessions are recreated, the attribute causes the Enterasys IPS Sensor to print out any problems it encountered during reconstruction of network traffic. Not all IDS avoidance techniques will result in a print out, but most will. There is a...
  • Page 215 IGNORE_DPORT (NSC/SC/C/ApplicationFilter/IgnorePort (w/ direction)): Similar to “NSC/SC/C/ApplicationFilter/IgnorePort/port” on page A-22, except that it ignores packets based on destination port only. These rules also apply to UDP and TCP packets. Technical Note: Using this rule, up to 32 ports can be ignored.
  • Page 216 IGNORE_PORT (NSC/SC/C/ApplicationFilter/IgnorePort/port): Used to ignore specific ports for UDP and TCP traffic. UDP and TCP packets that have a source or destination port equal to one of those listed here are ignored.
  • Page 217 IGNORE_PROTO (NSC/SC/C/ApplicationFilter/IgnoreProtocol): Used to ignore a specific IP protocol. Protocols are specified by their number (6 for TCP, 17 for UDP, etc.). Any IP traffic of the protocols listed here is ignored.
  • Page 218 IGNORE_PS (NSC/SC/C/ApplicationFilter/IgnoreProbe): Some networks have traffic that may look like a port scan or a port sweep, but the traffic should be ignored. Consider a web browser, which visits a web server on port 80.
  • Page 219 IIS_UNICODE_DECODE (NSC/SC/C/HTTPAnalysis/iss-unicode): When enabled, Network Sensor interprets Unicode representations the way that IIS does. In brief, there are four things that IIS interprets which are against Unicode and URI standards: •...
  • Page 220 IPCHECK (NSC/SC/C/NetworkLayer/checksum): Purposely crafted IP packets with bad checksums can fool packet-based IDS devices into accepting packets that a destination host would reject. This keyword is used to validate the IP checksums of packets that are directed at “NSC/SC/C/ProtectedNetwork”...
  • Page 221 IPREGEX (NSC/SC/C/HeaderSearch): IP and TCP headers can be searched for a specific string of data. These rules identify a start byte and a stop byte in the header of either IP or TCP traffic.
  • Page 222 IP_OPTIONS (NSC/SC/C/NetworkLayer/LogOptions): A variety of IP options can be recorded based on option type and source IP. The Network Sensor uses this to specify a list of rules that ignore or record IP packets with options.
  • Page 223 It records this event to the 'dragon.sys' file. Analysis of these events can help measure the overall impact on the Enterasys IPS Sensor performance. The total time of evaluation is recorded. Users should consider how long the port scan analysis is taking and how often.
  • Page 224 LONGWEBURI (Deprecated): A common IDS evasion tactic for web requests is to split up a web URI over several packets. This tactic prevents the IDS from looking at the URI as a whole.
  • Page 225 NAME (NSC/SC/name): Specifies the name of a particular Enterasys IPS Sensor. A name must be specified in each dragon.net configuration file, or the Enterasys IPS Sensor will exit. This name is used to identify entries in log files.
  • Page 226 PERF_LEN (NSC/PerformanceReport/packet-length): Displays the packet count by length. Technical Notes: • Requires “NSC/PerformanceReport” on page A-33, and either the “NSC/PerformanceReport/packets” on page A-32 or “NSC/PerformanceReport” on page A-33.
  • Page 227 PERF_STATS (NSC/PerformanceReport): Instructs the sensor to report performance data to the dragon.log file. Technical Note: This must be used in conjunction with “NSC/PerformanceReport/packets”...
  • Page 228 PORTSCANS (NSC/SC/C/ProbeDetection/hosts-per-port, NSC/SC/C/ProbeDetection/ports-per-host, NSC/SC/C/ProbeDetection/max-threshold): Configures the Network Sensor to collect distinct network traffic for a certain number of packets, then evaluate the collected traffic for port scans or port sweeps.
  • Page 229 • Consider super classing CIDR blocks where possible to increase the efficiency of the Network Sensor. • Enterasys IPS allows for a maximum of 24 protected networks. PROTO (NSC/SC/C/NetworkLayer/LogProtocol): Used to log packets based solely on IP protocol. Events of this type are named [PROTO].
  • Page 230 NSC/SC/C/verbose The new algorithm that is used by “NSC/SC/C/ProbeDetection/hosts-per-port” on page A-34 enables the Enterasys IPS Sensor to specify an ordered list of the information used to generate an alert. For a port scan, it instructs the sensor to provide a list of all of the ports that were probed.
  • Page 231 RBLOG (NSC/SC/C/Logging/ring-buffer): Instructs the Enterasys IPS Sensor to write to a shared memory ring buffer. This option is required for the Enterasys IPS architecture. Technical Note: This option requires the command line argument '-f' and the local 'dragon.cfg' file.
  • Page 232 REPEAT (NSC/SC/C/Logging/Repeat/threshold): Specifies the number of similar events that will occur before Network Sensor will stop reporting the new events. When the next different event occurs, the number of previous duplicate events will be recorded.
  • Page 233 (NSC/SC/C/RPCAnalysis/LogRPC): Configures Network Sensor to watch for specific RPC traffic. The Network Sensor watches for RPC traffic on port 111 and in the upper Solaris range of 32771-32800.
  • Page 234 RPC protocol. For more details about this particular evasion and DOS attack, please read Randy Taylor’s explanation, which can be found at: https://dragon.enterasys.com/wp/RPC_Evasion.pdf A quick overview of the IDS evasion tactic used is as follows. Within TCP-based RPC communication, the RPC protocol has a concept of fragmentation.
  • Page 235 The current events are: [RPC:NOOP-ATTACK] [RPC:PROTOCOL-EVASION] Technical Notes: • For details on how these evasions work, refer to the “NSC/SC/C/RPCAnalysis” on page A-2, or the Enterasys whitepaper written by Randy Taylor at: https://dragon.enterasys.com/wp/RPC_Evasion.pdf • This feature requires “NSC/SC/C/RPCAnalysis” on page A-40. RPC_ANYPORT...
  • Page 236 SERVER (NSC/SC/C/TransportLayer/LogServer): Used to help find illegal TCP services by looking for Syn-Ack packets coming from protected hosts. Typically, we can do this by looking for services above 1024, with the exception of ports like 2049 and 6000.
  • Page 237 SERVER (NSC/SC/C/TransportLayer/LogServer) (continued): For network 10.100.100.0/24, the following example shows what it would take to ignore that traffic and log any new active TCP services. Network Sensor can be configured to look for Syn-Ack packets coming from outside your network on very high ports.
  • Page 238 SESSION_WINDOW (NSC/SC/C/TransportLayer/StreamRebuilding/session-window-size): Allows the user to configure the number of bytes that the Network Sensor will reconstruct in an application session. This is a very important aspect when fragmentation/session reassembly is considered.
  • Page 239 This feature is only available on Ethernet sensors. • Sniper can also be applied when running in IPS mode. • The maximum number of sniper rules that can be entered into the Enterasys IPS configuration is 32.
  • Page 240 SNIPERQUEUE (NSC/SC/C/ActiveResponse/SniperQueue): The active response capability of the Network Sensor has been expanded to include reactions to accumulated events. The intention of this feature is to prevent ‘brute-force’...
  • Page 241 SNMPCONVERT (NSC/SC/C/SNMPConvert): Provides the Network Sensor with the ability to do quick SNMP protocol decodes. The evasion consists of obscuring the Object Identifier in an SNMP packet.
  • Page 242 This variable is more commonly known as the OID. Technical Note: By default, the OID is 1.3.6.1.4.1.4471 (which is the registered OID for Enterasys IPS). SNMP_SERVER (NSC/SC/C/SNMPTrap/ip; NSC/SC/C/SNMPTrap/port): The Network Sensor can be configured to send SNMP traps for every detected event. These SNMP traps contain data similar to what is printed out in the one-line mklog format.
  • Page 243 STATIC (NSC/SC/C/NetworkLayer/LogStatic): Used to log all packets from a particular network or IP address. This attribute must be followed by a list of IP addresses or CIDR masks and a unique name to be associated with the static rule.
  • Page 244 SYN-BOMB (NSC/SC/C/TransportLayer/syn-bomb-threshold): To detect Syn bombs, the Network Sensor counts the number of TCP packet types entering and leaving the protected networks. Every time it sees a Syn packet, a counter is incremented.
  • Page 245 Technical Note: The maximum number of rules is 6. SYSLOG_ONLY (NSC/SC/C/Logging/syslog-only): This keyword instructs the Enterasys IPS Sensor to log output and debugging information to the system log rather than to stdout or a file. TCPCHECK...
  • Page 246 TCPCHECK_VERBOS (NSC/SC/C/TransportLayer/tcp-checksum-verbose): This keyword is identical to NSC/SC/C/TransportLayer/tcp-checksum, except that it logs events. The current logged event is: [BAD-TCP-CKSUM]. TCPOPTS (NSC/SC/C/TransportLayer/tcp-options-check): Configures the Network Sensor to look for any packet with TCP options that has a zero length TCP option or a post EOL TCP option.
  • Page 247 TCP_ECM (NSC/SC/C/ActiveResponse/tcp-ecm): For the [TCP-FLAGS] event, which occurs for TCP flag combinations specified by NSC/SC/C/TransportLayer/Flags in the dragon.net file, the Network Sensor can emit random packets which confuse network scanners using the TCP protocol.
  • Page 248 TCP_ECM (continued from previous page): The Network Sensor will send four different random responses to the target server. Each packet will have the correct source port and IP address reversed.
  • Page 249 TELCONVERT (NSC/SC/C/TelnetAnalysis): The Telnet protocol, as defined by RFC 854 and companion RFCs, allows for in-band command communication. Therefore, it is possible to embed Telnet commands into the character stream to obscure an attack.
  • Page 250 (NSC/SC/C/NetworkLayer/log-ttl): Configures the Network Sensor to record any packet with an IP time-to-live value less than or equal to the single required argument. The intent here is to record traceroute packets as well as attempts to bypass intrusion detection systems with small TTL settings.
  • Page 251 UNICODEV2_DECODE (NSC/SC/C/HTTPAnalysis/Unicode): There are two attributes that allow Unicode decoding: Unicode and IIS_UNICODE_DECODE. Unicode was designed for web servers that adhere to the Unicode standard.
  • Page 252 VLAN_802_1Q (Deprecated): For the Network Sensor to correctly collect packets on an 802.1q segment, this option must be enabled. Packets conforming to 802.1q have an additional 4 bytes that need to be excluded to get to the IP header.
  • Page 253 (Deprecated) (PACKETLOG and ALARMLOG options): using this keyword will ensure that the directory names will have the 4-digit year. This is required for the Enterasys IPS 5.x architecture. Technical Note: For backward compatibility, this must not be used in the Enterasys IPS 4.x architecture.
  • Page 254: Network Sensor Signature Fields

    Network Sensor Signature Fields: Network Sensor Signatures have been modified to utilize XML configuration. The concept of Fields is mapped to XML attributes in Table A-2. Table A-2 Signature Attributes (columns: XML Element/Attribute, Pre-7.0 #/Name): Signature Element Protocol, Field 1: Protocol service-direction...
  • Page 255: Host Sensor Mappings

    Host Sensor Mappings: The signature format and general Host Sensor configuration have been greatly modified and now utilize XML configuration. It is not recommended to try to map 7.0 items to pre-7.0 items for the Host Sensor. Agent Mappings: Agents now utilize XML configuration.
  • Page 257: Index
