10. To add a Port Macro to the port list, click Add PortMacro. The Port Macro Selection dialog
box is displayed. Select the desired macro and click OK.
Note: To display existing port macros and their definitions, or to add a new macro, click Default
Network Sensor Settings in the Network Policies tab of the Network Policy View. See
"Configuring Port Macros" on page 1-14 for information about creating or editing port macros.
11. Click Commit to add your changes to the policy being configured.
SNMP Analysis Configuration
The SNMP analysis feature provides quick SNMP protocol decodes that counter an SNMP evasion
technique. The evasion consists of obscuring the Object Identifier in an SNMP packet. Many
signature-based IDSs rely on the Object Identifier to detect an attack, so handling this evasion
is important if a user is running many SNMP signatures on a Network Sensor.
For example, a Network Sensor signature matches the Windows LanManager Object Identifier,
1.3.6.1.4.1.77. If the SNMP evasion technique is used, the LanManager Object Identifier becomes
1.3.06.01.04.01.077 and would successfully evade the IDS. With SNMP Analysis, the obscured
LanManager Object Identifier is converted back into 1.3.6.1.4.1.77 and correct detection occurs.
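The normalization described above, shown as an added Python example that is not part of the manual or the product. It goes beyond the dotted notation in the text by also decoding the BER form an OID has on the wire, assuming the obscuring appears there as 0x80-padded sub-identifiers (the manual does not say); the function names and sample bytes are constructed for illustration.

```python
"""Added example: canonicalize SNMP OIDs before signature matching."""
from __future__ import annotations

LANMANAGER_OID = "1.3.6.1.4.1.77"  # OID quoted in the manual text

# Constructed samples: BER content octets for the LanManager OID.
CANONICAL = bytes.fromhex("2b060104014d")            # minimal encoding
PADDED = bytes.fromhex("2b8006800180048001804d")     # each arc 0x80-padded


def normalize_dotted(oid: str) -> str:
    """Strip leading zeros from every arc of a dotted OID string."""
    arcs = oid.strip().split(".")
    if not all(a.isascii() and a.isdigit() for a in arcs):
        raise ValueError(f"not a dotted OID: {oid!r}")
    return ".".join(str(int(a)) for a in arcs)


def decode_ber_oid(content: bytes) -> tuple[str, bool]:
    """Return (canonical dotted OID, padded) for BER OID content octets.

    padded is True when a sub-identifier starts with 0x80, a non-minimal
    form that X.690 forbids but lenient decoders accept.
    """
    values, value, at_start, padded = [], 0, True, False
    for byte in content:
        if at_start and byte == 0x80:
            padded = True
        at_start = False
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = "more"
        if not byte & 0x80:
            values.append(value)
            value, at_start = 0, True
    if not values or not at_start:
        raise ValueError("empty or truncated OID")
    first = min(values[0] // 40, 2)            # first octet packs two arcs
    arcs = [first, values[0] - 40 * first] + values[1:]
    return ".".join(map(str, arcs)), padded


def match_signature(content: bytes, signature: str = LANMANAGER_OID) -> dict:
    """Match on the normalized OID and report whether padding was seen."""
    oid, padded = decode_ber_oid(content)
    sig = normalize_dotted(signature)
    hit = oid == sig or oid.startswith(sig + ".")
    return {"oid": oid, "match": hit, "obscured": padded}
```

A byte-for-byte comparison of PADDED against CANONICAL fails, which is the miss the text describes; matching on the decoded OID succeeds, and the obscured flag gives a signal worth alerting on by itself.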
Procedure
To configure SNMP Analysis settings:
1. Click the Network Policy View icon and the Network Policies tab.
2. Expand the tree by clicking the expansion symbols and select the desired custom policy name.
The modules for that policy are displayed in the tree.
3. Click the Protocol Analysis Module in the tree.
Configuring the Protocol Analysis Module
Creating Network Sensor Policies and Signatures 2-83