Enterasys Intrusion Prevention System Manual page 123

Network sensor policies and signatures guide


7. Click the Advanced Settings tab.
8. If you want an event logged when TCP Checksum Verification discovers a discrepancy, check
the Log TCP Checksum Events checkbox. The event name is [BAD-TCP-CKSUM].
9. The Check for Non-Zero SYN Bytes option tells the sensor to analyze all of the data in captured
SYN packets for non-zero bytes. Most operating systems that pad SYN packets with a small
payload do so with zeros, so this event indicates that a SYN packet was received whose payload
contains non-zero bytes. This event has a very high false positive rate. These events are
labeled [SYN-DATA-NZ], and the non-zero data is included in the event message data.
10. Selecting the Trust option tells the sensor not to check TCP sequence and acknowledgement
numbers, including the check on the sequence number of RST packets attempting to shut down
TCP connections. Enterasys recommends that you leave this option disabled.
11. The Check for Zero Length TCP Options parameter tells the sensor to look for any packet
that has a zero-length TCP option or an option following the End of Option List (EOL) option.
The events generated by this option are labeled [TCP-OPTS].
Many IP stacks do not conform to the standards, and a large share of normal traffic carries
poorly implemented TCP options, so this setting may produce false positives. However, tools
such as NMAP make extensive use of TCP options for remote operating system identification,
and some denial of service attacks against Windows platforms also use TCP options.
12. Selecting the Enable Debugging parameter will cause the sensor to write transport layer
debugging messages to the sensor log, if the global debug attribute is also enabled. Do not
enable this parameter unless requested to by Enterasys Technical Support.
13. Select Enable Transport Layer Analysis to enable this module. This parameter is selected by
default.
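The checksum, non-zero SYN payload and TCP option checks that steps 8, 9 and 11 switch on can be reproduced on raw segments. The following Python is an added example written for this page, not Enterasys sensor code: the event labels are the ones the manual names, while the helper and function names, the constructed 10.0.0.x addresses and segments, and the reading of "SYN packet" as a segment with SYN set and ACK clear are assumptions of the example.

```python
import struct

# Event labels named on this manual page.
BAD_TCP_CKSUM = "[BAD-TCP-CKSUM]"
SYN_DATA_NZ = "[SYN-DATA-NZ]"
TCP_OPTS = "[TCP-OPTS]"

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                  options=b"", payload=b"", corrupt_checksum=False):
    """Constructed test input: a TCP segment with a valid (or deliberately bad) checksum."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    offset = 5 + len(opts) // 4
    header = struct.pack(TCP_HDR, sport, dport, seq, ack, offset << 4, flags, 65535, 0, 0)
    segment = header + opts + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    if corrupt_checksum:
        csum ^= 0x0001                                  # flip one bit so verification fails
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def option_problems(opts: bytes):
    """Walk the TCP option list; return the defects the zero-length/post-EOL check would flag."""
    problems, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # EOL: only zero padding may follow
            if any(b != 0 for b in opts[i + 1:]):
                problems.append("option data after EOL")
            break
        if kind == 1:                                   # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append("truncated option kind %d" % kind)
            break
        length = opts[i + 1]
        if length == 0:                                 # would loop forever in a naive parser
            problems.append("zero-length option kind %d" % kind)
            break
        if length < 2 or i + length > len(opts):
            problems.append("bad length %d for option kind %d" % (length, kind))
            break
        i += length
    return problems


def analyze_segment(src_ip, dst_ip, segment, log_checksum_events=True,
                    check_nonzero_syn_bytes=True, check_zero_length_options=True):
    """Apply the three stateless checks; return a list of (event label, detail) tuples."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    fields = struct.unpack(TCP_HDR, segment[:20])
    offset, flags, csum = (fields[4] >> 4) * 4, fields[5], fields[7]
    if offset < 20 or offset > len(segment):
        raise ValueError("bad data offset")
    options, payload = segment[20:offset], segment[offset:]
    events = []
    if log_checksum_events:
        zeroed = segment[:16] + b"\x00\x00" + segment[18:]
        expected = tcp_checksum(src_ip, dst_ip, zeroed)
        if expected != csum:
            events.append((BAD_TCP_CKSUM, "got 0x%04x expected 0x%04x" % (csum, expected)))
    is_syn = bool(flags & TCP_FLAG_SYN) and not (flags & TCP_FLAG_ACK)  # assumption: initial SYN only
    if check_nonzero_syn_bytes and is_syn and payload:
        nonzero = bytes(b for b in payload if b)
        if nonzero:                                     # zero padding alone is not reported
            events.append((SYN_DATA_NZ, nonzero.hex()))
    if check_zero_length_options and options:
        problems = option_problems(options)
        if problems:
            events.append((TCP_OPTS, "; ".join(problems)))
    return events


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def demo():
    """Run the checks over constructed segments; returns {case name: events}."""
    syn = TCP_FLAG_SYN
    cases = {
        "clean_syn_mss": build_segment(SRC, DST, 40000, 80, 1, 0, syn, options=b"\x02\x04\x05\xb4"),
        "syn_zero_pad": build_segment(SRC, DST, 40000, 80, 1, 0, syn, payload=b"\x00\x00"),
        "syn_nonzero": build_segment(SRC, DST, 40000, 80, 1, 0, syn, payload=b"\x00A"),
        "bad_checksum": build_segment(SRC, DST, 40000, 80, 1, 0, syn, corrupt_checksum=True),
        "zero_len_opt": build_segment(SRC, DST, 40000, 80, 1, 0, syn, options=b"\x02\x00"),
        "post_eol_opt": build_segment(SRC, DST, 40000, 80, 1, 0, syn, options=b"\x00\x01\x01\x01"),
    }
    return {name: analyze_segment(SRC, DST, seg) for name, seg in cases.items()}


if __name__ == "__main__":
    for name, events in demo().items():
        print(name, events or "no events")
```

The zero-padded SYN case produces no event, which is the behaviour the manual describes for operating systems that pad with zeros; the `syn_nonzero` case shows why the false positive rate is high, since any single non-zero byte is enough. The Trust option (step 10) is deliberately not modelled: sequence and acknowledgement validation needs per-connection state, which a stateless check over a single segment cannot supply.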
Configuring the Transport Layer Module
Creating Network Sensor Policies and Signatures 2-93
