Log Destination Tab - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide

Example
The following example shows six rules. The first four tell the sensor to ignore all SMTP (port 25),
DNS (port 53), Web (port 80), and SSL (port 443) traffic. The fifth rule says to ignore all traffic
coming to/from 10.100.100.10/32. The last rule tells the sensor to log everything else and to
include, at most, the next 50 packets.

Log Destination Tab

The Network Sensor has the ability to create virtual honeypots, which look for traffic attempting
to reach nonexistent hosts. The assumption is that remote network probes will not know the
topology of the target network and will attempt to talk to services which are not present. For
example, if there is only one DNS server, it may be worth having the Network Sensor watch for
network traffic attempting to talk to the DNS port on other local machines. This type of activity
could indicate a probe or an incorrect DNS configuration.
Events of this type are named [DESTINATION].
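
The check described above, sketched in Python as an added example; it is not code from the manual or the product. The network range, DNS server address, probe threshold, verdict labels and sample packets are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed inventory (assumptions, not values from the manual).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
WATCHED_PORT = 53                                     # DNS
REAL_SERVERS = {ipaddress.ip_address("192.0.2.53")}   # the only DNS server
PROBE_THRESHOLD = 3   # hypothetical: distinct absent targets that suggest a probe

Packet = namedtuple("Packet", "src dst dport")

def is_destination_event(pkt):
    """True if pkt targets the watched port on a local host that does not run it."""
    dst = ipaddress.ip_address(pkt.dst)
    return (pkt.dport == WATCHED_PORT
            and dst in LOCAL_NET
            and dst not in REAL_SERVERS)

def triage(packets):
    """Map each offending source to (verdict, count of distinct absent targets)."""
    targets = {}
    for pkt in packets:
        if is_destination_event(pkt):
            targets.setdefault(pkt.src, set()).add(pkt.dst)
    return {
        src: ("likely probe" if len(dsts) >= PROBE_THRESHOLD
              else "possible misconfiguration", len(dsts))
        for src, dsts in targets.items()
    }

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.53", 53),   # real DNS server: no event
    Packet("198.51.100.7", "192.0.2.10", 53),   # absent service
    Packet("198.51.100.7", "192.0.2.11", 53),   # absent service
    Packet("198.51.100.7", "192.0.2.12", 53),   # absent service
    Packet("192.0.2.42", "192.0.2.20", 53),     # local client, stale resolver entry
    Packet("192.0.2.42", "192.0.2.20", 53),     # same target again
    Packet("192.0.2.42", "203.0.113.1", 53),    # external resolver: not watched
    Packet("198.51.100.7", "192.0.2.10", 80),   # other port: not watched
]

if __name__ == "__main__":
    for src, (verdict, count) in triage(SAMPLE).items():
        print(f"[DESTINATION] src={src} absent_targets={count} verdict={verdict}")
```

Counting distinct absent targets per source is one way to separate the two causes the text names: a sweep across many nonexistent DNS hosts looks like a probe, while one host repeatedly querying a single wrong address looks like a configuration error.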
Procedure
To configure Log Destination settings:
1. Click the Network Policy View icon and the Network Policies tab.
2. Expand the tree by clicking the expansion symbols and select the custom policy name.
   The modules for that policy are displayed in the tree.
3. Click the Transport Layer Module in the tree.
4. Click the Log Destination tab.
Configuring the Transport Layer Module
Creating Network Sensor Policies and Signatures 2-103
