Configuring the Transport Layer Module
Log Syn Pattern Tab
Some suspicious network activities, such as TFN 2000, send data in TCP Syn packets. It is perfectly
legal for TCP sessions to send data in Syn and Syn-Ack packets, but it rarely occurs. To search all
TCP Syn packets for a specific pattern, use the Log Syn Pattern tab to create rules that specify a list
of event names and data patterns to look for in each Syn packet that has a data payload. Data
patterns are specified the same way as in the Header Search Module (see "Specifying Search
Strings" on page 2-29) except there are no wild cards or other complex rules. If the pattern
matches, an event occurs with the event name you have specified.
Procedure
To configure Log Syn Pattern settings:
1. Click the Network Policy View icon and the Network Policies tab.
2. Expand the tree by clicking the expansion symbols and select the custom policy name.
   The modules for that policy are displayed in the tree.
3. Click the Transport Layer Module in the tree.
4. Click the Log Syn Pattern tab.
5. Click Add to add a new rule. The Transport Layer Log Syn Pattern dialog box is displayed.
6. In the Event Name field, specify the name of the event that should be generated when this Log
   Syn Pattern rule is matched. You can specify any name you want for this event. The name can
   be any combination of characters, excluding spaces, up to a maximum of 63 characters.
   Or, click the Browse button and select an event in the Event Chooser window.
7. In the Pattern field, specify the pattern, or search string, to be matched. Refer to
   "Specifying Search Strings" on page 2-29 for information about how to create a search string.
8. Click OK. The values are displayed in the table.
2-108 Creating Network Sensor Policies
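The matching that a Log Syn Pattern rule describes, sketched as an added example that is not taken from the manual or from the product's code: each rule pairs an event name with a pattern, and only the data payload of a segment with the SYN flag set is searched. It assumes patterns are plain literal byte strings and that Syn-Ack segments are searched as well; all function names, the rule and the sample segments are hypothetical and constructed for illustration.

```python
import struct

SYN = 0x02           # SYN bit in the TCP flags field
MAX_EVENT_NAME = 63  # limit given in step 6 of the procedure

def validate_rule(event_name, pattern):
    """Apply the event-name constraints from step 6; reject empty patterns."""
    if not 1 <= len(event_name) <= MAX_EVENT_NAME or " " in event_name:
        raise ValueError(f"invalid event name: {event_name!r}")
    if not pattern:
        raise ValueError("empty pattern")
    return event_name, pattern

def syn_payload(segment):
    """Return the data carried by a segment with SYN set, else b''."""
    if len(segment) < 20:
        return b""
    offset_flags = struct.unpack_from("!H", segment, 12)[0]
    header_len = (offset_flags >> 12) * 4   # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        return b""                          # malformed data offset
    if not offset_flags & SYN:
        return b""
    return segment[header_len:]             # skips TCP options

def match_syn_rules(segment, rules):
    """Return the event names of all rules whose pattern occurs in the SYN data."""
    payload = syn_payload(segment)
    return [name for name, pattern in rules if payload and pattern in payload]

def build_segment(flags, payload=b"", options=b""):
    """Build a constructed TCP segment (ports, sequence numbers are arbitrary)."""
    words = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, words << 12 | flags, 8192, 0, 0)
    return header + options + payload

# Constructed rule and traffic; the marker string is a placeholder, not a real signature.
RULES = [validate_rule("SYN_DATA_MARKER", b"example-marker")]
MSS_OPTION = b"\x02\x04\x05\xb4"

if __name__ == "__main__":
    samples = {
        "SYN with data": build_segment(SYN, b"xx example-marker xx", MSS_OPTION),
        "SYN, no data": build_segment(SYN, options=MSS_OPTION),
        "PSH+ACK with data": build_segment(0x18, b"example-marker"),
    }
    for label, seg in samples.items():
        print(label, "->", match_syn_rules(seg, RULES))
```

An ordinary Syn with options but no data produces no event, so a rule of this kind only fires on the rare segments that carry a payload alongside the SYN flag.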