9. Click Edit or Delete to change or delete existing rules.
10. Click Commit to add your changes to the policy being configured.
Example
The first rule causes an [EXAMPLE] event to be generated when the string "example" is matched. The
second rule causes an [EXAMPLE2] event to be generated when "////" is matched. The third rule
causes a [TFN2K:TCP] event to be generated when the sensor detects the base64 encoding used by
TFN2K (Tribe Flood Network 2000) control traffic.
Log Pairs Tab
A variety of attacks depend on a specific combination of source and destination port to succeed.
Some of these are attempts to bypass network security devices (for example, a stateless filter that
trusts any packet with a well-known source port); others are denial of service in nature. The Network
Sensor can be configured to watch for specific source/destination port pairs using the Log Pairs tab.
Each pair that matches generates its own event, independent of the port-scan detector.
It is good practice to use this feature whenever you exclude certain traffic from port-scan detection.
For example, many administrators configure the Network Sensor not to look for port scans in web or
DNS traffic. A scanner that fixes its source port at 80 or 53 (a "source ported" scan) would then slip
past the port-scan detector; adding a few key port pairs here, such as source port 53 to common service
ports, still detects those probes.
Procedure
To configure Log Pairs settings:
1. Click the Network Policy View icon and the Network Policies tab.
2. Expand the tree by clicking the expansion symbols and select the desired custom policy name.
The modules for that policy are displayed in the tree.
3. Click the Transport Layer Module in the tree.
4. Click the Log Pairs tab.
Configuring the Transport Layer Module
Creating Network Sensor Policies and Signatures 2-109