Enterasys Intrusion Prevention System Manual page 199

Network sensor policies and signatures guide
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: DESTINATION
7.0 XML Attribute: NSC/SC/C/TransportLayer/LogDestination
Description:
The Network Sensor has the ability to create virtual honeypots, which look for traffic attempting to reach nonexistent hosts. The assumption is that remote network probes will not know the topology of the target network and will attempt to talk to services that are not present. For example, if there is only one DNS server, it may be worth having the Network Sensor watch for network traffic attempting to talk to the DNS port on other local machines. This activity could indicate a probe or an incorrect DNS configuration.
This attribute has four arguments. The first argument is the usual ignore or log setting, specified by I or L. The second is the network CIDR block or IP address declaration. The third is the IP protocol: 6 for TCP, 17 for UDP, or 0 for both TCP and UDP. The fourth argument is the destination port, which does not accept wildcards. Events of this type are named [Destination].
Technical Note: The maximum number of Destination rules allowed is 26.

6.x Keyword: DEVICE
7.0 XML Attribute: NSC/Device/Interface/Name
Description:
Specifies which device the Network Sensor will use to gather packets. The device name is the same as shown by the ifconfig command, such as eth0. The Network Sensor does not attempt to discover network interfaces. Interfaces without IP stacks can be used for monitoring, but they must have access to packets: they must be in a collision domain, on a tapped network node, or on the spanned port of a switch. The name of the network device is a required argument to the Name declaration.
Technical Note: This interface will also be used for all active responses.
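The four-argument Destination rule above, modelled as an added example that is not part of the Enterasys manual or product: it parses rules in an assumed one-line textual form (the manual does not show the 7.0 XML syntax), enforces the 26-rule maximum, and evaluates constructed packets against the manual's "one DNS server" scenario. First-match ordering between rules is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP, BOTH = 6, 17, 0     # IP protocol codes as the manual defines them
MAX_DESTINATION_RULES = 26    # limit stated in the Technical Note

@dataclass(frozen=True)
class DestinationRule:
    """One virtual-honeypot rule: action I/L, CIDR or host, IP protocol, destination port."""
    action: str
    network: ipaddress.IPv4Network
    protocol: int
    port: int

def parse_rule(text):
    """Parse the assumed textual form 'L 10.0.0.0/24 17 53' (constructed, not the product's XML)."""
    action, net, proto, port = text.split()
    if action not in ("I", "L"):
        raise ValueError(f"action must be I or L, got {action!r}")
    protocol, dport = int(proto), int(port)
    if protocol not in (TCP, UDP, BOTH):
        raise ValueError(f"protocol must be 6, 17 or 0, got {protocol}")
    if not 0 <= dport <= 65535:   # fourth argument is a single port, no wildcards
        raise ValueError(f"port out of range: {dport}")
    return DestinationRule(action, ipaddress.ip_network(net, strict=False), protocol, dport)

def load_rules(lines):
    """Parse rules, skipping comments, and enforce the 26-rule maximum."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    if len(rules) > MAX_DESTINATION_RULES:
        raise ValueError(f"{len(rules)} rules exceed the maximum of {MAX_DESTINATION_RULES}")
    return rules

def evaluate(rules, dst_ip, protocol, dport):
    """Return 'log', 'ignore' or None; first matching rule wins (an assumption of this example)."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (addr in rule.network
                and rule.protocol in (BOTH, protocol)
                and rule.port == dport):
            return "log" if rule.action == "L" else "ignore"
    return None

# Constructed rule set for the manual's DNS scenario: the only real resolver is 10.0.0.53,
# so DNS traffic to any other host in 10.0.0.0/24 indicates a probe or a misconfiguration.
SAMPLE_RULES = load_rules([
    "# ignore the legitimate resolver first, then log DNS to everything else on the LAN",
    "I 10.0.0.53/32 0 53",
    "L 10.0.0.0/24 0 53",
    "L 10.0.0.0/24 17 161",   # UDP-only rule, so TCP/161 does not match it
])
```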
Creating Network Sensor Policies and Signatures A-5
6.x to 7.x Mappings