Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: DNSCONVERT_VERBOSE
7.0 XML Attribute: NSC/SC/C/DNSAnalysis/verbose
Description:
Performs the same decodes as NSC/SC/C/DNSAnalysis, except that it logs events when certain evasions occur. The current event is: DNS:QUERY-EVADE

Technical Note
For details on how this evasion works, refer to the NSC/SC/C/DNSAnalysis/,
For in-depth examples, please read the white paper on DNS IDS evasion. The paper is located at: https://dragon.enterasys.com/wp/DNS_Evasion.pdf

6.x Keyword: DOSCHECK
7.0 XML Attribute: NSC/SC/C/DoSCheck
Description:
The Network Sensor searches packets for distinct trademarks of specific denial of service tools that are in use and freely available. The following is the list of Enterasys IPS Events that are created by this keyword, and the associated tool(s) that trigger them.

Event Name and DoS Tool
• DOS-JOLT: jolt
• DOS-MODEM: ath0, mdmrst
• DOS-BONK: bonk
• DOS-TEARDROP: teardrop, overdrop, syndrop
• DOS-LAND: land, laterria
• DOS-TARGA: targa (winnuke)
• DOS-WINNUKE: winnuke
• DOS-JOLT2: jolt2
• DOS-1234: 1234
• DOS-NESTEA: nestea, nestea2
• DOS-OSHARE: oshare
• DOS-SAIHYOUSEN: saihyousen
Creating Network Sensor Policies and Signatures A-7
6.x to 7.x Mappings