6.x to 7.x Mappings

Table A-1 6.x to 7.0 Keyword Mapping (continued)

A-14 Keywords/XML Attributes

6.x Keyword: FRAG
7.0 XML Attribute: NSC/SC/C/NetworkLayer/LogFrag
Description:
Network Sensor can watch for fragmented packets and log them. On most networks fragments are uncommon; when they do occur they are usually few in number and the result either of a poorly performing network or of hacker traffic. Fragments can be used to conduct network scanning and to cause denial of service, among other things.

Each rule is made up of three arguments: a log rule, an IP address and an IP protocol. The log rule is either L, to log the event, or I, to ignore it. The IP address is either a single address or an address with a network bit mask. Protocols are specified numerically, for example 6 for TCP; a protocol value of zero acts as a wildcard and logs fragmented packets regardless of IP protocol. Events of this type are named [FRAG].

Technical Note: The maximum number of LogFrag rules is 16.

6.x Keyword: FRAG_REBUILD
7.0 XML Attribute: NSC/SC/C/NetworkLayer/frag-rebuild
Description:
The Network Sensor attempts to rebuild all IP fragments that are traveling to the protected network. For performance reasons, it does not attempt to reassemble fragments from "NSC/SC/C/ProtectedNetwork" on page A-35 IP addresses. Fragments are reassembled when the total amount of data received equals the packet length determined by the fragment that does not have the More Fragments bit set. When a pseudo-packet is rebuilt, it is injected into the Network Sensor packet processing engine for evaluation. If an event occurs on this packet, an extra event is also generated indicating that the packet was reconstructed. For packet analysis, these pseudo-packets have an IP checksum of zero, a TTL of 255 and an IP ID value of 0xffff. An event that occurred on a packet rebuilt from IP fragments therefore also carries the event name [FRAG-REBUILD] and the message data (this-event-was-reconstructed).
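The LogFrag rule format described above (log rule, IP address with optional mask, numeric IP protocol with 0 as wildcard, at most 16 rules) is easy to get subtly wrong in a configuration, so the following added example, which is not part of the manual or of the product, parses a small constructed rule set and evaluates fragments against it. The rule names and the sample rules are constructed. The manual does not state the evaluation order, which address (source or destination) the rule is compared with, or what happens when no rule matches; the code assumes first match wins, matches against the source address, and does not log an unmatched fragment, and each of those assumptions is marked in the code.

```python
"""Constructed example: parser and first-match evaluator for LogFrag-style
rules (log rule, IP address, IP protocol) with the 16-rule limit enforced."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

MAX_LOGFRAG_RULES = 16   # limit stated in the manual's technical note
PROTO_TCP, PROTO_UDP, PROTO_ANY = 6, 17, 0


@dataclass(frozen=True)
class LogFragRule:
    log: bool                        # True for "L" (log the event), False for "I" (ignore it)
    network: ipaddress.IPv4Network   # single address (/32) or address with a network mask
    protocol: int                    # IP protocol number; 0 is a wildcard


def parse_logfrag_rule(text: str) -> LogFragRule:
    parts = text.split()
    if len(parts) != 3:
        raise ValueError(f"a LogFrag rule has three arguments, got {text!r}")
    action, address, proto = parts
    if action.upper() not in ("L", "I"):
        raise ValueError(f"log rule must be L or I, got {action!r}")
    protocol = int(proto)
    if not 0 <= protocol <= 255:
        raise ValueError(f"IP protocol out of range: {protocol}")
    # strict=False accepts a host address carrying a mask, e.g. 192.168.1.10/24,
    # as well as a bare address (treated as /32) or a dotted-quad mask.
    return LogFragRule(action.upper() == "L",
                       ipaddress.IPv4Network(address, strict=False), protocol)


def parse_logfrag_rules(lines: Iterable[str]) -> List[LogFragRule]:
    rules = [parse_logfrag_rule(ln) for ln in lines
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(rules) > MAX_LOGFRAG_RULES:
        raise ValueError(
            f"at most {MAX_LOGFRAG_RULES} LogFrag rules are allowed, got {len(rules)}")
    return rules


def should_log_fragment(rules: List[LogFragRule], src_ip: str, protocol: int) -> bool:
    """Assumptions (not stated in the manual): rules are evaluated in order and
    the first match decides; the address is compared with the fragment's source;
    a fragment matching no rule is not logged."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if ip in rule.network and rule.protocol in (PROTO_ANY, protocol):
            return rule.log
    return False


# Constructed sample rules, not taken from any product configuration.
SAMPLE_RULES = """
# ignore TCP fragments from one noisy host, log everything else on its subnet
I 192.168.1.10 6
L 192.168.1.0/24 0
L 10.0.0.0/255.0.0.0 17
""".splitlines()

RULES = parse_logfrag_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for src, proto in [("192.168.1.10", PROTO_TCP), ("192.168.1.10", PROTO_UDP),
                       ("10.5.5.5", PROTO_UDP), ("172.16.0.1", PROTO_TCP)]:
        verdict = "log" if should_log_fragment(RULES, src, proto) else "ignore"
        print(f"fragment from {src} proto {proto}: {verdict}")
```

The over-limit check matters operationally: a 17th rule that the sensor silently drops would leave a gap in coverage, so the parser refuses the whole set rather than truncating it.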
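The frag-rebuild description above gives a precise completion rule (reassembly finishes when the data received equals the length fixed by the fragment without the More Fragments bit), fixed header values for the pseudo-packet (checksum 0, TTL 255, ID 0xffff) and a companion [FRAG-REBUILD] event whenever a rebuilt packet triggers an event. The following added example, not part of the manual or of the product, models that behaviour over constructed fragments delivered out of order. Class and function names are invented; the manual does not say whether "fragments from ProtectedNetwork addresses" refers to the source address, nor how overlapping or oversized fragment sets are handled, so the code treats the source as the address checked and discards a set whose data exceeds or fails to tile the stated length, both labelled as assumptions in the comments.

```python
"""Constructed example: IPv4 fragment reassembly with the completion rule,
pseudo-packet header values and FRAG-REBUILD companion event described in
the manual. Not product code."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Header values the manual states for rebuilt pseudo-packets
PSEUDO_IP_CHECKSUM = 0
PSEUDO_TTL = 255
PSEUDO_IP_ID = 0xFFFF
FRAG_REBUILD_EVENT = ("FRAG-REBUILD", "this-event-was-reconstructed")


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    protocol: int
    offset: int            # fragment offset in 8-byte units, as carried in the IP header
    more_fragments: bool   # the MF flag
    data: bytes


@dataclass
class PseudoPacket:
    src: str
    dst: str
    protocol: int
    payload: bytes
    ip_id: int = PSEUDO_IP_ID
    ttl: int = PSEUDO_TTL
    checksum: int = PSEUDO_IP_CHECKSUM
    reconstructed: bool = True


class FragmentReassembler:
    """Collects fragments per (src, dst, id, protocol) and emits a pseudo-packet."""

    def __init__(self, protected_networks: List[str] = ()):
        # Assumption: "fragments from ProtectedNetwork addresses" means the source address.
        self.protected = [ipaddress.IPv4Network(n) for n in protected_networks]
        self._pending: Dict[tuple, dict] = {}

    def add(self, frag: Fragment) -> Optional[PseudoPacket]:
        if any(ipaddress.IPv4Address(frag.src) in n for n in self.protected):
            return None   # not reassembled, for performance, as the manual states
        key = (frag.src, frag.dst, frag.ip_id, frag.protocol)
        state = self._pending.setdefault(key, {"pieces": {}, "total": None})
        state["pieces"][frag.offset * 8] = frag.data   # retransmits overwrite, not double-count
        if not frag.more_fragments:
            # the fragment without MF set fixes the total length of the original packet
            state["total"] = frag.offset * 8 + len(frag.data)
        if state["total"] is None:
            return None
        received = sum(len(d) for d in state["pieces"].values())
        if received < state["total"]:
            return None   # still waiting for more fragments
        offsets = sorted(state["pieces"])
        contiguous = offsets[0] == 0 and all(
            offsets[i] + len(state["pieces"][offsets[i]]) == offsets[i + 1]
            for i in range(len(offsets) - 1))
        del self._pending[key]
        if received != state["total"] or not contiguous:
            # Assumption (not in the manual): an overlapping or oversized set is discarded.
            return None
        payload = b"".join(state["pieces"][o] for o in offsets)
        return PseudoPacket(frag.src, frag.dst, frag.protocol, payload)


def events_for(packet: PseudoPacket,
               detector: Callable[[bytes], List[str]]) -> List[Tuple[str, str]]:
    """Run a detector over the pseudo-packet; if it raised any event, add the
    extra FRAG-REBUILD event the manual describes."""
    events = [(name, "") for name in detector(packet.payload)]
    if events and packet.reconstructed:
        events.append(FRAG_REBUILD_EVENT)
    return events


def demo():
    """Constructed scenario: three fragments arrive last-first, then are evaluated."""
    reasm = FragmentReassembler(protected_networks=["10.0.0.0/8"])
    frags = [
        Fragment("203.0.113.5", "10.1.1.20", 0x1234, 6, 4, False, b"EVIL" + b"C" * 4),
        Fragment("203.0.113.5", "10.1.1.20", 0x1234, 6, 0, True, b"A" * 16),
        Fragment("203.0.113.5", "10.1.1.20", 0x1234, 6, 2, True, b"B" * 16),
    ]
    results = [reasm.add(f) for f in frags]
    # hypothetical detector standing in for the packet processing engine
    detector = lambda payload: ["SUSPICIOUS-PAYLOAD"] if b"EVIL" in payload else []
    events = events_for(results[-1], detector) if results[-1] else []
    return reasm, results, events


if __name__ == "__main__":
    _, results, events = demo()
    print("pseudo-packet:", results[-1])
    print("events:", events)
```

Note that the pseudo-packet's checksum, TTL and ID are the fixed values from the manual, not values computed from the fragments; any analysis that keys on those header fields should treat them as markers of reconstruction rather than as properties of the original packet.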