Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: FRAG0

7.0 XML Attribute: NSC/SC/C/NetworkLayer/small-frag-no-tcp-flags

Description: Configures the Network Sensor to decode any TCP fragments with an IP fragment offset of zero. Offsets of zero occur naturally on some networks, but also occur when hackers artificially create fragmented packets for SYN scanning, firewall bypass, and other activities. small-frag-no-tcp-flags tells the Network Sensor to record any of these packets and decode the source port, destination port, and TCP flags. In short, when TCP traffic is fragmented, this setting attempts to log the beginning of the fragmented packet for further analysis. These events are labeled FRAG-TCP-ZERO.

These packets are most probably part of a number of web sessions and email sessions. If we wanted, we could inspect the payload of this packet, and the DYNAMIC packets recorded after these events, to get a better picture of the meaning of these fragments.

The theory is that a hacker will discover a way to maliciously bypass a network IDS using a new fragmentation technique. Having a log of all fragmented TCP traffic may be useful if such techniques prove effective against the Network Sensor.

Technical Note: The fragment must contain enough information in the packet to obtain the source port, destination port, and TCP flags.
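The decode rule described above, written out as an added Python example (not code from the manual or the product): it picks out IPv4 first fragments (offset zero, MF set) carrying TCP and extracts the ports and flags only when the fragment holds enough of the TCP header, as the technical note requires. The packet bytes are constructed inline, and the event dict layout and function names are assumptions, not the sensor's own log format.

```python
import struct

# TCP flag bits in the order they occupy the flags byte (bit 0 = FIN ... bit 5 = URG)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
IPPROTO_TCP = 6


def decode_frag_tcp_zero(pkt: bytes):
    """Return a FRAG-TCP-ZERO event dict for an IPv4 first fragment carrying TCP,
    or None when the packet is not a zero-offset fragment of a TCP datagram.
    (Hypothetical event layout; the product's own log format is not on the page.)"""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    proto = pkt[9]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more_frags = bool(flags_frag & 0x2000)         # MF bit
    frag_offset = flags_frag & 0x1FFF              # 13-bit fragment offset
    # Only the first fragment (offset zero, MF set) of a fragmented TCP datagram is logged;
    # an unfragmented packet also has offset zero but is not a fragment at all
    if proto != IPPROTO_TCP or frag_offset != 0 or not more_frags:
        return None
    tcp = pkt[ihl:]
    # Technical note: ports occupy TCP bytes 0-3 and the flags byte is byte 13,
    # so a fragment shorter than 14 TCP bytes cannot be fully decoded
    if len(tcp) < 14:
        return {"event": "FRAG-TCP-ZERO", "decoded": False, "reason": "fragment too short"}
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flag_byte = tcp[13]
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if flag_byte & (1 << bit)]
    return {"event": "FRAG-TCP-ZERO", "decoded": True,
            "src_port": src_port, "dst_port": dst_port, "flags": flags}


def build_ipv4(payload: bytes, proto=IPPROTO_TCP, more_frags=True, frag_offset=0) -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: 14 TCP bytes (ports, seq, ack, data offset, flags=SYN) is enough;
# 4 TCP bytes carry the ports but not the flags; offset 3 is not a first fragment.
SAMPLES = {
    "first_frag_full": build_ipv4(struct.pack("!HHIIBB", 40000, 80, 1, 0, 0x50, 0x02)),
    "first_frag_short": build_ipv4(struct.pack("!HH", 40000, 80)),
    "later_frag": build_ipv4(b"\x00" * 14, frag_offset=3),
    "unfragmented": build_ipv4(struct.pack("!HHIIBB", 40000, 80, 1, 0, 0x50, 0x02), more_frags=False),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, decode_frag_tcp_zero(pkt))
```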
Creating Network Sensor Policies and Signatures A-15
6.x to 7.x Mappings