Enterasys Intrusion Prevention System Manual page 229

Network sensor policies and signatures guide
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: PROTECTED
7.0 XML Attribute: NSC/SC/C/ProtectedNetwork
Description: The Network Sensor needs to know about the network it is running on to give meaning to the packets it collects. "Deprecated" on page A-20 specifies a range of IP addresses that constitute 'the good guys' that the Network Sensor is protecting. Based on source and destination IP address, any packet can be classified as going to, or leaving, the protected network. Packets can also be completely outside or completely inside the protected network.
Technical Notes: Consider super classing CIDR blocks where possible to increase the efficiency of the Network Sensor. Enterasys IPS allows for a maximum of 24 protected networks.

6.x Keyword: PROTO
7.0 XML Attribute: NSC/SC/C/NetworkLayer/LogProtocol
Description: Used to log packets based solely on IP protocol. Events of this type are named [PROTO].
Technical Notes: To set the protocol as a wildcard, use the value 0. The maximum number is 16.

6.x Keyword: PSDISTRIB
7.0 XML Attribute: NSC/SC/C/ProbeDetection/distributed-host-per-port; NSC/SC/C/ProbeDetection/distributed-ports-per-host
Description: Evaluates incoming traffic for distributed port scans. This is accomplished by ignoring the source IP address and source port while applying the threshold of ports. A second threshold, the number of source hosts, must also be exceeded to produce an event. This prevents this keyword from duplicating events of the "NSC/SC/C/ProbeDetection/hosts-per-port" on page A-34.
Technical Notes: This keyword can produce the events: DISTRIB-TCPSCAN, DISTRIB-UDPSCAN

6.x Keyword: PSPING
7.0 XML Attribute: NSC/SC/C/ProbeDetection/protocol-ping
Description: Enables the Enterasys IPS Sensor to generate events when network topology scans are detected. These scans are defined as one external machine sending packets to multiple protected network computers. These packets are evaluated only for their source and destination IP addresses; other information such as protocol or port number is disregarded for this keyword. Requires one argument to specify the threshold of internal machines that must receive packets before alerting.
Technical Note: Produces NETWORK-DISCOVERY events.
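Added example, not code from the Enterasys manual: a small Python model of the PROTECTED classification and of the PSDISTRIB and PSPING detection rules in the table above. The protected range, the three thresholds and the packet sample are constructed assumptions, not product defaults.

```python
"""Constructed illustration (not Enterasys code) of the PSDISTRIB and PSPING
semantics in Table A-1: a distributed port scan is one protected host hit on
many ports from many sources (source IP and port otherwise ignored); a
topology scan is one external host touching many protected hosts."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample values; the thresholds are hypothetical, not product defaults.
PROTECTED = [ip_network("10.0.0.0/24")]
PORT_THRESHOLD, HOST_THRESHOLD, DISCOVERY_THRESHOLD = 5, 3, 4

def direction(src, dst):
    """Classify a packet relative to the protected networks (PROTECTED keyword)."""
    s_in = any(ip_address(src) in n for n in PROTECTED)
    d_in = any(ip_address(dst) in n for n in PROTECTED)
    return {(False, True): "inbound", (True, False): "outbound",
            (True, True): "internal", (False, False): "external"}[(s_in, d_in)]

def detect(packets):
    """packets: iterable of (src, sport, dst, dport, proto). Returns sorted event names."""
    ports = defaultdict(set)    # (protected dst, proto) -> distinct dst ports seen
    sources = defaultdict(set)  # (protected dst, proto) -> distinct source hosts
    targets = defaultdict(set)  # external src -> protected hosts it has reached
    events = set()
    for src, sport, dst, dport, proto in packets:
        if direction(src, dst) != "inbound":   # only traffic entering the network
            continue
        key = (dst, proto)
        ports[key].add(dport)       # sport is deliberately ignored (PSDISTRIB)
        sources[key].add(src)
        targets[src].add(dst)       # dport/proto ignored here (PSPING)
        # PSDISTRIB: both thresholds must be met, so a single noisy source does
        # not fire (that case belongs to hosts-per-port instead).
        if len(ports[key]) >= PORT_THRESHOLD and len(sources[key]) >= HOST_THRESHOLD:
            events.add(f"DISTRIB-{proto.upper()}SCAN")
        if len(targets[src]) >= DISCOVERY_THRESHOLD:
            events.add("NETWORK-DISCOVERY")
    return sorted(events)

# Constructed traffic: five external hosts each probe one port on 10.0.0.5,
# then one external host sends a packet to four different protected hosts.
SAMPLE = ([(f"198.51.100.{i}", 40000 + i, "10.0.0.5", 20 + i, "tcp") for i in range(1, 6)]
          + [("203.0.113.9", 1, f"10.0.0.{i}", 22, "tcp") for i in range(1, 5)])

if __name__ == "__main__":
    print(detect(SAMPLE))   # ['DISTRIB-TCPSCAN', 'NETWORK-DISCOVERY']
```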
Creating Network Sensor Policies and Signatures A-35
6.x to 7.x Mappings