Network Sensor Signatures - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide

The Stream Rebuilding tab settings tell the Network Sensor which traffic flows should be
reconstructed. You can reconstruct UDP and TCP sessions for all types of traffic.
The Flags tab allows you to configure the sensor to look for unusual TCP flag combinations
in order to detect TCP flag probes (for example, FIN-SYN scanning or remote OS detection).
The Flags tab provides pre-configured combinations, and you can also configure your own flag
combinations.
You can use the Log Syn tab to configure rules that tell the sensor whether to log or ignore
SYN packets (initial TCP session requests) to specific destination IP addresses or networks,
and destination ports.
The Log Session tab allows you to configure rules to tell the Network Sensor to log or ignore
specific network sessions such as Telnet or FTP, based on the IP address of interest, and the
target UDP or TCP ports.
The Log Start Stop tab settings tell the sensor to log or ignore TCP session starts and stops.
You can also dynamically define the number of additional packets to log when these alerts
start.
The Log Destination tab can be used to tell the sensor to log or ignore traffic attempting to
reach nonexistent hosts on the protected network. This type of activity could indicate a probe
or an incorrect service configuration.
The Log Server tab settings help find illegal (unauthorized) TCP services by looking for SYN-ACK
packets coming from protected hosts; a SYN-ACK sent by a protected host shows that the host is
accepting connections on that port. You can also dynamically define the number of additional
packets to log when these alerts start.
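As an added illustration that is not part of the manual, the following Python models the checks the Flags, Log Destination and Log Server tabs describe above and runs them over constructed sample traffic; the protected network, live-host inventory, allowed-service list and the names given to flag combinations are all assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# TCP header flag bits, and the few header fields the checks below read.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
Packet = namedtuple("Packet", "src sport dst dport flags")

# Constructed inventory of the protected network (assumption, not from the manual).
PROTECTED = ip_network("10.0.0.0/24")
LIVE_HOSTS = {"10.0.0.10", "10.0.0.20"}
ALLOWED_SERVICES = {("10.0.0.10", 22), ("10.0.0.20", 443)}

def flag_anomaly(flags):
    """Flags tab: name an unusual TCP flag combination, or None if it is legal."""
    if flags == 0:
        return "NULL"                       # no flags set at all
    if flags & SYN and flags & (FIN | RST):
        return "SYN-FIN" if flags & FIN else "SYN-RST"
    if flags & FIN and not flags & ACK:
        return "FIN-NO-ACK"                 # a FIN only belongs on an open flow
    return None

def unauthorized_server(pkt):
    """Log Server tab: a SYN-ACK from a protected host proves it accepts connections on its source port; report ports not on the allowed list."""
    return ((pkt.flags & (SYN | ACK)) == (SYN | ACK)
            and ip_address(pkt.src) in PROTECTED
            and (pkt.src, pkt.sport) not in ALLOWED_SERVICES)

def dead_destination(pkt):
    """Log Destination tab: traffic to a protected address with no host behind it."""
    return ip_address(pkt.dst) in PROTECTED and pkt.dst not in LIVE_HOSTS

def inspect(packets):
    """Apply the three checks and return (rule, detail, src, dst) events in order."""
    events = []
    for p in packets:
        if (name := flag_anomaly(p.flags)):
            events.append(("FLAGS", name, p.src, p.dst))
        if unauthorized_server(p):
            events.append(("LOG-SERVER", f"tcp/{p.sport}", p.src, p.dst))
        if dead_destination(p):
            events.append(("LOG-DEST", f"tcp/{p.dport}", p.src, p.dst))
    return events

# Constructed sample traffic: legal SYN, SYN-FIN probe, SYN-ACK from an unlisted service, SYN to an empty address.
SAMPLE = [
    Packet("198.51.100.7", 40000, "10.0.0.10", 22, SYN),
    Packet("198.51.100.7", 40001, "10.0.0.10", 80, SYN | FIN),
    Packet("10.0.0.20", 8080, "198.51.100.7", 40002, SYN | ACK),
    Packet("198.51.100.7", 40003, "10.0.0.99", 445, SYN),
]
```

Calling `inspect(SAMPLE)` yields one event per tab: the SYN-FIN probe, the unlisted service on tcp/8080, and the SYN to the unused address; the legal SYN produces nothing.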
To search all TCP Syn packets for a specific pattern, use the Log SYNPattern tab to create rules
that specify a list of event names and data patterns to look for in each SYN packet that has a
data payload.

Other policy settings tell the sensor to look for any packet that has a zero-length TCP option
or a post-EOL TCP option and generate an event when such packets are identified, and to
identify SYN attacks and generate an event.

Network Sensor Signatures

The Network Sensor has a powerful signature recognition engine that can quickly process a
packet or network session for suspicious data strings in the data portion of packets. These
suspicious data strings are defined in signatures, which are stored and read each time the
Network Sensor is started.
When a signature data pattern is matched, the Network Sensor can drop the packet, send a
transport layer error packet (a TCP reset for TCP connections or an ICMP port unreachable
message for UDP traffic), and/or instantiate a persistent firewall blocking rule, in addition to
generating an event.
Enterasys IPS ships with a comprehensive set of vulnerability and exploit-based signatures, and
Enterasys continually provides signature updates with the Dragon Live Update feature. (Refer to
the discussion of Live Update in the Configuration Guide for more information.)
The predefined signatures are organized in Master Libraries, which can be viewed from the
Signature Libraries tab in the Network Policy View, as shown in Figure 1-3 on page 1-10.
You can assign Master Libraries directly to a virtual Network Sensor, or you can create your own
custom signatures and signature libraries and assign them to a sensor, as described in
Chapter 3, Creating Network Sensor Signatures.

Creating Network Sensor Policies and Signatures 1-9