Enterasys Intrusion Prevention System Manual page 231

Network sensor policies and signatures guide

Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: RBLOG
7.0 XML Attribute: NSC/SC/C/Logging/ring-buffer
Description: Instructs the Enterasys IPS Sensor to write to a shared memory ring buffer. This option is required for the Enterasys IPS architecture.
Technical Note: This option requires the command line argument '-f' and the local 'dragon.cfg' file. If the Enterasys IPS Sensor is run without the dragonctl program, then the Sensor itself will create the shared memory.

6.x Keyword: REBUILD
7.0 XML Attributes:
NSC/SC/C/TransportLayer/StreamRebuild/rebuild-external
NSC/SC/C/TransportLayer/StreamRebuild/rebuild-from
NSC/SC/C/TransportLayer/StreamRebuild/rebuild-to
NSC/SC/C/TransportLayer/StreamRebuild/rebuild-internal
NSC/SC/C/TransportLayer/StreamRebuild/rebuild-all
Description: Instructs the Network Sensor to reconstruct UDP and TCP sessions. The associated value indicates which traffic flows should be reconstructed.
Valid values:
0 Only Rebuild external traffic
1 Only Rebuild outbound traffic
2 Only Rebuild inbound traffic
3 Only Rebuild internal traffic
4 Rebuild inbound and internal traffic
5 Rebuild outbound and internal traffic
6 Rebuild all traffic
7 Do not reconstruct any traffic
Consider a busy web server farm where we only wish to analyze web traffic inbound to the farm, but not outbound. The performance gain is immense, but this makes the Network Sensor blind to outbound attacks from your protected networks that are spread across multiple packets. Normally this is an acceptable risk, but it is still a consideration.
If a UDP or TCP session is rebuilt and an event occurs, that event will have a tcp-stream or udp-stream message in its event message data. Of these four Telnet Bad Login events, only one occurred across multiple packets:
Technical Note: Typically, this setting is used as REBUILD 2.
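The REBUILD coverage trade-off described above, as an added example (not from the Enterasys manual or product code): it classifies flows against a set of protected networks and reports which ones a given REBUILD value leaves without session reconstruction. The direction definitions, the protected network 10.1.0.0/16 and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Flow directions each 6.x REBUILD value reconstructs, per the valid-values list.
REBUILD_MODES = {
    0: {"external"}, 1: {"outbound"}, 2: {"inbound"}, 3: {"internal"},
    4: {"inbound", "internal"}, 5: {"outbound", "internal"},
    6: {"external", "outbound", "inbound", "internal"}, 7: set(),
}
ALL_DIRECTIONS = REBUILD_MODES[6]

# Constructed sample: the web server farm's protected network (assumption).
PROTECTED = [ipaddress.ip_network("10.1.0.0/16")]

def direction(src, dst, protected=PROTECTED):
    """Classify a flow relative to the protected networks (assumed definitions)."""
    src_in = any(ipaddress.ip_address(src) in net for net in protected)
    dst_in = any(ipaddress.ip_address(dst) in net for net in protected)
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "external"

def is_rebuilt(mode, src, dst, protected=PROTECTED):
    """True if a flow from src to dst is reconstructed under this REBUILD value."""
    if mode not in REBUILD_MODES:
        raise ValueError(f"REBUILD value must be 0-7, got {mode!r}")
    return direction(src, dst, protected) in REBUILD_MODES[mode]

def blind_directions(mode):
    """Directions where multi-packet events cannot be matched on a rebuilt stream."""
    return sorted(ALL_DIRECTIONS - REBUILD_MODES[mode])

if __name__ == "__main__":
    # Constructed flows: (source, destination)
    flows = [("203.0.113.7", "10.1.2.80"),    # client to web farm
             ("10.1.2.80", "203.0.113.7"),    # web farm to outside host
             ("10.1.2.80", "10.1.9.5")]       # farm host to farm host
    for src, dst in flows:
        state = "rebuilt" if is_rebuilt(2, src, dst) else "NOT rebuilt"
        print(f"REBUILD 2: {src} -> {dst} [{direction(src, dst)}] {state}")
    print("REBUILD 2 has no stream reconstruction for:", blind_directions(2))
```
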
Creating Network Sensor Policies and Signatures A-37
6.x to 7.x Mappings
