Enterasys Intrusion Prevention System Manual page 235

Network sensor policies and signatures guide
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: RPCCONVERT_VERBOSE
7.0 XML Attribute: NSC/SC/C/RPCAnalysis/verbose
Description: The same decodes as "NSC/SC/C/RPCAnalysis" on page A-40, except that it logs events when certain evasions occur. The current events are:
[RPC:NOOP-ATTACK]
[RPC:PROTOCOL-EVASION]
Technical Notes: For details on how these evasions work, refer to "NSC/SC/C/RPCAnalysis" on page A-2, or the Enterasys whitepaper written by Randy Taylor at: https://dragon.enterasys.com/wp/RPC_Evasion.pdf
This feature requires "NSC/SC/C/RPCAnalysis" on page A-40.

6.x Keyword: RPC_ANYPORT
7.0 XML Attribute: NSC/SC/C/RPCAnalysis/any-port
Description: Instructs the Network Sensor to attempt an RPC decode of every packet it sees, regardless of destination port. This variable should be used only when your specific Network Sensor implementation has spare CPU cycles. This rule helps find intruders who are trying to go directly to various RPC ports without first consulting the portmapper service. The Network Sensor is smart enough to ignore traffic to destination ports below 100 and equal to port 443, but it still places an additional load on the system.
This feature requires NSC/SC/C/RPCAnalysis.

6.x Keyword: SAMEIP
7.0 XML Attribute: NSC/SC/C/NetworkLayer/same-address
Description: SAMEIP is a switch that records packets that have the same source and destination IP addresses. This could be an attack, a NAT problem, or a wide variety of other issues. Regardless, these events are interesting and recorded. For Ethernet sensors, the data portion of these events also includes the hardware address for further analysis. These events are labeled [SAME-IP]. Most commonly, these events occur with poorly configured routers and multicast protocols. Keep in mind that denial of service attacks do not need to reply back to their source address, but most attacks do.
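Added example (Python, written for this page and not Enterasys code) sketching the two sensor behaviours the table describes: the any-port RPC decode filter that skips destination ports below 100 and port 443, and the [SAME-IP] event whose data carries the hardware address on Ethernet sensors. The Packet record, the event string format and the port-111 portmapper default are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """One constructed packet record (not the sensor's own data model)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str  # hardware address, as an Ethernet sensor would see it

def wants_rpc_decode(pkt: Packet, any_port: bool) -> bool:
    """Decide whether the sensor attempts an RPC decode of this packet.

    With any-port off, only portmapper traffic (port 111, an assumed default
    for this example) is decoded. With any-port on, every destination port is
    decoded except those the manual says are skipped: below 100 and equal to 443.
    """
    if not any_port:
        return pkt.dst_port == 111
    return not (pkt.dst_port < 100 or pkt.dst_port == 443)

def same_ip_event(pkt: Packet, ethernet: bool = True) -> Optional[str]:
    """Return a [SAME-IP] event when source and destination IP match.

    On Ethernet sensors the event data also carries the hardware address,
    so an analyst can trace which host or router emitted the frame.
    """
    if pkt.src_ip != pkt.dst_ip:
        return None
    event = f"[SAME-IP] {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}"
    return f"{event} hw={pkt.src_mac}" if ethernet else event

def scan(packets: List[Packet], any_port: bool) -> dict:
    """Run both checks over a capture and summarise what the sensor would do."""
    events = [e for e in (same_ip_event(p) for p in packets) if e]
    decoded = [p.dst_port for p in packets if wants_rpc_decode(p, any_port)]
    return {"same_ip_events": events, "rpc_decoded_ports": decoded}

# Constructed sample traffic, not from a real capture.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 111, "00:11:22:33:44:55"),    # portmapper
    Packet("10.0.0.5", "10.0.0.9", 32771, "00:11:22:33:44:55"),  # direct RPC port
    Packet("10.0.0.5", "10.0.0.9", 443, "00:11:22:33:44:55"),    # skipped even with any-port
    Packet("10.0.0.5", "10.0.0.9", 80, "00:11:22:33:44:55"),     # below 100, skipped
    Packet("192.168.1.7", "192.168.1.7", 32772, "aa:bb:cc:dd:ee:ff"),  # same src/dst IP
]
```

With any-port off only the portmapper packet is decoded; with it on, ports 111, 32771 and 32772 are decoded while 80 and 443 are skipped, and the last packet raises a single [SAME-IP] event with its hardware address.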
Creating Network Sensor Policies and Signatures A-41
6.x to 7.x Mappings