Table A-1 6.x to 7.0 Keyword Mapping (continued)
6.x Keyword: STATIC
7.0 XML Attribute: NSC/SC/C/NetworkLayer/LogStatic
Description: Logs all packets from a particular network or IP address. The attribute must be followed by a list of IP addresses or CIDR blocks and a unique name to be associated with the static rule. When traffic matches one of these rules, an event is generated with that name; for example, rules named SUSPECT and NETWORK1 generate the events [SUSPECT] and [NETWORK1] when their address lists match. Events logged by this keyword decode the IP protocol, the source and destination ports for UDP and TCP, and additional information such as the TCP flags.
Technical Note: The maximum number of static rules is 20.

6.x Keyword: SYN
7.0 XML Attribute: NSC/SC/C/TransportLayer/LogSyn
Description: The Network Sensor can log initial TCP session requests, also known as SYN packets.
Every SYN rule takes three arguments: the log rule, the IP address, and the destination port. The log rule is either L (log the SYN packet) or I (ignore it). The IP address can be a single address or an address with a network bit-mask. The third argument is the destination port to log; use 0 to log SYN packets to all ports.
This rule can also help find off-service pokes (connection attempts to ports where no service is offered) on busy servers: ignore the expected SYNs to the server's service port(s) and log everything else, so only connection attempts to unexpected ports generate events. Events of this type are logged with the [SYN] name.
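The following is an added example, not code from the Network Sensor product or this manual, that exercises the STATIC and SYN rule semantics described in both rows above with one small evaluator. The manual names the rule arguments but gives no text syntax, evaluation order or default, so the line formats (NAME addr [addr ...] for STATIC; L|I addr[/mask] port for SYN), matching SYN rules against the packet's destination address in order with first match winning, and not logging a SYN that matches no rule are all assumptions; the addresses, rule sets and packets are constructed for the demonstration.

```python
"""Toy evaluator for the 6.x STATIC and SYN logging rules described above.

Added illustration, not Network Sensor code. Assumed (the manual names the
arguments but not a text syntax or evaluation order):
  STATIC line: NAME addr_or_cidr [addr_or_cidr ...]
  SYN line:    L|I addr[/mask] dport   (dport 0 = all ports)
SYN rules match the destination address in order, first match wins, and a
SYN matching no rule is not logged.
"""
import ipaddress
from dataclasses import dataclass

MAX_STATIC_RULES = 20  # Technical Note: the maximum number of rules is 20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flags, e.g. "S" (SYN) or "SA" (SYN/ACK)


def _net(text):
    # bare address -> /32 (or /128); strict=False tolerates host bits set
    return ipaddress.ip_network(text, strict=False)


def parse_static_rules(lines):
    """Parse STATIC rules; enforce unique names and the 20-rule limit."""
    rules, seen = [], set()
    for line in lines:
        name, *addrs = line.split()
        if not addrs or name in seen:
            raise ValueError(f"bad or duplicate STATIC rule: {line!r}")
        seen.add(name)
        rules.append((name, [_net(a) for a in addrs]))
    if len(rules) > MAX_STATIC_RULES:
        raise ValueError(f"more than {MAX_STATIC_RULES} STATIC rules")
    return rules


def static_events(rules, pkt):
    """One event per STATIC rule whose address list covers the packet's
    source, carrying the decoded fields the manual lists."""
    src, events = ipaddress.ip_address(pkt.src), []
    for name, nets in rules:
        if any(src in n for n in nets):
            ev = {"event": name, "src": pkt.src, "dst": pkt.dst, "proto": pkt.proto}
            if pkt.proto in ("tcp", "udp"):
                ev["sport"], ev["dport"] = pkt.sport, pkt.dport
            if pkt.proto == "tcp":
                ev["flags"] = pkt.flags
            events.append(ev)
    return events


def parse_syn_rules(lines):
    """Parse SYN rules: log rule (L/I), address[/mask], destination port."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() not in ("L", "I"):
            raise ValueError(f"SYN rule needs 'L|I addr[/mask] port': {line!r}")
        port = int(parts[2])
        if not 0 <= port <= 65535:
            raise ValueError(f"bad destination port: {line!r}")
        rules.append((parts[0].upper(), _net(parts[1]), port))
    return rules


def syn_event(rules, pkt):
    """Return a [SYN] event if the packet is an initial SYN that a rule logs.
    Only a pure SYN is a session request; a SYN/ACK is the reply."""
    if pkt.proto != "tcp" or pkt.flags != "S":
        return None
    dst = ipaddress.ip_address(pkt.dst)
    for action, net, port in rules:
        if dst in net and port in (0, pkt.dport):
            if action == "L":
                return {"event": "SYN", "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
            return None  # explicitly ignored
    return None


# Constructed rule sets. Addresses are made up; SUSPECT and NETWORK1 are the
# event names the manual uses. The SYN set is the off-service-poke pattern for
# a busy web server at 10.0.0.5: ignore SYNs to its service ports, log the rest.
STATIC_RULES = parse_static_rules(["SUSPECT 203.0.113.7", "NETWORK1 198.51.100.0/24"])
SYN_RULES = parse_syn_rules(["I 10.0.0.5 80", "I 10.0.0.5 443", "L 10.0.0.0/24 0"])


def demo():
    """Constructed packets through both rule sets; event names per packet."""
    pkts = [
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 80, "S"),    # expected service
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40001, 22, "S"),    # off-service poke
        Packet("198.51.100.9", "10.0.0.5", "tcp", 40002, 22, "SA"),  # reply, not a request
        Packet("192.0.2.1", "10.0.0.9", "udp", 5353, 53),            # no rule covers it
    ]
    out = []
    for p in pkts:
        names = [e["event"] for e in static_events(STATIC_RULES, p)]
        if (s := syn_event(SYN_RULES, p)):
            names.append(s["event"])
        out.append(names)
    return out
```

Running demo() yields [['SUSPECT'], ['SUSPECT', 'SYN'], ['NETWORK1'], []]: the SYN to port 80 on the busy server is ignored by the first I rule, the SYN to port 22 falls through to the catch-all L rule and is logged as the off-service poke, and the SYN/ACK is not treated as a session request at all. Order matters in this model: put the I rules for known services before the broad L rule, or the catch-all will log everything.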
Creating Network Sensor Policies and Signatures A-49
6.x to 7.x Mappings