Enterasys Intrusion Prevention System Manual page 248

Network sensor policies and signatures guide

6.x to 7.x Mappings
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: TCP_ECM (continued from previous page)
Description: The Network Sensor will send four different random responses to the target server. Each packet will have the correct source port and IP address reversed. The hardware source and destination addresses will also be reversed.

This behavior may be used by hackers to identify the existence of the Network Sensor. Normally, the Network Sensor is completely passive, but this feature is a double-edged sword. Hackers may also spoof scans from places like www.whitehouse.gov and cause the Network Sensor to send these random packets back to them - USE WITH CAUTION!

The TCP_ECM packets are generated only if the packets are destined for an NSC/SC/C/ProtectedNetwork network (see "NSC/SC/C/ProtectedNetwork" on page A-35). It will not work for outbound, external, or internal packets. Also, the Network Sensor generates no events that record the occurrence of the TCP_ECM events.

Technical Note: This feature is only available on Ethernet sensors.

6.x Keyword: TCP_STATE
7.0 XML Attribute: NSC/SC/C/TCPState
Description: Used to reduce the effectiveness of IDS Denial of Service tools such as stick and snot.

A-54 Keywords/XML Attributes
