6.x to 7.x Mappings
Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword           7.0 XML Attribute
VLAN_802_1Q           Deprecated
WEB_ANALYSIS_METHOD   NSC/SC/C/HTTPAnalysis/AllowedMethod/method
WEBCONVERT            NSC/SC/C/HTTPAnalysis

Description
VLAN_802_1Q: For the Network Sensor to correctly collect packets on an 802.1q segment, this option must be enabled. Packets conforming to 802.1q have an additional 4 bytes that need to be excluded to get to the IP header.
Technical Note
The 802.1q header is structured as follows:

Bytes  Description
6      Destination Ethernet Address
6      Source Ethernet Address
2      Protocol Field (0x8100 for 802.1q)
2      VLAN specific information
2      Embedded protocol field (0x0800 for IP)
-----
18     Total
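
The offset arithmetic from the technical note above, as an added example (not code from the product or its manual). The function name ip_header_offset, the vlan_aware flag (standing in for a collector with and without the 802.1q option) and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_ADDRS = 12         # destination (6) + source (6) Ethernet addresses
TPID_8021Q = 0x8100    # protocol field value that marks an 802.1q tag
ETHERTYPE_IP = 0x0800  # embedded protocol field value for IP


def ip_header_offset(frame: bytes, vlan_aware: bool = True):
    """Return (ip_header_offset, vlan_id or None), or None when the frame is
    truncated or is not recognised as carrying IP.

    vlan_aware is a hypothetical flag: False models a collector that ignores
    802.1q tags and only accepts 0x0800 in the protocol field at byte 12."""
    if len(frame) < ETH_ADDRS + 2:
        return None
    (proto,) = struct.unpack_from("!H", frame, ETH_ADDRS)
    offset = ETH_ADDRS + 2
    vlan_id = None
    if vlan_aware and proto == TPID_8021Q:
        if len(frame) < offset + 4:      # tag present but frame cut short
            return None
        tci, proto = struct.unpack_from("!HH", frame, offset)
        vlan_id = tci & 0x0FFF           # low 12 bits of the VLAN information
        offset += 4                      # the 4 additional bytes to exclude
    if proto != ETHERTYPE_IP:
        return None
    if len(frame) <= offset or frame[offset] >> 4 != 4:  # IPv4 version nibble
        return None
    return offset, vlan_id


# Constructed sample frames (not captured traffic): locally administered
# addresses and a zero-filled 20-byte IPv4 header.
MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
IPV4_HDR = bytes([0x45, 0, 0, 20]) + bytes(16)
UNTAGGED = MACS + struct.pack("!H", ETHERTYPE_IP) + IPV4_HDR
TAGGED = MACS + struct.pack("!HHH", TPID_8021Q, 0x0064, ETHERTYPE_IP) + IPV4_HDR

if __name__ == "__main__":
    print("untagged:           ", ip_header_offset(UNTAGGED))
    print("tagged, VLAN-aware: ", ip_header_offset(TAGGED))
    print("tagged, not aware:  ", ip_header_offset(TAGGED, vlan_aware=False))
```

With the tag ignored, the tagged frame is not recognised as IP at all, which is why the option has to be enabled on an 802.1q segment.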
WEB_ANALYSIS_METHOD: The HyperText Transfer Protocol (HTTP) specifies that requests can be made using the following template:

    METHOD URI HTTP-VERSION

This keyword allows selected RFC 2616 (HTTP 1.1) methods to be labeled as acceptable for use on web servers located on the protected network. Standard methods not included in this list will cause a [WEB:UNAUTH-METHOD] alert to be generated.
Technical Notes
RFC 2616 specifies the following request methods:
• CONNECT
• DELETE
• GET
• HEAD
• OPTIONS
• POST
• PUT
• TRACE
WEBCONVERT: This setting simulates a web server when analyzing web traffic. Complex rules used to identify web traffic are described with a destination or source port of W. The Network Sensor signatures that are string-based (not an exact binary match) are run through the HTTPAnalysis filter before having their signatures matched. HTTPAnalysis protects the Network Sensor's integrity by performing several transforms on collected data that could otherwise be used to confuse the Network Sensor. Short descriptions of the web-based anti-IDS attacks that do not work on the Network Sensor are listed below: