For example, if you enabled repeat tracking for source IP with a repeat threshold of 3, and
many identical events were generated consecutively from the same source IP, only 3 of the
events would be logged. As soon as a different event occurred after the threshold was met, a
final event would be logged that reported the number of unlogged events, as shown in the
following log example. In this case, 9 additional repeat events were not logged.
11:24:49 [F] 10.100.100.53 134.141.133.174 [SSH:VERSION-1] (tcp,sp=22,dp=36991) sensor1
11:24:52 [F] 10.100.100.53 134.141.133.174 [SSH:VERSION-1] (tcp,sp=22,dp=36992) sensor1
11:24:52 [F] 10.100.100.53 134.141.133.174 [SSH:VERSION-1] (tcp,sp=22,dp=36993) sensor1
11:25:23 [F] 10.100.100.53 134.141.133.174 [SSH:VERSION-1] (tcp,sp=22,dp=36992,repeat=9) sensor1
11:25:23 [T] 134.141.133.174 10.100.100.53 [WEB:NETSCAPE] (tcp,sp=37011,dp=80) sensor1
This option improves performance by not logging repeated similar events. It is particularly useful for preventing a network fault, such as a misconfigured router generating a flood of low-TTL events, from filling the Network Sensor logs. Note that only the count of the suppressed events is kept: the per-event details of those events (for example, the destination ports in the log above) are not recorded, so choose a threshold high enough to retain the detail you need for an investigation.
A common setting for Repeat Threshold is between 100 and 500.
11. Click Commit to add your changes to the policy being configured.
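The suppression behavior described in the preceding step, as an added worked example in Python. This is illustrative code written for this page, not code from the Dragon Network Sensor or its documentation. It parses constructed event lines laid out like the log above and applies a Repeat Threshold of 3. Two points are assumptions rather than documented behavior: "identical events from the same source IP" is taken to mean the same source IP and the same event name, and the summary line is built from the last suppressed event, stamped with the time of the event that triggered it (as in the log above, where the summary carries the 11:25:23 timestamp of the WEB:NETSCAPE event).

```python
import re
from dataclasses import dataclass, replace

# Dragon-style event line: time [flag] src dst [EVENT-NAME] (proto tuple) sensor
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \[(?P<flag>[A-Z])\] (?P<src>\S+) (?P<dst>\S+) "
    r"\[(?P<sig>[^\]]+)\] \((?P<proto>[^)]*)\) (?P<sensor>\S+)$"
)


@dataclass(frozen=True)
class Event:
    time: str
    flag: str
    src: str
    dst: str
    sig: str
    proto: str
    sensor: str

    def render(self, repeat=0):
        # A non-zero repeat count is appended to the protocol tuple, as in
        # "(tcp,sp=22,dp=36992,repeat=9)" in the manual's log example.
        proto = self.proto + (f",repeat={repeat}" if repeat else "")
        return f"{self.time} [{self.flag}] {self.src} {self.dst} [{self.sig}] ({proto}) {self.sensor}"


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    return Event(**m.groupdict())


def suppress_repeats(lines, threshold, flush_at_end=True):
    """Apply repeat tracking to an ordered stream of event lines.

    Consecutive events with the same (source IP, event name) form a run.
    Only the first `threshold` events of a run are logged; the rest are
    counted. When a different event arrives, a summary line carrying
    repeat=<count> is emitted before it. The run key and the summary
    format are assumptions made for this example.
    """
    out = []
    run_key, seen, unlogged, last_dropped = None, 0, 0, None

    def summary(trigger_time):
        # Assumption: summary uses the last suppressed event's fields and the
        # timestamp of the event that ended the run.
        return replace(last_dropped, time=trigger_time).render(repeat=unlogged)

    for ev in map(parse, lines):
        key = (ev.src, ev.sig)
        if key == run_key:
            seen += 1
            if seen <= threshold:
                out.append(ev.render())
            else:
                unlogged += 1
                last_dropped = ev
            continue
        # A different event ends the current run: report what was dropped.
        if unlogged:
            out.append(summary(ev.time))
        run_key, seen, unlogged, last_dropped = key, 1, 0, None
        out.append(ev.render())

    # The sensor only reports on the next distinct event; emitting a trailing
    # summary at end of input is this example's choice so the count is not lost.
    if unlogged and flush_at_end:
        out.append(summary(last_dropped.time))
    return out


# Constructed sample: 12 consecutive SSH:VERSION-1 events from one source
# (destination ports 36991..37002), then a different event from another host.
SAMPLE = [
    f"11:24:{49 + i // 3:02d} [F] 10.100.100.53 134.141.133.174 [SSH:VERSION-1] "
    f"(tcp,sp=22,dp={36991 + i}) sensor1"
    for i in range(12)
] + ["11:25:23 [T] 134.141.133.174 10.100.100.53 [WEB:NETSCAPE] (tcp,sp=37011,dp=80) sensor1"]

if __name__ == "__main__":
    for line in suppress_repeats(SAMPLE, threshold=3):
        print(line)
```

Running the block prints five lines: the first three SSH events, a summary with `repeat=9`, and the WEB:NETSCAPE event, matching the shape of the log above. Raising the threshold to 12 or more logs every event and produces no summary, which is the trade-off the 100 to 500 guidance is balancing.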
Configuring the Network Layer Module
The Network Layer Module is one of the default and required modules that must be included in a
Network Sensor policy. This module defines what IP packet header fields the Network Sensor
should analyze and what actions the sensor should take when it finds certain anomalous values in
those fields.
The Network Layer Module has six tabs, described in the following sections.
For information about...   Refer to page...
General Settings Tab   2-34
Log Option Tab   2-39
Log Protocol Tab   2-41
Log Frag Tab   2-42
Log Static Tab   2-44
Log Broadcast Tab   2-46
Creating Network Sensor Policies and Signatures 2-33