9. Selecting Log Localhost Traffic tells the sensor to log any packet with a source or destination
address in 127.0.0.0/8. This address space is reserved, and a variety of attacks choose their
source addresses from this block. This option is selected by default.
Application Note for Ethernet Only: Because these packets are probably spoofed, the hardware
address is recorded for these packets for further analysis. Keep in mind that if a hacker has
local layer 2 network access, they can spoof the source hardware address. However, if the
attacker is remote, the hardware address can tell you where the attack is coming from on your
network.
There is also a good chance that these events result from incorrectly configured routers, in which
case the hardware address is also useful in debugging the problem.
Many tools that spoof IP source addresses choose from the full range 0.0.0.0 to
255.255.255.255 and therefore have a one in 256 chance of choosing an address in 127.0.0.0/8. Tools
like NMAP have this problem when they spoof decoy packets.
10. Selecting Log Same Source and Destination Address or Log Null Source or Destination
Address tells the sensor to log packets with the same address as both source and destination
and to log packets with a null value for source or destination address. These options are
selected by default.
These types of packets could be an attack, a NAT problem, or one of a wide variety of other issues.
Regardless, these events are interesting and are recorded. For Ethernet sensors, the data portion
of these events also includes the hardware address for further analysis. Most commonly, these
events occur with poorly configured routers and multicast protocols. Keep in mind that denial
of service attacks do not need replies to reach their source address, but most other attacks do.
11. When you select Log Checksum Events, you also must enter a Checksum Verification
Frequency. Selecting this option tells the sensor to validate the IP checksums of packets that
are directed at the protected network. The frequency value indicates how often this test
should be carried out. For example, a value of 5 indicates that the test should be carried out
every 5th packet. This option is not selected by default.
Purposely crafted IP packets with bad checksums can fool packet-based IDS devices into
accepting packets that a destination host would reject. Although the frequency value provides
a statistical sampling technique designed to balance performance with IP checksum
verification, in many cases, this option should not be enabled.
Modern routers drop any IP packets that do not have the correct checksums. In an Internet
environment, it is very difficult for an attacker to send corrupted IP packets unless they are
one hop away from the Network Sensor. This prevents Internet attackers from using this
technique. However, insiders and attackers who have an intimate knowledge of your
topology could exploit this. All of these factors (including the impact on performance) should
be weighed when enabling or disabling this feature.
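To make the four options concrete, here is an added example (not code from the manual or the product) that models them as a small packet classifier: it flags 127.0.0.0/8 traffic, identical or null (0.0.0.0) addresses, and, only on every Nth packet as the Checksum Verification Frequency describes, a bad IPv4 header checksum. The `SensorPolicy` class, the event names and the constructed test headers are assumptions for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # reserved block behind Log Localhost Traffic
NULL_ADDR = ipaddress.ip_address("0.0.0.0")     # "null" address behind Log Null Source or Destination

def ipv4_checksum(header: bytes) -> int:
    # RFC 791 one's-complement sum; over a header carrying a correct checksum it yields 0
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_checksum_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0

def ipv4_header(src: str, dst: str, corrupt: bool = False) -> bytes:
    # Constructed 20-byte IPv4 header for testing; corrupt=True flips one checksum bit,
    # the kind of packet a router drops but a packet-based IDS might still parse.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(hdr) ^ (1 if corrupt else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

class SensorPolicy:
    # Hypothetical model of the four policy options; defaults follow the text above.
    def __init__(self, log_localhost=True, log_same_addr=True, log_null_addr=True,
                 log_checksum=False, checksum_frequency=5):
        self.log_localhost, self.log_same_addr = log_localhost, log_same_addr
        self.log_null_addr, self.log_checksum = log_null_addr, log_checksum
        self.checksum_frequency = max(1, checksum_frequency)  # 1 = verify every packet
        self._seen = 0  # packets seen so far, drives the Nth-packet sampling

    def inspect(self, header: bytes) -> list:
        # Return the names of the events this packet would cause the sensor to log.
        src = ipaddress.ip_address(header[12:16])
        dst = ipaddress.ip_address(header[16:20])
        events = []
        if self.log_localhost and (src in LOOPBACK or dst in LOOPBACK):
            events.append("localhost-traffic")
        if self.log_same_addr and src == dst:
            events.append("same-src-dst")
        if self.log_null_addr and NULL_ADDR in (src, dst):
            events.append("null-address")
        if self.log_checksum:  # validate only every Nth packet (statistical sampling)
            self._seen += 1
            if self._seen % self.checksum_frequency == 0 and not ip_checksum_valid(header):
                events.append("bad-ip-checksum")
        return events
```

Note that with a frequency of 2 a corrupted third packet passes unflagged, which is exactly the trade-off the text describes when weighing sampling against performance.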
Creating Network Sensor Policies and Signatures 2-35
Configuring the Network Layer Module