16. Specifying a Log <= TTL Value tells the sensor to log any packet whose IP time-to-live (TTL)
value is less than or equal to the specified value. The default value is 0; a common setting is
5, and the maximum is 10.
The intent of this option is to record traceroute packets as well as attempts to bypass intrusion
detection systems with small TTL settings. When packets are logged, the protocol and ports
are recorded.
The Network Sensor reports a [LOWTTL-UDP] or [LOWTTL-TCP] event if the packet is UDP or
TCP, its TTL is at or below the configured value, and the destination port is below 1024.
Low-TTL UDP or TCP packets to ports of 1024 and above, which are more likely traceroute probes,
are reported instead with event names such as [TRACE-TCP] and [TRACE-UDP], so that the two
cases can be told apart. ICMP-based traceroute events are labeled [TRACE-ICMP]. Finally, low-TTL
packets that are not UDP, TCP or ICMP are labeled [LOWTTL-UNKNOWN].
17. Specifying a value for Drop Packets with minimum TTL causes the Network Sensor to discard
packets that the destination machines can never receive, rather than analyse or reassemble them.
If a Network Sensor is n hops in front of a protected network, it should ignore all packets with
a TTL of n-1 or lower, because they expire before they reach a host behind it.
Topology can be used against packet-based IDS products. IP packets with low TTLs may not
make it to their destination. If the Network Sensor is not aware of this constraint, it may
analyse, and attempt to reassemble, packets that the destination machines never see, which lets
an attacker insert data into the sensor's view of a stream that the end host never processes.
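The two TTL options above form one decision table: first the minimum-TTL drop, then the Log <= TTL
classification by protocol and destination port. The following Python is an added example, not code
from the Network Sensor or this manual. It builds a few IPv4 packets inline (constructed, not captured),
parses the fields the rules need, and returns the event the sensor would record together with the
protocol and ports. The exact comparison behind "minimum TTL" (drop when the TTL is below the
configured hop count) and the reading of the default 0 as matching nothing in normal traffic are
assumptions; the function and type names are the example's own.

```python
import socket
import struct
from collections import namedtuple

# IPv4 protocol numbers used by the classification rules.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# What the sensor records for a low-TTL packet: event name, protocol and ports.
LowTTLEvent = namedtuple("LowTTLEvent", "name proto ttl src_port dst_port")


def build_ipv4(proto, ttl, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a minimal IPv4 packet (no options, checksum 0) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(raw):
    """Return (ttl, proto, src_port, dst_port); ports are None unless TCP/UDP."""
    ver_ihl, ttl, proto = raw[0], raw[8], raw[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    src_port = dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(raw) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return ttl, proto, src_port, dst_port


def inspect_ttl(raw, log_ttl=5, min_ttl=0):
    """Apply 'Drop Packets with minimum TTL' and then 'Log <= TTL Value'.

    min_ttl: the sensor sits min_ttl hops in front of the protected network, so a
             packet whose TTL is below it expires before arrival and is dropped
             without analysis (0 = option off). The comparison is an assumption.
    log_ttl: packets with TTL <= log_ttl are logged and classified; the manual's
             default of 0 therefore matches nothing in normal traffic.
    Returns "DROP", None (not logged) or a LowTTLEvent.
    """
    ttl, proto, sport, dport = parse_ipv4(raw)
    if min_ttl and ttl < min_ttl:
        return "DROP"
    if ttl > log_ttl:
        return None
    if proto == PROTO_ICMP:
        name = "TRACE-ICMP"
    elif proto in (PROTO_TCP, PROTO_UDP) and dport is not None:
        label = "TCP" if proto == PROTO_TCP else "UDP"
        # Probes at well-known ports are LOWTTL-*; high ports look like traceroute.
        name = ("LOWTTL-" if dport < 1024 else "TRACE-") + label
    else:
        name = "LOWTTL-UNKNOWN"   # other protocols, or a truncated TCP/UDP header
    return LowTTLEvent(name, proto, ttl, sport, dport)


def run_demo():
    """Constructed sample packets (not captured traffic) run through the rules."""
    udp_hdr = struct.pack("!HHHH", 40000, 33434, 8, 0)                 # traceroute port
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01"                         # echo request
    gre = b"\x00\x00\x08\x00"                                          # proto 47, no ports
    samples = [
        ("udp-high-port", build_ipv4(PROTO_UDP, 3, udp_hdr)),
        ("tcp-low-port", build_ipv4(PROTO_TCP, 2, tcp_hdr)),
        ("icmp", build_ipv4(PROTO_ICMP, 1, icmp)),
        ("gre", build_ipv4(47, 4, gre)),
        ("normal", build_ipv4(PROTO_TCP, 64, tcp_hdr)),
    ]
    logged = {label: inspect_ttl(pkt) for label, pkt in samples}
    # The same traceroute probe seen by a sensor sitting 4 hops in front of the network.
    dropped = inspect_ttl(samples[0][1], log_ttl=5, min_ttl=4)
    return logged, dropped


if __name__ == "__main__":
    for label, event in run_demo()[0].items():
        print(label, event)
```

Running it shows the UDP probe to port 33434 classified as TRACE-UDP, the TCP packet to port 80 as LOWTTL-TCP, the GRE packet as LOWTTL-UNKNOWN, and the TTL-64 packet not logged at all; with the minimum TTL set to 4 the TTL-3 probe is dropped before any classification happens.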
18. When Enable Fragment Rebuild is selected, the Network Sensor attempts to rebuild all IP
fragments that are traveling to the protected network. For performance reasons, the Network
Sensor does not attempt to reassemble fragments leaving the protected network.
Fragments are reassembled when the total amount of data collected equals the packet length
fixed by the fragment that does not have the more fragments (MF) bit set. When a pseudo-packet
is rebuilt, it is injected into the Network Sensor packet processing engine for evaluation. If an
event fires on this packet, an extra event is also generated indicating that the packet was
reconstructed. For packet analysis, these pseudo-packets carry an IP checksum of zero, a TTL
of 255 and an ID value of 0xffff. An event raised on a packet rebuilt from IP fragments therefore
also carries the event name [FRAG-REBUILD] and the message data
(this-event-was-reconstructed).
19. When Enable Large Fragment is selected, the Network Sensor alerts on any fragment offset
larger than a fixed value of 565. Since fragment offsets are measured in units of 8 bytes, an
event is generated for any fragment whose starting position in the original packet is beyond
4520 bytes. The threshold is chosen to exceed the largest fragment an FDDI network would
produce.
20. The Fragment Rebuild Size determines the size of the data structure the Network Sensor
devotes to the reassembly of packets that have been fragmented at the network layer. The
values you can choose are:
– very-low — 503 bytes
– low — 1009 bytes (default)
– medium — 2003 bytes
– high — 3301 bytes
– very-high — 6007 bytes
– maximum — 10,007 bytes
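Items 18 to 20 describe one mechanism: buffer inbound fragments, finish when the data collected
matches the length fixed by the fragment without MF, inject a pseudo-packet with the marker header
values, and bound the buffer by the configured size. The Python below is an added example, not the
Network Sensor's code. It constructs the fragments inline (a 1000-byte UDP datagram split into 800
and 200 bytes and delivered out of order, plus a fragment with offset 600 and a buffer that is too
small). The manual gives no event names for the large-fragment alert or for a full reassembly table,
so the labels "large-fragment" and "rebuild-table-full" are placeholders; treating the Fragment
Rebuild Size figures as bytes of buffered fragment data is likewise an assumption, and the class
and function names are the example's own.

```python
import struct

# Item 19: fragment offsets are in 8-byte units, so 565 means 4520 bytes.
LARGE_FRAG_OFFSET = 565

# Item 20: Fragment Rebuild Size settings. Treating the figure as the number of
# bytes of fragment data held at once is an assumption; the manual only calls
# it the size of the reassembly data structure.
REBUILD_SIZES = {"very-low": 503, "low": 1009, "medium": 2003,
                 "high": 3301, "very-high": 6007, "maximum": 10007}

MF_FLAG = 0x2000        # "more fragments" bit in the flags/offset field


def build_fragment(ident, offset8, mf, data, proto=17, ttl=64):
    """Construct one IPv4 fragment (no options, checksum 0) for the demo."""
    flags_off = (MF_FLAG if mf else 0) | offset8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, flags_off,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + data


def parse_fragment(raw):
    """Pull the reassembly fields out of an IPv4 header."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "mf": bool(flags_off & MF_FLAG),
            "offset": flags_off & 0x1FFF, "hdr": raw[:ihl], "data": raw[ihl:total_len]}


class FragmentRebuilder:
    """Item 18 reassembly with the item 19 check and the item 20 capacity."""

    def __init__(self, size="low"):
        self.capacity = REBUILD_SIZES[size]
        self.held = 0          # bytes of fragment data currently buffered
        self.pending = {}      # key -> {"frags": {offset: data}, "total": int|None, "hdr": bytes}

    def feed(self, raw, to_protected=True):
        """Feed one packet. Returns (events, packet): the packet is the original if it
        was not fragmented, the rebuilt pseudo-packet, or None while still waiting.
        "large-fragment" and "rebuild-table-full" are placeholder labels; the manual
        names only [FRAG-REBUILD]."""
        f = parse_fragment(raw)
        events = []
        if f["offset"] > LARGE_FRAG_OFFSET:
            events.append("large-fragment")
        if f["offset"] == 0 and not f["mf"]:
            return events, raw                      # not fragmented at all
        if not to_protected:
            return events, raw                      # outbound: pass through, no rebuild
        entry = self.pending.setdefault(
            f["key"], {"frags": {}, "total": None, "hdr": f["hdr"]})
        if f["offset"] == 0:
            entry["hdr"] = f["hdr"]                 # prefer the first fragment's header
        if f["offset"] not in entry["frags"]:
            if self.held + len(f["data"]) > self.capacity:
                events.append("rebuild-table-full")
                if not entry["frags"]:
                    del self.pending[f["key"]]
                return events, None
            entry["frags"][f["offset"]] = f["data"]
            self.held += len(f["data"])
        if not f["mf"]:
            # The fragment without MF fixes the length of the original packet.
            entry["total"] = f["offset"] * 8 + len(f["data"])
        have = sum(len(d) for d in entry["frags"].values())
        if entry["total"] is None or have != entry["total"]:
            return events, None   # overlapping fragments never sum to total and stay pending
        del self.pending[f["key"]]
        self.held -= have
        events.append("FRAG-REBUILD")
        return events, self._pseudo_packet(entry)

    @staticmethod
    def _pseudo_packet(entry):
        """Header marked as the manual describes: checksum 0, TTL 255, ID 0xffff."""
        data = b"".join(entry["frags"][o] for o in sorted(entry["frags"]))
        hdr = bytearray(entry["hdr"])
        struct.pack_into("!H", hdr, 2, len(hdr) + len(data))  # total length
        struct.pack_into("!H", hdr, 4, 0xFFFF)                # identification
        struct.pack_into("!H", hdr, 6, 0)                     # flags/offset cleared
        hdr[8] = 255                                          # TTL
        struct.pack_into("!H", hdr, 10, 0)                    # header checksum
        return bytes(hdr) + data


def run_demo():
    """Constructed fragments (not captured traffic) covering the normal and edge cases."""
    payload = bytes(range(256)) * 3 + bytes(232)               # 1000 bytes
    first = build_fragment(0x42, 0, True, payload[:800])
    last = build_fragment(0x42, 100, False, payload[800:])     # 100 * 8 == 800
    big = build_fragment(0x43, 600, False, b"\x00" * 8)        # starts 4800 bytes in
    rb = FragmentRebuilder("low")
    waiting = rb.feed(last)                                    # arrives first: still waiting
    events, pseudo = rb.feed(first)
    large_events, _ = rb.feed(big)
    full_events, _ = FragmentRebuilder("very-low").feed(first)  # 800 bytes > 503
    return {"waiting": waiting, "events": events, "pseudo": pseudo,
            "large": large_events, "full": full_events}
```

The rebuilt pseudo-packet has the header fields the manual lists (TTL 255, ID 0xffff, checksum 0), the flags and offset cleared, and the total length corrected, so a downstream signature engine sees one ordinary 1020-byte packet plus the FRAG-REBUILD marker. The out-of-order delivery, the fragment beyond the 565 offset and the undersized buffer each take a different path through feed().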
Configuring the Network Layer Module
Creating Network Sensor Policies and Signatures 2-37