Log Broadcast Tab - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide

Configuring the Network Layer Module

Log Broadcast Tab

The Network Sensor can be configured to watch for packets with unusual broadcast destination
addresses. Such packets most likely come from denial of service attacks, network probes, or
malfunctioning routers. The Network Sensor ignores internal broadcast traffic and concentrates
on traffic from non-protected networks. Target addresses that end in .255 or .0 are common hacker
probe values.
A Log Broadcast rule has two arguments. The first argument is the protocol and the second
argument is the destination IP address. The destination address should be a normal IP address
without any network bit mask. Events of this type are named [BROADCAST].
Refer to Table 2-2 on page 2-11 for a list of common protocols and their numbers. Use a 0 as a
wildcard for any protocol.

Procedure

To configure the Network Sensor to log packets based on broadcast address:
1. Click the Network Policy View icon and the Network Policies tab.
2. Expand the tree by clicking the expansion symbols and select the desired custom policy name.
   The modules for that policy are displayed in the tree.
3. Click the Network Layer Module in the tree.
4. Click the Log Broadcast tab.
5. Click Add to invoke the settings window.
6. Select the protocol from the Protocol drop-down list or you can enter the protocol's numeric
   value. Refer to Table 2-2 on page 2-11 for a list of common protocol values. Use a 0 as a
   wildcard for any protocol.

Note: The protocol is displayed numerically in the Log Broadcast tab's Protocol column.

2-46 Creating Network Sensor Policies
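The rule semantics described above (protocol number with 0 as wildcard, a plain destination address without a mask, internal traffic ignored) can be modelled in a few lines for checking captured traffic offline. This is an added example, not code from the manual or the product; the names, the protected network, the sample packets and the event line layout are constructed, and treating "internal" as "source inside a protected network" is an assumption.

```python
import ipaddress
from typing import NamedTuple

# Assumption: protected (internal) networks, constructed for this example.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]

class Rule(NamedTuple):
    protocol: int  # IP protocol number; 0 is the wildcard for any protocol
    dst: str       # plain destination address, no network bit mask

class Packet(NamedTuple):
    protocol: int
    src: str
    dst: str

def parse_rule(protocol: int, dst: str) -> Rule:
    if not 0 <= protocol <= 255:
        raise ValueError(f"protocol out of range: {protocol}")
    ipaddress.ip_address(dst)  # raises ValueError for "a.b.c.d/nn" or junk
    return Rule(protocol, dst)

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED)

def matches(rule: Rule, pkt: Packet) -> bool:
    if is_internal(pkt.src):  # assumption: "internal" is judged by source
        return False
    if rule.protocol not in (0, pkt.protocol):
        return False
    return ipaddress.ip_address(pkt.dst) == ipaddress.ip_address(rule.dst)

def broadcast_events(rules, packets):
    """Return one [BROADCAST] line per packet hit by at least one rule."""
    return [f"[BROADCAST] proto={p.protocol} {p.src} -> {p.dst}"
            for p in packets if any(matches(r, p) for r in rules)]

# Constructed sample data (documentation and private address ranges).
RULES = [parse_rule(0, "10.1.2.255"), parse_rule(1, "10.1.2.0")]
PACKETS = [
    Packet(1, "198.51.100.7", "10.1.2.255"),   # external ICMP to .255: logged
    Packet(17, "203.0.113.9", "10.1.2.0"),     # UDP, but the .0 rule is ICMP only
    Packet(1, "203.0.113.9", "10.1.2.0"),      # external ICMP to .0: logged
    Packet(17, "10.1.2.30", "10.1.2.255"),     # internal source: ignored
    Packet(6, "198.51.100.7", "10.1.2.20"),    # ordinary unicast: no rule
]

if __name__ == "__main__":
    print("\n".join(broadcast_events(RULES, PACKETS)))
```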
