Enterasys Intrusion Prevention System Manual page 79

Network sensor policies and signatures guide

6. Specify the Sliding window length in seconds value, which is a limit value for the probe
engine buffer. This option tells the Network Sensor how long (in seconds) it will collect unique
network packets or events before evaluating the entire collection for sweeps and scans.
Packets are collected for unique protocol, destination service, source IP address, and
destination IP address values. For example, if IP #1 sent an ICMP echo request to IP #2, this
packet would be collected. Subsequent echo requests from IP #1 to IP #2 would not be
collected because they are not new traffic. Likewise, if IP #1 visited IP #2's web server on port
80, the first packet would be collected but all other port 80 traffic between them would not.
Once the Sliding window length value is reached, the Network Sensor conducts an analysis
of the data collected during the specified time period. After that, the probe engine buffer is
flushed. The maximum number of seconds is 1209600 (two weeks).
Adjusting this parameter changes the "sensitivity" of the Probe Detection module. To detect
slow port scans, this value should be set to a longer duration. However, a longer duration
could allow an overwhelming amount of data to accumulate, which could lower Network
Sensor performance.
Note: Each conversation (TCP, UDP, ICMP) contains two flows (for example, two distinct source
and destination pairs).
7. Specify the PROTOCOL-SCAN Event Threshold in the Unique protocols needed per host
field. When the number of different protocols used by an external host to probe a computer on
the protected network exceeds the protocol scan event threshold, a [PROTOCOL-SCAN]
event is generated.
8. Specify the UDP-SCAN/TCP-SCAN Event Threshold in the Unique ports needed per host
field. This value specifies the maximum number of destination ports that must be accessed per
destination host before the network sensor determines that the destination host has been
scanned and generates a [UDP-SCAN] or [TCP-SCAN] event.
This option attempts to find patterns of network traffic between two IP addresses that involve
many different ports. For example, if IP #1 sends traffic to IP #2 on ports 21, 25, 53, and 80, this
could count as four ports. If this number exceeds the maximum number of Unique ports
needed per host, a port scan is reported from IP #1 to IP #2.
Refer to the description of Sliding window length in seconds above for more information
about packet collection for analysis using this option value.
9. Specify the UDP-SWEEP/TCP-SWEEP Event Threshold in the Unique hosts needed per port
field. This field specifies the maximum number of destination hosts that can be accessed on a
specific port before the network sensor determines that these hosts have been swept and
generates a [TCP-SWEEP] or [UDP-SWEEP] event.
This option attempts to discover sweeps for single ports to many IP addresses. For example, if
IP #1 attempts to access email (port 25) on IP #2, #3, #4 and #5, this counts as four events that
may be evaluated as a sweep. If this number exceeds the maximum value of Unique hosts
needed per port, a port sweep is reported from the originating IP. For network sweeps, ICMP
netmask, timestamp and echo requests are also considered.
Refer to the description of Sliding window length in seconds above for more information
about packet collection for analysis using this option value.
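The collection and threshold logic described in steps 6 through 9, written out as an added Python example (not code from this manual or from the Enterasys product): unique flows are buffered for one sliding window, the three thresholds are applied, and the buffer is flushed. The sample traffic, addresses, ports and threshold values are constructed for the illustration.

```python
from collections import defaultdict
# Constructed sample traffic (invented): (time_s, proto, src, dst, dport); ICMP echo uses dport 0.
SAMPLE = [
    (0, "TCP", "10.0.0.5", "10.0.0.20", 21),
    (1, "TCP", "10.0.0.5", "10.0.0.20", 25),
    (2, "TCP", "10.0.0.5", "10.0.0.20", 53),
    (3, "TCP", "10.0.0.5", "10.0.0.20", 80),
    (3, "TCP", "10.0.0.5", "10.0.0.20", 80),   # repeat flow: not collected
    (4, "UDP", "10.0.0.5", "10.0.0.20", 53),
    (5, "ICMP", "10.0.0.5", "10.0.0.20", 0),
    (6, "TCP", "10.0.0.9", "10.0.0.21", 25),
    (7, "TCP", "10.0.0.9", "10.0.0.22", 25),
    (8, "TCP", "10.0.0.9", "10.0.0.23", 25),
    (9, "TCP", "10.0.0.9", "10.0.0.24", 25),
]

def evaluate(flows, proto_thr, port_thr, host_thr):
    """Apply the three event thresholds to one window's unique flows."""
    protos = defaultdict(set)  # (src, dst)          -> protocols used
    ports = defaultdict(set)   # (proto, src, dst)   -> destination ports
    hosts = defaultdict(set)   # (proto, src, dport) -> destination hosts
    for proto, src, dst, dport in flows:
        protos[(src, dst)].add(proto)
        if proto in ("TCP", "UDP"):
            ports[(proto, src, dst)].add(dport)
            hosts[(proto, src, dport)].add(dst)
    events = []
    for (src, dst), seen in protos.items():
        if len(seen) > proto_thr:              # Unique protocols needed per host
            events.append(("PROTOCOL-SCAN", src, dst))
    for (proto, src, dst), seen in ports.items():
        if len(seen) > port_thr:               # Unique ports needed per host
            events.append((f"{proto}-SCAN", src, dst))
    for (proto, src, dport), seen in hosts.items():
        if len(seen) > host_thr:               # Unique hosts needed per port
            events.append((f"{proto}-SWEEP", src, dport))
    return events

def run_detector(packets, window_s, proto_thr, port_thr, host_thr):
    """Buffer unique flows for one sliding window, evaluate, then flush."""
    events, flows, start = [], set(), None
    for ts, proto, src, dst, dport in sorted(packets):
        if start is None:
            start = ts
        if ts - start >= window_s:               # window elapsed: analyse, flush
            events += evaluate(flows, proto_thr, port_thr, host_thr)
            flows, start = set(), ts
        flows.add((proto, src, dst, dport))      # duplicates collapse in the set
    events += evaluate(flows, proto_thr, port_thr, host_thr)  # last window
    return events
```

With a 60-second window and thresholds of 2 protocols, 3 ports and 3 hosts the sample raises PROTOCOL-SCAN, TCP-SCAN and TCP-SWEEP; shortening the window to 5 seconds drops the PROTOCOL-SCAN because the ICMP probe lands in the next window, which is the sensitivity trade-off step 6 describes.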
Configuring the Probe Detection Module
Creating Network Sensor Policies and Signatures 2-49
