Idp Signature Groups - D-Link NetDefend DFL-210 User Manual

6.5.6. IDP Signature Groups

Recognizing Unknown Threats
Attackers who build new intrusions often re-use older code. This means their new attacks can appear
"in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for
these reusable components, with pattern matching looking for building blocks rather than the entire
complete code patterns. This means that "known" threats as well as new, recently released,
"unknown" threats, built with re-used software components, can be protected against.
Signature Advisories
An advisory is a explanatory textual description of a signature. Reading a signature's advisory will
explain to the administrator what the signature will search for. Due to the changing nature of the
signature database, advisories are not included in D-Link documentation but instead, are available
on the D-Link website at:
http://security.dlink.com.tw
Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu.
IDP Signature types
IDP offers three signature types which offer differing levels of certainty with regard to threats:
• Intrusion Protection Signatures (IPS) - These are highly accurate and a match is almost
certainly an indicator of a threat. Using the Protect action is recommended. These signatures
can detect administrative actions and security scanners.
• Intrusion Detection Signatures (IDS) - These can detect events that may be intrusions- They
have lower accuracy than IPS and may give some false positives so that's recommended that the
Audit action is initially used before deciding to use Protect.
• Policy Signatures - These detect different types of application traffic. They can be used to block
certain applications such as file sharing applications and instant messaging.
6.5.6. IDP Signature Groups
Using Groups
Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at
the same time when analyzing network traffic. To do this, signatures related to a particular protocol
are grouped together. For example, all signatures that refer to the FTP protocol form a group. It is
best to specify a group that relates to the traffic being searched than be concerned about individual
signatures. For performance purposes, the aim should be to have NetDefendOS search data using the
least possible number of signatures.
Specifying Signature Groups
IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is
the signature Type, the second level the Category and the third level the Sub-Category. The
signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the Type,
DB is the Category and MSSQL is the Sub-Category. These 3 signature components are explained
below:
1. Signature Group Type
The group type is one of the values IDS, IPS or Policy. These types are explained above.
270
Chapter 6. Security Mechanisms