Meta.rules, Segmentation evasion rules, Selecting yes is recommended when using snort – Force10 Networks PSeries 100-00055-01 User Manual


P-Series Installation and Operation Guide, version 2.3.1.2

59

Figure 36

Channel 1 Dynamic rules
Please choose how many dynamic rules (5-20 recommended)
Dynamic rules are rules that can be added without recompiling
the firmware. They can be added at runtime through the UI
Dynamic rules only work for Ipv4 traffic for now
1) 0 5) 20 9) 60 13) 100 17) 180 21) 260 25) 340
2) 2 6) 30 10) 70 14) 120 18) 200 22) 280 26) 360
3) 5 7) 40 11) 80 15) 140 19) 220 23) 300 27) 380
4) 10 8) 50 12) 90 16) 160 20) 240 24) 320 28) 400
#? 5

Do you want to include the default meta rules?
alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)
alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)
alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)
alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)
alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)
alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)
alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)
alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)
alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)
1) Yes
2) No
#? 1

Do you want to include the segmentation evasion rules?
alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)
alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)
alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)
alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100; S:16; R:2; C:17;)
1) Yes
2) No
#? 1

Selecting Yes for both the default meta rules and the segmentation evasion rules is recommended when using Snort.
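The rule lines in Figure 36 are Snort-syntax rules extended with the P-Series options S:, R: and C:, which this page does not define. The following Python is added here as an example; it is not code from the guide or from Force10. It parses those lines and evaluates their standard Snort parts (protocol, flags, dsize) against constructed packets, carrying S/R/C as uninterpreted integers, so the two "within" rules, which have no flags or dsize test, match every packet of their protocol in this model. Whether a `0 <> 20` range includes its endpoints is an assumption exposed as INCLUSIVE_RANGE. Note that the msg text of the evasion rules says "size 0 <> 10" while their dsize option reads 0 <> 20; the example uses the dsize option.

```python
"""Parse and evaluate the Snort-style rule lines from Figure 36.

Added example, not code from the P-Series guide or from Force10.
Assumptions (also marked in comments): the P-Series options S:, R:, C:
are parsed but not interpreted, because the page does not define them;
'a <> b' dsize ranges are inclusive unless INCLUSIVE_RANGE is False;
packets are constructed dicts, not captures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Snort flag letters -> TCP flag bits. Snort calls CWR (0x80) "1" and
# ECE (0x40) "2", so "flags:S,12" means SYN with both ECN bits ignored.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
INCLUSIVE_RANGE = True  # assumption: "0 <> 20" accepts 0 and 20

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    msg: str = ""
    flags: Optional[str] = None   # e.g. "SA", "0", "S,12"
    dsize: Optional[str] = None   # e.g. "1", "0 <> 20"
    extra: Dict[str, int] = field(default_factory=dict)  # S/R/C, uninterpreted


def parse_rule(line: str) -> Rule:
    """Split 'action proto src sport -> dst dport (opts)' into a Rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule line: {line!r}")
    action, proto, _src, _sport, _dst, _dport, body = m.groups()
    rule = Rule(action=action, proto=proto)
    for key, val in OPT_RE.findall(body):
        val = val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "flags":
            rule.flags = val
        elif key == "dsize":
            rule.dsize = val
        else:                      # S:, R:, C: (P-Series state options)
            rule.extra[key] = int(val)
    return rule


def flags_match(spec: str, tcp_flags: int) -> bool:
    """Snort 'flags:<set>[,<ignore>]' with exact-match semantics."""
    want, _, ignore = spec.partition(",")
    ignore_bits = sum(FLAG_BITS[c] for c in ignore)
    want_bits = 0 if want == "0" else sum(FLAG_BITS[c] for c in want)
    return (tcp_flags & 0xFF & ~ignore_bits) == want_bits


def dsize_match(spec: str, size: int, inclusive: bool = INCLUSIVE_RANGE) -> bool:
    """Snort 'dsize:N', 'dsize:<N', 'dsize:>N' or 'dsize:A<>B' on payload size."""
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo <= size <= hi if inclusive else lo < size < hi
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def matches(rule: Rule, pkt: dict) -> bool:
    """Header protocol plus the flags/dsize tests; S/R/C are NOT consulted."""
    if rule.proto != pkt["proto"]:
        return False
    if rule.flags is not None and not flags_match(rule.flags, pkt.get("flags", 0)):
        return False
    if rule.dsize is not None and not dsize_match(rule.dsize, pkt["dsize"]):
        return False
    return True


def fired(rules: List[Rule], pkt: dict) -> List[str]:
    """Messages of every rule that matches pkt, in rule order."""
    return [r.msg for r in rules if matches(r, pkt)]


# Rule lines copied from Figure 36; the wrapped "State 2 Second fragment" line rejoined.
FIGURE_36_RULES = [
    'alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)',
    'alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)',
    'alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)',
    'alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)',
    'alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)',
    'alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)',
    'alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)',
    'alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)',
    'alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100; S:16; R:2; C:17;)',
]
RULES = [parse_rule(r) for r in FIGURE_36_RULES]

# Constructed packets, not captures: "flags" is the raw TCP flag byte.
PACKETS = {
    "syn_with_ecn": {"proto": "tcp", "flags": 0x02 | 0x40 | 0x80, "dsize": 0},
    "syn_ack":      {"proto": "tcp", "flags": 0x12, "dsize": 0},
    "null_scan":    {"proto": "tcp", "flags": 0x00, "dsize": 0},
    "one_byte_psh": {"proto": "tcp", "flags": 0x18, "dsize": 1},
    "udp_dns":      {"proto": "udp", "dsize": 40},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:14s} -> {fired(RULES, pkt)}")
```

Running the block prints which rule messages fire for each constructed packet. The `flags:S,12` rule shows why the ignore mask matters: a SYN carrying the CWR and ECE bits would be missed by a plain `flags:S` exact match, and the `dsize` rules show how much the evasion detection depends on whether the range endpoints count.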

pnic-Compiler Option 6-7