
Idp pattern matching – Amer Networks E5Web GUI User Manual


Evasion Attacks

An evasion attack has the same end result as an insertion attack: the IDP subsystem and the
target application end up seeing two different data streams. It is achieved the opposite way
round, by sending packets that the IDP subsystem rejects but that the target application
accepts.

Detection Action

If an insertion or evasion attack is detected with the Insertion/Evasion Protect option enabled, cOS
Core automatically corrects the data stream by removing the extraneous data associated with
the attack.

Insertion/Evasion Log Events

The insertion/evasion attack subsystem in cOS Core can generate two types of log message:

An Attack Detected log message, indicating an attack has been identified and prevented.

An Unable to Detect log message, indicating that cOS Core could not determine, while
reassembling a TCP/IP stream, whether an insertion or evasion attack was present, so such an
attack may have gone undetected. This condition is caused by infrequent and unusually complex
patterns of data in the stream.

Recommended Configuration

By default, insertion/evasion protection is enabled for all IDP rules and this is the recommended
setting for most configurations. There are two motivations for disabling the option:

Increasing throughput - Where the highest possible throughput is desirable, turning the
option off can provide a slight increase in processing speed.

Excessive False Positives - If there is evidence of an unusually high level of insertion/evasion
false positives then disabling the option may be prudent while the false positive causes are
investigated.

6.5.5. IDP Pattern Matching

Signatures

In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated
with a given type of attack. These predefined patterns, also known as signatures, are stored in a
local cOS Core database and are used by the IDP subsystem to analyze traffic for attack patterns.
Each IDP signature is designated by a unique number.

Consider the following simple attack example involving an exchange with an FTP server. A rogue
user might try to retrieve the password file "passwd" from an FTP server using the FTP command
RETR passwd. A signature looking for the ASCII text strings RETR and passwd would find a match
in this case, indicating a possible attack. In this example the pattern is found in plaintext, but
pattern matching is performed in the same way on pure binary data.
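The following is an added illustration and is not code from cOS Core or the Amer Networks manual. It models the two ideas on this page with a toy: numbered signatures that are matched as ordered byte strings against a reassembled stream (the RETR passwd example, plus a purely binary pattern), and the insertion/evasion problem from the previous section, shown by comparing a weak inspection view of a TCP segment sequence with a model of what the receiving host actually reconstructs. The signature numbers 1001 and 1002, the binary pattern, the segment data and the bad-checksum flag are all constructed for the example, and the reassembly policy (drop bad-checksum segments, first byte received for an offset wins) is a simplification of real TCP stacks, which differ from one another.

```python
from __future__ import annotations
from dataclasses import dataclass

# --- Signature database (constructed for this example) ---------------------

@dataclass(frozen=True)
class Signature:
    sid: int                    # unique signature number
    name: str
    patterns: tuple[bytes, ...] # every pattern must occur, in this order

SIGNATURES = (
    Signature(1001, "FTP RETR of passwd", (b"RETR", b"passwd")),
    Signature(1002, "constructed binary marker", (b"\xde\xad\xbe\xef",)),
)

def match_signatures(stream: bytes, sigs=SIGNATURES) -> list[int]:
    """Return the numbers of all signatures whose patterns occur in order.
    Matching works on raw bytes, so text and binary patterns are treated alike."""
    hits = []
    for sig in sigs:
        pos, ok = 0, True
        for pat in sig.patterns:
            idx = stream.find(pat, pos)
            if idx < 0:
                ok = False
                break
            pos = idx + len(pat)
        if ok:
            hits.append(sig.sid)
    return hits

# --- Two views of the same packets ------------------------------------------

@dataclass(frozen=True)
class Segment:
    seq: int              # offset of the first byte within the TCP stream
    data: bytes
    bad_checksum: bool = False  # the target's stack silently drops such a segment

def naive_idp_view(segments: list[Segment]) -> bytes:
    """A weak inspection model: trusts every segment it sees (no checksum check)
    and keeps no reassembly buffer, so a segment whose sequence number is below
    the bytes already consumed is discarded as a retransmission."""
    out, consumed = b"", 0
    for seg in segments:                 # arrival order
        if seg.seq < consumed:
            continue
        out += seg.data
        consumed = seg.seq + len(seg.data)
    return out

def reassemble(segments: list[Segment]) -> bytes:
    """Model of the receiving host: discard bad-checksum segments, then place
    the remaining bytes by sequence number. On overlap the first byte received
    for an offset is kept (one policy among several used by real stacks)."""
    seen: dict[int, int] = {}
    for seg in segments:
        if seg.bad_checksum:
            continue
        for i, b in enumerate(seg.data):
            seen.setdefault(seg.seq + i, b)
    return bytes(seen[k] for k in sorted(seen))

# Insertion: the 'X' segment is accepted by the naive inspector but rejected
# by the target, so only the inspector sees "paXsswd".
INSERTION_SEGMENTS = [
    Segment(0, b"RETR "),
    Segment(5, b"pa"),
    Segment(7, b"X", bad_checksum=True),
    Segment(7, b"sswd\r\n"),
]

# Evasion: "pa" arrives after the bytes that follow it; the naive inspector
# rejects it as a retransmission while the target slots it into place.
EVASION_SEGMENTS = [
    Segment(0, b"RETR "),
    Segment(7, b"sswd\r\n"),
    Segment(5, b"pa"),
]

def compare(segments: list[Segment]) -> tuple[list[int], list[int]]:
    """(signatures matched by the naive inspector, signatures matched on the
    stream the target actually reconstructs)."""
    return match_signatures(naive_idp_view(segments)), match_signatures(reassemble(segments))

if __name__ == "__main__":
    for label, segs in (("insertion", INSERTION_SEGMENTS), ("evasion", EVASION_SEGMENTS)):
        print(label, naive_idp_view(segs), reassemble(segs), compare(segs))
```

In both scenarios the naive view matches nothing while the target's reconstructed stream matches signature 1001, which is the gap the Insertion/Evasion Protect option is there to close: an IDP only sees what the target sees if its reassembly mirrors the target's, discarding what the target discards and keeping what the target keeps.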

Recognizing Unknown Threats

Chapter 6: Security Mechanisms

474
