Force10 Networks PSeries 100-00055-01 Instrukcja Użytkownika Pobierz pdf (Strona 123)

P-Series Installation and Operation Guide, version 2.3.1.2 123

The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Table 29 and

Table 30.

Appendix C Meta and Evasion Rules

Table 29 meta Rules for Channel 0 and Channel 1

meta Rules

alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)

alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)

alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2;

C:32;)

alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64;

R:2; C:64;)

alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)

alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)

alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)

alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)

alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)

Table 30 Evasion Rules for Channel 0 and Channel 1

Evasion Rules

alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)

alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4;

R:1; C:8;)

alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0

<> 20; S:8; R:1; C:16;)

alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100;

S:16; R:2; C:17;)

1 2 ... 118 119 120 121 122 123 124 125 126 127 128 ... 131 132

Brak uwag

Force10 Networks PSeries 100-00055-01 Instrukcja Użytkownika Strona 123