Modifying the IDP Device Configuration

You do not need to modify the IDP device configuration to get started with your IDP deployment. As you learn how the IDP device performs in your network, you can use Network and Security Manager (NSM) to modify the IDP device properties described in this section to optimize performance and reduce false positives.

This section includes the following topics:

Modifying NSM Informational Properties

NSM informational properties are management object parameters you created when you added the device to the NSM Device Manager, as well as inventory data, including the installed software and firmware versions. Figure 1 shows the Info page, where you can modify these properties.

Figure 1: NSM Device Configuration Editor: Info Page

To modify NSM informational properties:

  1. In NSM Device Manager, double-click the IDP device you want to modify to display the device configuration editor, which opens by default to the Info page.
  2. Configure the informational settings described in Table 1.
  3. Click Apply.
  4. Click OK.

Table 1: IDP Device Configuration: Info Settings

Name–The name of the IDP device in NSM. Editable.

Color–The color of the IDP device icon in NSM. Selectable.

Platform–The IDP device hardware model number.

Managed OS Version–The major OS version.

Running OS Version–The precise OS version installed on the device.

IP Address–The IDP device management port IP address. Note: Can only be changed with ACM.

Serial Number–The product serial number.

IDP Detector Version–The version of the IDP detector engine installed on the device.

IDP Mode–Deployment mode: sniffer, transparent, mixed. Note: Can only be changed with ACM.

Secondary Management Server IP–The IP address that the IDP device contacts if it cannot reach the current NSM server.

Software License Type–The type of license currently loaded on the IDP device. An evaluation license is good for one year.

Software License Expiration Date–The expiration date of the license currently loaded on the IDP device.

Security Policy Name–The security policy assigned to the device. Selectable.

Modifying Antispoof Settings

To detect attacks that spoof the addresses of hosts in your protected network, you associate each IDP traffic interface with the address objects of the hosts behind it. The IDP appliance then detects an IP spoof attack if:

  • An incoming packet uses an IP address that belongs to a network object on your internal network.
  • An outgoing packet uses an IP address that does not belong to a network object on your internal network.

Figure 2 shows the Anti-Spoof Settings page, where you can configure IP spoof detection.

Figure 2: NSM Device Configuration Editor: Anti-Spoof Settings Page

To modify antispoof settings:

  1. In NSM Device Manager, double-click the IDP device you want to modify to display the device configuration editor.
  2. Click Anti-Spoof Settings.
  3. Click the + icon to display the Anti-Spoof Settings dialog box.
  4. Configure the antispoof settings described in Table 2.
  5. Click Apply.
  6. Click OK.

Table 2: IDP Device Configuration: Antispoof Settings

Interface Name–Selects a forwarding interface to configure.

Logging–Enables logging for spoofed IP addresses.

Alarm–Enables alerts for spoofed IP addresses.

Check Other Interfaces–Indicates whether the device should check the status of other interfaces when determining spoofing.

Action–Specifies the action for the IDP device to take: None or Drop Packet.

Network Objects–Specifies the address objects you associate with the selected interface.

Modifying Runtime Parameters

Runtime parameters include options for tuning IDP detection methods. In general, you modify these settings only if you encounter false positives or performance issues.

Figure 3 shows the Run-time Parameters tab, where you can configure these settings.

Figure 3: NSM Device Configuration Editor: Run-time Parameters Tab

To modify runtime parameters:

  1. In NSM Device Manager, double-click the IDP device you want to modify to display the device configuration editor.
  2. Click Sensor Settings.
  3. Click the Run-time Parameters tab.
  4. Modify the runtime settings described in Table 3.
  5. Click Apply.
  6. Click OK.

Table 3: IDP Device Configuration: Runtime Parameters

Setting

Description

Backdoor Detection

Minimum interval between consecutive small packets / Maximum interval between consecutive small packets–Controls the minimum and maximum intervals (in microseconds) between the arrival of two consecutive small packets in suspected interactive traffic. If the IDP device sees small packets arrive in less than the minimum or more than the maximum number of microseconds, it does not consider the traffic to be interactive.

The defaults are 20,000 and 20,000,000. This means that consecutive small packets must arrive within 20,000 to 20,000,000 microseconds to be considered interactive.

Byte threshold for packet sizes in a backdoor connection–Controls the maximum number of bytes a TCP packet must contain before the IDP device uses the packet for backdoor detection heuristics. The default is 20 bytes.

Minimum number of data carrying TCP packets–Controls the minimum number of data-carrying TCP packets in suspected interactive traffic. The default is 20 packets.

Minimum percentage of back-to-back small packets–Controls the minimum percentage of consecutive small packets in suspected interactive traffic. If the IDP device sees less than this percentage, it does not report a backdoor event. The default is 20%.

Ratio of small packets to the total packets–Controls the minimum percentage of small packets that the IDP device uses for backdoor detection heuristics. If the IDP device sees less than this minimum, it does not report a backdoor event. The default is 20%.
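As an added illustration (this is not Juniper's code, and the order in which the IDP engine combines these thresholds is not documented here, so the decision logic below is an assumption), the following Python applies the five Backdoor Detection parameters with their Table 3 defaults to constructed arrival-time and payload-size lists for one TCP flow:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackdoorParams:
    """Backdoor Detection thresholds with the Table 3 defaults (field names are this example's own)."""
    min_interval_us: int = 20_000          # minimum interval between consecutive small packets
    max_interval_us: int = 20_000_000      # maximum interval between consecutive small packets
    byte_threshold: int = 20               # payload size at or below which a packet is "small"
    min_data_packets: int = 20             # minimum number of data-carrying TCP packets
    min_back_to_back_pct: float = 20.0     # minimum percentage of back-to-back small packets
    min_small_ratio_pct: float = 20.0      # ratio of small packets to the total packets


def backdoor_event(packets, p=BackdoorParams()):
    """Decide whether one TCP flow looks like interactive (backdoor) traffic.

    packets: list of (arrival_time_us, tcp_payload_bytes) in arrival order.
    Returns (is_backdoor_event, reason). Assumption: the checks run in the
    order below and all of them must pass before an event is reported.
    """
    data = [(t, n) for t, n in packets if n > 0]           # only data-carrying packets count
    if len(data) < p.min_data_packets:
        return False, f"{len(data)} data packets, below minimum {p.min_data_packets}"

    small = [n <= p.byte_threshold for _, n in data]
    ratio = 100.0 * sum(small) / len(data)
    if ratio < p.min_small_ratio_pct:
        return False, f"small-packet ratio {ratio:.1f}% below {p.min_small_ratio_pct}%"

    # Back-to-back small packets: both packets small and spaced like a person
    # typing, i.e. between the minimum and maximum interval.
    pairs = sum(
        1
        for (t0, _), (t1, _), s0, s1 in zip(data, data[1:], small, small[1:])
        if s0 and s1 and p.min_interval_us <= t1 - t0 <= p.max_interval_us
    )
    b2b = 100.0 * pairs / max(len(data) - 1, 1)
    if b2b < p.min_back_to_back_pct:
        return False, f"back-to-back small packets {b2b:.1f}% below {p.min_back_to_back_pct}%"
    return True, f"backdoor event: {ratio:.0f}% small packets, {b2b:.0f}% back-to-back"


# Constructed sample flows (not captures): a keystroke-like shell session, a bulk
# file copy, and a scripted client sending small packets far faster than a person could.
def shell_like_flow(n=25, gap_us=150_000):
    return [(i * gap_us, 8) for i in range(n)]


def bulk_transfer_flow(n=25, gap_us=1_000):
    return [(i * gap_us, 1400) for i in range(n)]


def scripted_small_flow(n=25, gap_us=2_000):
    return [(i * gap_us, 8) for i in range(n)]


if __name__ == "__main__":
    for name, flow in [("shell", shell_like_flow()), ("bulk", bulk_transfer_flow()),
                       ("scripted", scripted_small_flow())]:
        print(name, backdoor_event(flow))
```

Raising the byte threshold or lowering the percentages makes the scripted flow report as well, which is the kind of false-positive trade-off these settings tune.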

Flow Management

Timeout for non-UDP/TCP/ICMP flows / Timeout for UDP flows / Timeout for TCP flows / Timeout for ICMP flows–Control the idle flow timeout for each class of traffic. Each connection through the security module typically has two flows, one in each direction. If the IDP engine does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default for each timeout is 30 seconds.

Maximum UDP Sessions / Maximum TCP Sessions / Maximum ICMP Sessions / Maximum IP Sessions (non-UDP/TCP/ICMP)–Control the maximum number of sessions of each type that the IDP device maintains. If the IDP engine reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log.

Defaults vary according to model. For example:

  • IDP75 - 100,000
  • IDP250 - 300,000
  • IDP800 - 1,000,000
  • IDP8200 - 5,000,000

Reset flow table with policy load/unload–Resets the flow table each time you load or unload a security policy. If you do not enable this option, the IDP engine maintains the flow table until all flows referencing that security policy have completed. This setting is enabled by default. We recommend that you keep this setting enabled to preserve memory.

With this setting enabled, IDP resets the flow table when you install a new policy. When the flow table is reset, existing sessions are passed through uninspected. For IDP75 and IDP200, you cannot override the default.

For high-end appliances, you can unset this default to avoid passing sessions through uninspected. If you unset this default, when you load a new policy, the IDP flow table maintains sessions belonging to the previously installed policy as well as the newly installed policy. The IDP process engine continues to use the previously installed security policy to inspect existing sessions, and uses the newly installed security policy to inspect new sessions. When the previously installed policy is no longer in use, it is unloaded and all traffic is inspected using the newly installed policy. For IDP8200 and IDP250, the IDP engine can maintain flows for as many as two security policies. For IDP1100, IDP800, and IDP600, the IDP engine can maintain flows for as many as four security policies.

Log flow related errors–Enables logging for flow-related errors. This setting is not enabled by default.

IP Actions

Reset block table with policy load/unload–Resets the IP action block table each time a security policy is loaded or unloaded. This table maintains IP addresses for connections to which the IP action block has been applied. This setting is enabled by default.

Intrusion Detection

Buffer flow emulator–Turns on buffer overflow emulation.

Attack matches per packet when Signature Hierarchy take effect–Sets the threshold for activating signature hierarchy calculations.

A common attack can be composed of several known vulnerabilities. Each vulnerability has an attack object, and each would generate a separate log entry if the signature hierarchy feature were disabled.

For example, for a policy with critical, high, medium, low, and info attacks and logging enabled, a single detection of the HTTP:IIS:COMMAND-EXEC attack generates the following logs:

  • HTTP:IIS:COMMAND-EXEC [wininnt/system32/cmd.exe] (medium)
  • HTTP:WIN-CMD:WIN-CMD-EXE [cmd.exe] (medium)
  • HTTP:REQERR:REQ-MALFORMED-URL [anomaly for %xx] (medium)
  • HTTP:DIR:TRAVERSE-DIRECTORY (anomaly for ../) (medium)
  • HTTP:REQERR:REQ-LONG-UTF8CODE (anomaly for oe) (medium)
  • TCP:AUDIT:BAD-SYN-NONSYN (info)
  • HTTP:AUDIT:URL (info)
  • TCP:AUDIT:BAD-SYN-NONSYN (info)

If the number of attacks in a packet exceeds the set value, the IDP engine examines its signature hierarchy to see if some attacks are actually part of a larger attack. If so, only the parent attack is displayed in the logs. In this example, if the value was set to 9 or lower, only a log for HTTP:IIS:COMMAND-EXEC would be generated.

An attack in the signature hierarchy may have multiple parents or multiple children. If a child attack is part of two discovered parents, the IDP engine takes action based on the parent with the highest severity.

Specify 0 to disable.
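As an added example (not Juniper's code; the parent/child relations below are a constructed hierarchy built from the page's log list, not the real attack-object database), this Python applies the per-packet threshold to the eight matches above and shows how a child with two matched parents is attributed to the more severe one:

```python
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed hierarchy for the page's example: parent attack -> child attacks.
# Illustrative only; the real relations live in the attack-object database.
HIERARCHY = {
    "HTTP:IIS:COMMAND-EXEC": {
        "HTTP:WIN-CMD:WIN-CMD-EXE",
        "HTTP:REQERR:REQ-MALFORMED-URL",
        "HTTP:DIR:TRAVERSE-DIRECTORY",
        "HTTP:REQERR:REQ-LONG-UTF8CODE",
        "TCP:AUDIT:BAD-SYN-NONSYN",
        "HTTP:AUDIT:URL",
    },
}

# The eight log entries from the page's example as (attack, severity), in detection order.
PAGE_EXAMPLE = [
    ("HTTP:IIS:COMMAND-EXEC", "medium"),
    ("HTTP:WIN-CMD:WIN-CMD-EXE", "medium"),
    ("HTTP:REQERR:REQ-MALFORMED-URL", "medium"),
    ("HTTP:DIR:TRAVERSE-DIRECTORY", "medium"),
    ("HTTP:REQERR:REQ-LONG-UTF8CODE", "medium"),
    ("TCP:AUDIT:BAD-SYN-NONSYN", "info"),
    ("HTTP:AUDIT:URL", "info"),
    ("TCP:AUDIT:BAD-SYN-NONSYN", "info"),
]


def collapse_matches(matches, threshold, hierarchy=HIERARCHY):
    """Apply the 'Attack matches per packet' threshold to the matches from one packet.

    matches:   list of (attack, severity) found in the packet, in detection order
    threshold: the configured value; 0 disables hierarchy processing
    Returns (logged, absorbed): the entries still written to the log, and a map
    from each suppressed child to the matched parent it was attributed to (the
    parent with the highest severity when a child has several matched parents).
    """
    if threshold == 0 or len(matches) <= threshold:
        return list(matches), {}
    severity_of = dict(matches)
    matched_parents = [a for a in severity_of if a in hierarchy]
    logged, absorbed = [], {}
    for attack, severity in matches:
        parents = [p for p in matched_parents if attack in hierarchy[p]]
        if not parents:
            logged.append((attack, severity))      # no matched parent: logged as-is
        else:
            absorbed[attack] = max(parents, key=lambda p: SEVERITY_RANK[severity_of[p]])
    return logged, absorbed


# Hypothetical second parent (placeholder name) that also claims HTTP:AUDIT:URL,
# used to show the highest-severity parent winning when a child has two matched parents.
HIERARCHY_TWO_PARENTS = {**HIERARCHY, "EXAMPLE:PARENT-B": {"HTTP:AUDIT:URL"}}

if __name__ == "__main__":
    print(collapse_matches(PAGE_EXAMPLE, 7))
    print(collapse_matches(PAGE_EXAMPLE + [("EXAMPLE:PARENT-B", "high")], 7, HIERARCHY_TWO_PARENTS))
```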

Run-Time Parameters

RPC program timeout–Controls how long the IDP engine maintains information about an RPC server. The IDP engine performs a stateful inspection of all RPC messages on port 111, then builds a table of program-to-port mapping for each RPC server that it finds on the network. The default is 300 seconds.

RPC transaction timeout–Controls RPC timeout. All RPC messages (port 111) are based on a request/response protocol. When the IDP engine receives a request, it adds the request to a request table. If the IDP engine does not receive an RPC reply in the specified timeout, the RPC entry times out. The default is 5 seconds.

Exempt management server flows–Exempts NSM connections from processing. This setting is enabled by default.

Fragment timeout–Controls when the IDP appliance drops an incomplete fragment chain because one or more fragments did not arrive. If the IDP engine does not receive the missing fragments within the specified timeout, it generates a log (FRAGMENT_TIME_EXCEEDED). The default is 5 seconds.

Minimum fragment size–Drops all IP fragments smaller than the specified size (bytes). The default is 0 bytes (no fragments are dropped).

Maximum fragments per IP datagram–Controls the size of the IP fragment chain. An IP datagram can be broken into many fragments that, when reassembled, should not exceed 64 K. IP fragment processing is CPU and memory intensive. If the number of fragments in a chain exceeds this number, the IDP appliance drops the entire fragment chain. The default is 65,535 bytes.

Maximum concurrent fragments in queue–Controls the maximum number of reassembled fragment chains. The IDP engine can perform pseudo reassembly of IP fragment chains. Once this limit is reached, the IDP appliance drops all new IP fragment chains and generates a log (TOO_MANY_FRAGMENTS). If your network produces a large number of IP fragments, such as those produced by Network File System (NFS), increase the number of fragments per chain to eliminate unnecessary logs. The default is 16 fragments.

Log fragment related errors–Logs fragment related errors. This setting is not enabled by default.

Enable GRE decapsulation support–Enables decapsulation and inspection of generic routing encapsulation (GRE) traffic. IDP Series supports inspection of IP-in-GRE or PPP-in-GRE encapsulated traffic. GRE decapsulation is not enabled by default.

Enable GTP decapsulation support–Enables decapsulation and inspection of GPRS Tunneling Protocol (GTP) traffic. IDP Series supports decapsulation of UDP GTPv0 and GTPv1 only. GTP decapsulation is not enabled by default.

Enable SSL decryption support–Enables SSL decryption and inspection. SSL decryption is not enabled by default.

SYN-Protector

Timeout for half-open SYN protected flows–Determines the number of seconds before the IDP engine closes a half-open SYN protected flow when the SYN Protector rulebase is in passive mode. The default is 5 seconds.

A half-open SYN flow occurs during the TCP three-way handshake, after the client has sent a SYN/ACK packet to the server. The half-open connection is now in the SYN_RECV state, and is placed into a connection queue while it waits for an ACK or RST packet. The connection remains in the queue until the connection-establishment timeout expires and the half-open connection is deleted.

Lower SYNs-per-second threshold below which SYN Protector will be deactivated / Upper SYNs-per-second threshold above which SYN Protector will be activated–Determines when the SYN Protector rulebase is activated and deactivated.

In relay mode, the SYN Protector rulebase is activated when the number of SYN packets per second is greater than the lower threshold. Relay mode does not use the upper threshold.

In passive mode, the SYN Protector rulebase is activated when the number of SYN packets per second is greater than the sum of the lower and upper thresholds and deactivated when the number of SYNs-per-second falls below the lower threshold. The defaults are 1000 and 20. Using the defaults, the SYN Protector is activated when SYNs-per-second reach 1020 and deactivated when SYNs-per-second fall below 1000.
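The activation band described above, replayed as an added example (not Juniper's code) over constructed per-second SYN counts; whether relay mode deactivates below the lower threshold is not stated on the page, so that part is an assumption:

```python
DEFAULT_LOWER = 1000   # SYNs per second below which SYN Protector is deactivated
DEFAULT_UPPER = 20     # added to the lower threshold to form the activation point


def syn_protector_trace(syn_rates, mode="passive", lower=DEFAULT_LOWER, upper=DEFAULT_UPPER):
    """Replay per-second SYN counts and return [(rate, active_after_sample), ...].

    passive mode: activate when rate > lower + upper, deactivate when rate < lower.
    relay mode:   activate when rate > lower; the upper threshold is not used.
                  Deactivating relay mode below 'lower' is this example's assumption.
    """
    if mode not in ("passive", "relay"):
        raise ValueError("mode must be 'passive' or 'relay'")
    activate_above = lower + upper if mode == "passive" else lower
    active, trace = False, []
    for rate in syn_rates:
        if not active and rate > activate_above:
            active = True
        elif active and rate < lower:
            active = False          # rates inside the band keep the current state
        trace.append((rate, active))
    return trace


# Constructed one-second samples (not a capture): a ramp into a SYN flood and back down.
SAMPLE_RATES = [900, 1010, 1025, 1010, 999, 1015]

if __name__ == "__main__":
    print("passive:", syn_protector_trace(SAMPLE_RATES))
    print("relay:  ", syn_protector_trace(SAMPLE_RATES, mode="relay"))
```

With the defaults, the 1010 and 1015 samples sit between 1000 and 1020 and change nothing in passive mode, which is what keeps the rulebase from flapping around the threshold.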

TCP Reassembler

Ignore packets in TCP flows where a SYN hasn't been seen–Ignores the absence of SYN flags in TCP flows. This is enabled by default.

Timeout for connected, idle TCP flows–Controls the number of seconds that the IDP engine maintains connected (but idle) TCP flows. The default is 3600 seconds.

Timeout for closed TCP flows–Controls the number of seconds that closed TCP flows are maintained in the flow table.

When the IDP engine sees a RST packet or FIN/FIN+ACK packets on a TCP connection, it closes the connection flows. It drops any further packets for the closed flow, but does not delete existing, closed flows from the flow table.

The default is 5 seconds.

Timeout for CLOSE-WAIT/LAST-ACK TCP flows–Controls the number of seconds a connection is maintained while waiting for the final ACK.

When a TCP connection closes, the IDP engine sees a FIN packet from each side of the connection followed by an ACK packet from each side of the connection. However, TCP does not guarantee delivery of the final ACK.

To improve IDP performance during heavy loads, decrease the timeout. Decreasing the timeout reduces the size of the flow table by closing connections sooner. The default is 120 seconds.

Close flows as soon as a FIN is seen–Enables the IDP engine to quickly close a TCP connection after receiving a FIN packet.

When a TCP connection closes, the IDP engine sees a FIN packet from each side of the connection followed by an ACK packet from each side of the connection. However, TCP does not guarantee delivery of the final ACK.

When enabled, the IDP engine maintains a connection waiting for a final ACK for 5 seconds, then closes the connection. This is enabled by default and recommended.

Traffic Signatures

Byte threshold for suspicious flows–Specifies a threshold for what the IDP engine considers a small packet.

A scan typically uses small packets to access its targets. You can exclude suspicious flows that contain large packets to prevent false positives when detecting scans.

If the IDP engine sees more than this maximum, it does not consider the connection to be a scan. The default is 20 bytes.

Reporting frequency when scan is in progress–Controls how often the IDP engine generates "in progress" logs for a stealthy scan.

Attackers can perform blatant scans very quickly, mapping your network in just a few seconds, but these scans typically trigger intrusion detection systems and leave evidence behind. Stealthy scans are performed over much longer time periods, lasting hours, days, or even weeks, making them more difficult to detect. The default is 30 seconds.

The number of IP tracked for session rate–Controls the number of IP addresses tracked by the session rate counter. If the IDP engine sees more addresses than the maximum, it does not track the additional IP addresses. The default is 32,767 IP addresses.

Modifying Load-Time Parameters

Load-time parameters include options for tuning IDP performance. In general, you modify these settings only if you encounter performance issues.

Figure 4 shows the Load Time Parameters tab, where you can configure these settings.

Figure 4: NSM Device Configuration Editor: Load Time Parameters Tab

To modify parameters:

  1. In NSM Device Manager, double-click the IDP device you want to modify to display the device configuration editor.
  2. Click Sensor Settings.
  3. Click the Load Time Parameters tab.
  4. Configure parameters as described in Table 4.
  5. Click Apply.
  6. Click OK.

Table 4: IDP Device Configuration: Load Time Parameters

Flow table size–For improved IDP performance, modify the flow table size to limit the size of the connection table. This setting should reflect the maximum number of concurrent flows you expect at any one time. A TCP connection has about two flows per session, and a UDP connection has about three flows per session. The default setting is 100,000 concurrent flows. If you change this value, you must restart the IDP device.

Enable application identification–The application identification feature detects the session application regardless of port. We recommend that you disable this feature only when troubleshooting.

Maximum number of Application Identification sessions–Specifies the maximum number of sessions in which application identification is in use. The default is 50,000. Valid values are 0 - 200,000. We recommend that you tune this setting only if you encounter issues.

Enable log suppression–Log suppression reduces the number of logs displayed in the Log Viewer by displaying a single record for multiple occurrences of the same event.

Include destination IPs while performing log suppression–When log suppression is enabled, multiple occurrences of events with the same source IP, service, and matching attack object generate a single log record with a count of occurrences. If you enable this option, log suppression combines log records only for events that also share the same destination IP.

Number of log occurrences after which log suppression begins–The number of identical log records received before suppression starts. The default is 1 (meaning log suppression begins with the first redundancy).

Maximum number of logs that log suppression can operate on–When log suppression is enabled, the IDP device must cache log records so that it can identify multiple occurrences of the same event. This number is the number of log records cached for this purpose. The default is 16,384 log records.

Time (seconds) after which suppressed logs will be reported–When log suppression is enabled, the IDP device maintains a count of multiple occurrences of the same event. This number is the number of seconds that pass before the IDP appliance reports a single log entry containing the count of occurrences. The default is 10 seconds.

Note: If the reporting interval is set too high, log suppression can negatively impact IDP performance.
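To see how the four log suppression settings interact, here is an added Python model (not Juniper's code) run over constructed events; the record key is (source IP, service, attack object), optionally extended with the destination IP, and the behaviour once a key is already being suppressed and when the cache is full is an assumption:

```python
from collections import OrderedDict

# Constructed sample events (not real logs): (time_s, src_ip, dst_ip, service, attack_object)
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", "10.0.0.5", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    (0.4, "198.51.100.7", "10.0.0.5", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    (1.1, "198.51.100.7", "10.0.0.9", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    (2.0, "203.0.113.4", "10.0.0.5", "HTTP", "HTTP:OVERFLOW:AUTH-OVFLW"),
    (9.5, "198.51.100.7", "10.0.0.5", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    (12.0, "198.51.100.7", "10.0.0.5", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
]


def suppress_logs(events, include_dst=False, begin_after=1, cache_size=16384, interval_s=10.0):
    """Return the records that reach the Log Viewer as ("log"|"summary", time, key, count).

    include_dst: 'Include destination IPs while performing log suppression'
    begin_after: 'Number of log occurrences after which log suppression begins'
    cache_size:  'Maximum number of logs that log suppression can operate on'
    interval_s:  'Time (seconds) after which suppressed logs will be reported'
    Assumptions: a key stays suppressed once begin_after copies have been logged,
    and a record that cannot be cached (cache full) is logged unchanged.
    """
    cache = OrderedDict()   # key -> [window_start, individual_logged, suppressed_count]
    out = []

    def report(key, now):
        window_start, logged, suppressed = cache[key]
        if suppressed:
            out.append(("summary", now, key, suppressed))
        cache[key] = [now, logged, 0]

    for ts, src, dst, service, attack in events:
        key = (src, service, attack) + ((dst,) if include_dst else ())
        if key not in cache:
            if len(cache) >= cache_size:
                out.append(("log", ts, key, 1))
                continue
            cache[key] = [ts, 0, 0]
        if ts - cache[key][0] >= interval_s:
            report(key, ts)                  # reporting interval elapsed: emit the count
        if cache[key][1] < begin_after:
            cache[key][1] += 1
            out.append(("log", ts, key, 1))  # still below the threshold: log individually
        else:
            cache[key][2] += 1               # suppressed; counted for the next summary
    end = events[-1][0] if events else 0.0
    for key in list(cache):                  # flush counts still pending at end of input
        report(key, end)
    return out


if __name__ == "__main__":
    for record in suppress_logs(SAMPLE_EVENTS):
        print(record)
```

Every suppressed occurrence still shows up in some summary count, so the sum of the counts always equals the number of input events; that conservation check is a quick way to validate any suppression pipeline.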

Modifying Protocol Handling

The protocol anomaly detection methods identify traffic that deviates from RFC specifications. In general, you modify protocol thresholds and configuration settings only if you encounter false positives or performance issues.

Figure 5 shows the Protocol Thresholds and Configuration tab, where you can configure these settings.

Figure 5: NSM Device Configuration Editor: Protocol Thresholds and Configuration Tab

To tune protocol anomaly detection thresholds:

  1. In NSM Device Manager, double-click the IDP device you want to modify to display the device configuration editor.
  2. Click Sensor Settings.
  3. Click the Protocol Thresholds and Configuration tab.
  4. Complete the configuration for protocol thresholds as described in Table 5.
  5. Click Apply.
  6. Click OK.

Table 5: IDP Device Configuration: Protocol Thresholds and Configuration Settings

Setting

Description

AIM

Maximum header length–Detects a header containing more bytes than the specified maximum. The default is 10,000 bytes.

Maximum type-length-value length–Detects an AIM/ICQ type-length-value (TLV) containing more bytes than the specified maximum. A TLV is a tuple used for passing typed information to the protocol. The default is 8000 bytes.

Maximum inter-client-message-block length–Detects an AIM/ICQ inter-client-message-block (ICMB) containing more bytes than the specified maximum. The default is 2000 bytes.

Maximum filename length–Detects an AIM/ICQ filename containing more bytes than the specified maximum. The default is 10,000 bytes.

DHCP

Check to see if the source port of client's packets is 68–Detects DHCP traffic that originates from a port other than 68. This setting is not enabled by default.

DNS

Report unknown DNS parameters (high noise)–Detects and reports unknown DNS parameters.

You must also configure an IDP rulebase rule to detect DNS anomalies. This setting is not enabled by default.

Report unexpected DNS parameters (high noise)–Detects and reports unexpected DNS parameters. This setting is not enabled by default.

You must also configure an IDP rulebase rule to detect DNS anomalies.

Maximum length of a DNS UDP packet–Detects a DNS UDP packet containing more bytes than the specified maximum. The default is 512 bytes.

Maximum size of an NXT resource record–Detects an NXT resource record in a DNS request or response message that is larger than the specified maximum size. The default is 4096 bytes.

This setting tunes the following protocol anomaly attack object: DNS_BIND_NXT_OVERFLOW (key is DNS:OVERFLOW:NXT-OVERFLOW).

Maximum time of a DNS cache–Controls the maximum amount of time for a DNS query and reply. The default is 60 seconds.

Maximum size of a DNS cache–Controls the maximum number of DNS queries kept to match a reply. The default is 100 queries.

FTP

Maximum Line length–Detects an FTP line containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum Username length–Detects an FTP username containing more bytes than the specified maximum. The default is 32 bytes.

Maximum Password length–Detects an FTP password containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Pathname length–Detects an FTP pathname containing more bytes than the specified maximum. The default is 512 bytes.

Maximum Sitestring length–Detects an FTP sitestring containing more bytes than the specified maximum. The default is 512 bytes.

Maximum number of login failures per minute–Detects more FTP login failures in one minute than the specified maximum. The default is 4 FTP login failures per minute.

GNUTELLA

Maximum TTL hops–Detects a number of TTL hops that is higher than the specified maximum. The default is 8 TTL hops.

Maximum line length–Detects, in a Gnutella connection, a line that contains more bytes than the specified maximum. The default is 2048 bytes.

Maximum query size–Detects a Gnutella client query that contains more bytes than the specified maximum. The default is 256 bytes.

GOPHER

Maximum line length–Detects, in a Gopher server-to-client connection, a line sent by a Gopher server to a client that contains more bytes than the specified maximum. The default is 512 bytes.

Maximum hostname length–Detects, in a Gopher server-to-client connection, a hostname that contains more bytes than the specified maximum. The default is 64 bytes.

HTTP

Maximum Request length–Detects an HTTP request that contains more bytes than the specified maximum. The default is 8192 bytes.

Maximum Header length–Detects an HTTP header that contains more bytes than the specified maximum. The default is 8192 bytes.

Maximum Cookie length–Detects a cookie that contains more bytes than the specified maximum. The default is 8192 bytes.

Cookies that exceed the cookie length setting can match the HTTP-HEADER-OVERFLOW protocol anomaly and produce unnecessary log records. If you are getting too many log records for the HTTP-HEADER-OVERFLOW protocol anomaly, increase the maximum cookie length.

Maximum Authorization length–Detects an HTTP header authorization line that contains more bytes than the specified maximum. The default is 512 bytes.

Use this setting to tune results from the Auth Overflow attack object (key is HTTP:OVERFLOW:AUTH-OVFLW).

Maximum Content-type length–Detects an HTTP header content-type that contains more bytes than the specified maximum. The default is 512 bytes.

Maximum User-agent length–Detects an HTTP header user-agent that contains more bytes than the specified maximum. The default is 256 bytes.

Maximum Host length–Detects an HTTP header host that contains more bytes than the specified maximum. The default is 64 bytes.

Maximum Referrer length–Detects an HTTP header referrer that contains more bytes than the specified maximum. The default is 8192 bytes.

Use alternate ports as http service–Detects HTTP traffic on the following ports in addition to tcp/80: 7001; 8000; 8001; 8100; 8200; 8080; 8888; 9080. This setting is enabled by default.

Note: In IDP 5.0 and later, this setting is no longer functional. The IDP engine now automatically detects HTTP traffic over any port.

Maximum number of login failures per-minute–Detects login failures more frequent than the specified maximum. The default is 4 HTTP authentication failures per minute.

This setting tunes the BRUTE_FORCE attack object.

Maximum number of 301/403/404 or 405 errors per-minute–Detects 301/403/404/405 errors more frequent than the specified maximum. The default is 16 HTTP errors per minute.

ICMP

Maximum Packets per second to trigger a flood–Raises a protocol anomaly if IDP detects more ICMP packets than the specified maximum. The default is 250 packets per second.

Minimum time interval (in seconds) between packets–Detects ICMP packets that have less than the specified minimum time interval between them. The default is 1 second.

Use this setting to tune the Flood attack object (ICMP:EXPLOIT:FLOOD).

IDENT

Maximum requests per session–Detects more IDENT (identification protocol) requests than the specified maximum. The default is 1 request per session.

This setting tunes the Too Many Requests attack object (key is IDENT:OVERFLOW:REQUEST-NUM).

Maximum Request length–Detects an IDENT request containing more bytes than the specified maximum. The default is 15 bytes.

This setting tunes the Request Too Long attack object (key is IDENT:OVERFLOW:REQUEST).

Maximum Reply length–Detects an IDENT reply containing more bytes than the specified maximum. The default is 128 bytes.

This setting tunes the Reply Too Long attack object (key is IDENT:OVERFLOW:REPLY).

IKE

Maximum number of payloads in an IKE message–Detects an IKE message with a number of payloads larger than the specified maximum. The default is 57 payloads.

This setting tunes detection with the TOO-MANY-PAYLOADS attack object (key is IKE:MALFORMED:2MANY-PAYLOAD).

IMAP

Maximum line length–Detects an IMAP line containing more bytes than the maximum. The default is 2048 bytes.

Maximum Username length–Detects an IMAP username containing more bytes than the maximum. The default is 64 bytes.

Maximum Password length–Detects an IMAP password containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Mailbox length–Detects an IMAP mailbox containing more than the maximum. The default is 64 bytes.

Maximum Reference length–Detects an IMAP reference containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Flag length–Detects an IMAP flag containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Literal length–Detects a literal with more octets than the specified maximum. In IMAP4 protocol, a string can be in one of two forms: literal and quoted. As defined in RFC 2060 4.3, a literal is a sequence of zero or more octets (including CR and LF), prefix-quoted with an octet count in the form of an open brace ("{"), the number of octets, close brace ("}"), and CRLF. Valid range is 1 to 16,777,215. The default is 65,535 bytes.

This setting tunes detection with the imap_literal_length_overflow attack object (key is IMAP:OVERFLOW:LIT_LENGTH_OFLOW).

Maximum number of login failures per minute–Detects a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the maximum. The default is 4 IMAP login failures per minute.

IRC

Maximum Password length–Detects an Internet Relay Chat (IRC) password containing more bytes than the specified maximum. The default is 16 bytes.

Maximum Username length–Detects an IRC username containing more bytes than the specified maximum. The default is 16 bytes.

Maximum Channel length–Detects an IRC channel name containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Nickname length–Detects an IRC nickname containing more bytes than the specified maximum. The default is 16 bytes.

LDAP

Maximum length of integer representation in BER encoding–Detects an integer field of the LDAP BER containing more bytes than the specified maximum. The default is 4 bytes.

Maximum number of left zeros for tag in BER encoding–Detects more left zeros in any tag in LDAP BER encoding than the specified maximum. The default is 4 left zeros.

Maximum value of any LDAP tag in BER encoding–Detects a tag number in the LDAP BER encoding greater than the specified maximum. In the identifier octet the top 3 bits carry the class and the primitive/constructed flag, leaving the low 5 bits for the tag number; a single octet can therefore express tag numbers 0 through 30, and the value 31 signals that a multi-octet (high-tag-number) form follows. The default is 31.

Maximum number of left zeros for length in BER encoding–Detects more left zeros in any length field in LDAP BER encoding than the specified maximum. The default is 64 left zeros.

Maximum number of search results requested by LDAP client–Detects an LDAP client request for more matching entries than the specified maximum. The default is 0 (indicating no limit).

Maximum timelimit for search result requested by LDAP client–Detects a search request whose time limit is greater than the specified maximum. The time limit is the maximum number of seconds the client allows the server to spend on the search before the server stops and returns a timeLimitExceeded result; a value of 0 in the request means the client imposes no limit. The default is 0 (indicating no limit).

Maximum length of an LDAP Attribute Descriptor–Detects a length of an attribute descriptor field in an LDAP message containing more bytes than the specified maximum. The default is 512 bytes.

Maximum length of an LDAP Distinguished Name–Detects a length of a distinguished name field in the LDAP message containing more bytes than the specified maximum. The default is 512 bytes.

Maximum value of Message id in any LDAP Message –Detects a message ID greater than the specified maximum. The default is 2,147,483,647.

Maximum length of an LDAP message–Detects an LDAP message that will be processed by the LDAP subsystem larger than the specified maximum. The default is 8100 bytes.

This setting tunes the MESSAGE_TOO_LONG attack object. If IDP raises this anomaly, it logs the event and skips the message.

Maximum number of nested operators in an LDAP search request–Detects a number of nested levels allowed in an LDAP search request filter argument greater than the specified maximum. The default is 8 nested operators.

Maximum Number of Login Failures Per Minute–Detects a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the maximum. The default is 4 LDAP login failures per minute.
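The LDAP settings above are thresholds on the BER framing of each LDAPMessage. The following Python is an added example, not IDP code: it decodes BER identifier and length octets the way the settings describe (tag number in the low 5 bits, left zeros in high-tag-number and long-form lengths, INTEGER size, message ID, total message length) and walks a message reporting which thresholds it trips. The anomaly names other than the page's MESSAGE_TOO_LONG are hypothetical labels, "left zeros" are counted as zero octets (an assumption; the page does not say whether it counts bits or bytes), and the sample messages are constructed bind requests.

```python
from dataclasses import dataclass


@dataclass
class LdapLimits:                        # defaults are the ones this page lists
    max_integer_len: int = 4             # Maximum length of integer representation in BER encoding
    max_tag_leading_zeros: int = 4       # Maximum number of left zeros for tag in BER encoding
    max_tag_value: int = 31              # Maximum value of any LDAP tag in BER encoding
    max_len_leading_zeros: int = 64      # Maximum number of left zeros for length in BER encoding
    max_message_id: int = 2_147_483_647  # Maximum value of Message id in any LDAP Message
    max_message_len: int = 8100          # Maximum length of an LDAP message


class BerError(ValueError):
    """BER so malformed that the message cannot even be framed."""


def read_tag(buf, off):
    """Decode identifier octets at buf[off] -> (cls, constructed, number, leading_zeros, next_off).
    Top 3 bits: class (2) and primitive/constructed (1). Low 5 bits: tag number, where 0x1f means
    the number continues in base-128 octets with 0x80 as the continuation bit."""
    if off >= len(buf):
        raise BerError("truncated tag")
    first = buf[off]
    off += 1
    cls, constructed, number, zeros = first >> 6, bool(first & 0x20), first & 0x1f, 0
    if number == 0x1f:
        number, payload_seen = 0, False
        while True:
            if off >= len(buf):
                raise BerError("truncated high-tag-number form")
            b = buf[off]
            off += 1
            if not payload_seen and (b & 0x7f) == 0:
                zeros += 1                       # 0x80: a continuation octet carrying no value bits
            else:
                payload_seen = True
            number = (number << 7) | (b & 0x7f)
            if not b & 0x80:
                break
    return cls, constructed, number, zeros, off


def read_length(buf, off):
    """Decode length octets -> (length, leading_zero_bytes, next_off). The indefinite form is
    rejected because LDAP (RFC 4511) requires definite lengths."""
    if off >= len(buf):
        raise BerError("truncated length")
    first = buf[off]
    off += 1
    if first < 0x80:
        return first, 0, off
    n = first & 0x7f
    if n == 0:
        raise BerError("indefinite length is not valid in LDAP")
    octets = buf[off:off + n]
    if len(octets) != n:
        raise BerError("truncated long-form length")
    return int.from_bytes(octets, "big"), n - len(octets.lstrip(b"\x00")), off + n


def check_ldap_message(buf, limits=LdapLimits()):
    """Walk one LDAPMessage and return the (hypothetically named) threshold anomalies it trips."""
    anomalies = []
    cls, constructed, number, _, off = read_tag(buf, 0)
    length, _, off = read_length(buf, off)
    if off + length > limits.max_message_len:
        anomalies.append("MESSAGE_TOO_LONG")      # the page's name: IDP logs this and skips the message
    if (cls, constructed, number) != (0, True, 16):
        raise BerError("LDAPMessage must be a universal SEQUENCE")

    def walk(pos, end, expect_message_id):
        while pos < end:
            cls, constructed, number, tzeros, pos = read_tag(buf, pos)
            length, lzeros, pos = read_length(buf, pos)
            if tzeros > limits.max_tag_leading_zeros:
                anomalies.append("TAG_LEADING_ZEROS")
            if number > limits.max_tag_value:
                anomalies.append("TAG_VALUE_TOO_LARGE")
            if lzeros > limits.max_len_leading_zeros:
                anomalies.append("LENGTH_LEADING_ZEROS")
            if pos + length > end:
                raise BerError("element runs past its container")
            if (cls, constructed, number) == (0, False, 2):            # universal INTEGER
                if length > limits.max_integer_len:
                    anomalies.append("INTEGER_TOO_LONG")
                if expect_message_id:                                   # first element of LDAPMessage
                    if int.from_bytes(buf[pos:pos + length], "big", signed=True) > limits.max_message_id:
                        anomalies.append("MESSAGE_ID_TOO_LARGE")
            expect_message_id = False
            if constructed:
                walk(pos, pos + length, False)
            pos += length

    walk(off, off + length, True)
    return anomalies


# Constructed samples: an anonymous simple BindRequest (messageID 1, version 3) and two mutations.
BIND_OK = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")
BIND_BIG_ID = bytes.fromhex("30 10 02 05 00 ff ff ff ff 60 07 02 01 03 04 00 80 00")   # 5-byte messageID
BIND_HIGH_TAG = bytes.fromhex("30 0e 02 01 01 60 09 02 01 03 04 00 9f 81 00 00")      # context tag 128
```

Two practical notes on the defaults: a tag maximum of 31 means every high-tag-number form is reported, since single-octet tags top out at 30; and the generous allowance of 64 left zeros for lengths exists because some implementations (Active Directory is the usual example) always emit lengths in the four-octet long form, such as 84 00 00 00 0c, which a stricter setting would flag on every message.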

LPR

Maximum Sub-command length in RECEIVE-JOB Command–Detects a subcommand line sent after a Line Printer Protocol (LPR) receive-job command that contains more bytes than the specified maximum. LPR is a TCP-based print spooling protocol used between line printer daemons (client and server). An LPR client sends a print command to an LPR server (a line printer daemon) on TCP port 515. Once the server accepts a receive-job command, the client issues subcommands that transfer the control file and the data files for the job. Control files tell the line printer which functions to perform when printing the job; data files carry the payload. The default is 256 bytes.

Maximum Reply length from server–Detects an LPR server reply containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Control filename length–Detects an LPR control filename containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Data filename length–Detects a data filename containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Control file size–Detects an LPR control file size greater than the specified maximum. The default is 1024 bytes.

Maximum Data file size–Detects an LPR data file size greater than the specified maximum. The default is 64 bytes.

Maximum Banner string length–Detects an LPR banner string containing more bytes than the specified maximum. A banner string is typically the filename of the print job. The default is 32 bytes.

Maximum E-mail length–Detects an LPR control file e-mail address containing more bytes than the specified maximum. The control file's mail-when-printed command names the user the server notifies by e-mail once the job has finished printing. The default is 32 bytes.

Maximum Symbolic link length–Detects in an LPR control file a symbolic link containing more bytes than the specified maximum. A symbolic link is a file that points to another file (entry) in a UNIX file system, but does not contain the data in the target file. When the LPR protocol receives a symbolic link command in a control file, it records the symbolic link data for the print job filename to prevent directory entry changes from reprinting the file. The default maximum is 128 bytes.

Maximum font length–Detects in an LPR control file a font name containing more bytes than the specified maximum. The default is 64 bytes.

Maximum filename length for format related sub commands–Detects in an LPR control file a format-related filename containing more bytes than the specified maximum. The default is 32 bytes.

MSN

Maximum Username length–Detects an MSN (Microsoft Instant Messaging) username containing more bytes than the specified maximum. The default is 84 bytes.

Maximum Display name length–Detects an MSN display name containing more bytes than the specified maximum. The default is 128 bytes.

Maximum Group name length–Detects an MSN group name containing more bytes than the specified maximum. The default is 84 bytes.

Maximum User state length–Detects an MSN user state containing more bytes than the specified maximum. A user state is a three-letter code that indicates the status of the user's connection (online, offline, idle, and the like). The default is 10 bytes.

Maximum Phone number length–Detects a phone number containing more bytes than the specified maximum. The default is 20 bytes.

Maximum Length of IP:port–Detects an IP:port parameter containing more bytes than the specified maximum. An IP:port parameter indicates the IP address and port number of the MSN server for a switchboard session. The default is 30 bytes.

Maximum URL length–Detects a URL containing more bytes than the specified maximum. The default is 1024 bytes.

MSRPC

Maximum fragment length in MSRPC message–Detects an MSRPC (Microsoft Remote Procedure Call) message with a fragment length greater than the specified maximum. The default is 8192 bytes.

Maximum tower data length in endpoint mapper messages–Detects an endpoint mapper message with a tower data length greater than the specified maximum. The default is 8192 bytes.

Maximum number of entries in an insert message–Detects an MSRPC insert message with more entries than the specified maximum. The default is 100 entries.

NFS

Maximum name length–Detects an NFS packet name containing more bytes than the specified maximum. The default is 256 bytes.

Maximum path length–Detects an NFS packet pathname containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum buffer length for read/write–Detects an NFS read/write buffer larger than the specified maximum. The default is 32,768 bytes.

NTP

Minimum time (in seconds) between two requests–Detects that the time between two consecutive client-to-server NTP requests is less than the specified minimum. Valid values range from 64 to 1024 seconds. The default is 0 seconds (which turns the check off).

Maximum length for NTPv3 message–Detects an NTPv3 message containing more bytes than the specified maximum. The default is 68 bytes.

Maximum length for NTPv4 message–Detects an NTPv4 message containing more bytes than the specified maximum. The default is 68 bytes.

Maximum stratum value for any NTP peer–Detects a stratum value larger than the specified maximum. NTPv4 uses stratum 16 to mean "unsynchronized", so with the default a server that answers before it has synchronized to a reference trips this check. The default is 15.

Maximum time since last update of Reference clock–Detects that the NTP reference clock has not been updated in more time than the specified maximum. The default is 86,400 seconds.

Match timestamps on NTP request and response–Enables the IDP engine to perform timestamp matching on client requests and server responses. With this setting enabled, the IDP engine expects the server response original timestamp to match the client request transmit timestamp; otherwise it considers the packet a possible protocol anomaly. This setting is enabled by default.

Maximum Authorization field length in NTP control message–Detects that the length of the Authentication field in an NTP control message is larger than the specified maximum. The default is 20 bytes.

Maximum length of any NTP control variable–Detects that the length of the NTP control data variable name is larger than the specified maximum. The default is 128 bytes.

Maximum length of any NTP variable value–Detects that the length of any NTP control data variable value is larger than the specified maximum. The default is 255 bytes.

Maximum length of buffer to store between control packets–Detects that the buffer used to store NTP control messages is greater than the specified maximum. NTP control messages can be split across multiple UDP packets. The default is 255 bytes.

Maximum time for an NTP Symmetric passive association to dissolve–Specifies the duration in seconds after which the IDP engine considers an NTP symmetric passive association as expired. A symmetric passive association between two NTP peers must be dissolved after sending one reply. The default is 900 seconds.
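The following Python is an added example, not IDP code: it parses the 48-byte NTP header shared by v3 and v4 and applies four of the checks above to a client/server exchange (message length per version, maximum stratum, originate-timestamp matching, and age of the reference clock). The anomaly labels are hypothetical, the packets are constructed rather than captured, and the MAC trailer is assumed to be a key ID plus digest as in NTPv3/v4 symmetric-key authentication.

```python
import struct
from dataclasses import dataclass

# 48-byte NTP header shared by v3 (RFC 1305) and v4 (RFC 5905): LI/VN/mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps (seconds since 1900 in the
# high 32 bits, fraction in the low 32).
NTP_HEADER = struct.Struct("!BBbbIIIQQQQ")


@dataclass
class NtpLimits:                    # defaults from this page
    max_v3_len: int = 68            # 48-byte header + 20-byte MAC (4-byte key ID + 16-byte MD5 digest)
    max_v4_len: int = 68
    max_stratum: int = 15
    max_ref_age: int = 86_400       # seconds since the reference clock was last updated
    match_timestamps: bool = True


@dataclass
class NtpPacket:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    root_delay: int
    root_dispersion: int
    ref_id: int
    ref_ts: int
    orig_ts: int
    recv_ts: int
    xmit_ts: int
    length: int


def parse_ntp(data: bytes) -> NtpPacket:
    if len(data) < NTP_HEADER.size:
        raise ValueError("NTP packet shorter than the 48-byte header")
    lvm, stratum, poll, prec, rdelay, rdisp, refid, ref, orig, recv, xmit = NTP_HEADER.unpack_from(data)
    return NtpPacket(lvm >> 6, (lvm >> 3) & 7, lvm & 7, stratum, poll, prec,
                     rdelay, rdisp, refid, ref, orig, recv, xmit, len(data))


def build_ntp(version, mode, stratum, ref_ts, orig_ts, recv_ts, xmit_ts, mac=b"", poll=6, precision=-20):
    """Assemble a packet for the constructed samples below."""
    lvm = (version << 3) | mode
    return NTP_HEADER.pack(lvm, stratum, poll, precision, 0, 0, 0, ref_ts, orig_ts, recv_ts, xmit_ts) + mac


def check_ntp_exchange(request: bytes, response: bytes, limits: NtpLimits = NtpLimits()):
    """Return the (hypothetically named) anomalies a client request / server response pair trips."""
    anomalies = []
    req, rsp = parse_ntp(request), parse_ntp(response)
    for label, pkt in (("request", req), ("response", rsp)):
        max_len = limits.max_v3_len if pkt.version == 3 else limits.max_v4_len
        if pkt.length > max_len:
            anomalies.append(f"{label}:MESSAGE_TOO_LONG")
        if pkt.stratum > limits.max_stratum:
            anomalies.append(f"{label}:STRATUM_TOO_HIGH")
    # The server copies the client's transmit timestamp into the originate field; a mismatch means
    # the reply does not belong to this request (spoofed, replayed, or simply a different exchange).
    if limits.match_timestamps and rsp.orig_ts != req.xmit_ts:
        anomalies.append("response:ORIGINATE_MISMATCH")
    # Whole seconds between the server's last reference-clock update and the moment it replied
    # (the 2036 era rollover is ignored here).
    if (rsp.xmit_ts - rsp.ref_ts) >> 32 > limits.max_ref_age:
        anomalies.append("response:REFERENCE_CLOCK_STALE")
    return anomalies


# Constructed sample exchange. T is an arbitrary NTP timestamp with zero fraction.
T = 3_000_000_000 << 32
HALF_SECOND = 1 << 31
GOOD_REQUEST = build_ntp(4, 3, 0, 0, 0, 0, T)
GOOD_RESPONSE = build_ntp(4, 4, 2, T - (3600 << 32), T, T + HALF_SECOND, T + HALF_SECOND + 1,
                          mac=b"\x00\x00\x00\x01" + b"\xaa" * 16)        # key ID 1 + 16-byte digest: 68 bytes
BAD_RESPONSE = build_ntp(4, 4, 16, T - (2 * 86_400 << 32), T + 1, T + HALF_SECOND, T + HALF_SECOND + 1,
                         mac=b"\x00\x00\x00\x01" + b"\xaa" * 20)         # 20-byte digest: 72 bytes in total

if __name__ == "__main__":
    print(check_ntp_exchange(GOOD_REQUEST, GOOD_RESPONSE))   # []
    print(check_ntp_exchange(GOOD_REQUEST, BAD_RESPONSE))
```

The bad response shows why the defaults need review before deployment: an NTPv4 server using a 20-byte SHA-1 digest, or any Autokey extension field, legitimately exceeds 68 bytes, so raise the NTPv4 length limit where such servers are in use rather than living with the anomalies.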

POP3

Maximum Line length–Detects a POP3 line containing more bytes than the specified maximum. The default is 512 bytes.

Maximum Username length–Detects a POP3 username containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Password length–Detects a POP3 password containing more bytes than the specified maximum. The default is 64 bytes.

Maximum APOP length–Detects an APOP containing more bytes than the specified maximum. The default is 100 bytes.

Maximum message number–Detects a POP3 message number that is higher than the specified maximum. The default is 1,000,000.

Maximum Number of Login Failures Per Minute–Raises a BRUTE_FORCE protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 POP3 login failures per minute.

RADIUS

Maximum Number of Authenticated Failures Per Minute–Raises a BRUTE_FORCE protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 RADIUS login failures per minute.

SIP

Max Forwards Threshold–Detects if the value in the Max-Forwards header field is greater than the specified value. The default is 70.

SMB

Maximum registry key length–Detects an SMB registry key containing more bytes than the specified maximum. The default is 8192 bytes.

Maximum Number of Login Failures Per Minute–Raises a BRUTE_FORCE protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 SMB login failures per minute.

SMTP

Maximum Number of mail recipients–Detects an SMTP message containing more recipients than the specified maximum. The default is 100 recipients.

Maximum Username length in RCPT and MAIL–Detects an SMTP message with a username containing more bytes than the specified maximum. The default is 256 bytes.

Maximum Domain name length in RCPT and MAIL–Detects an SMTP message with a domain name containing more bytes than the specified maximum. The default is 64 bytes.

Maximum Path length in RCPT and MAIL–Detects an SMTP message with a pathname containing more bytes than the specified maximum. The default is 256 bytes.

Maximum Command line length (before DATA)–Detects an SMTP message with a command-line entry containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum Reply line length from server (default)–Detects an SMTP message with a reply line from the server containing more bytes than the specified maximum. The default is 512 bytes.

Maximum Text line length (after DATA)–Detects an SMTP text line containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum number of nested mime multi-part attachments–Detects more nested attachments than the specified maximum. The default is 4 nested mime multi-part attachments.

Maximum number of base-64 bytes to decode–Detects more bytes of encoded mime data than the specified maximum. The default is 64 bytes.

Maximum length of the value for content-type's name attribute–Detects a name attribute in the content-type header containing more bytes than the specified maximum. The default is 128 bytes.

Maximum length of the value for the content-disposition's filename attribute–Detects a filename attribute in the content-disposition header containing more bytes than the specified maximum. The default is 128 bytes.

Look for email headers in message data–Controls whether the IDP engine looks for e-mail headers in the message data, which can occur when a bounced e-mail contains an attachment. This setting is not enabled by default.
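The following Python is an added example, not IDP code: it runs a subset of the SMTP checks above over the client side of a constructed session, counting RCPT commands, measuring the local part and domain of MAIL and RCPT addresses, enforcing the command-line and text-line lengths, and tracking nested multipart levels with a stack of open MIME boundaries. Anomaly names are hypothetical, and the boundary parameter is assumed to be on the same line as its Content-Type header (folded headers are not handled).

```python
import re
from dataclasses import dataclass


@dataclass
class SmtpLimits:                  # defaults from this page
    max_recipients: int = 100
    max_user_len: int = 256        # Maximum Username length in RCPT and MAIL
    max_domain_len: int = 64       # Maximum Domain name length in RCPT and MAIL
    max_command_line: int = 1024   # Maximum Command line length (before DATA)
    max_text_line: int = 1024      # Maximum Text line length (after DATA)
    max_mime_depth: int = 4        # Maximum number of nested mime multi-part attachments


ADDR_RE = re.compile(r"<([^@>]*)@?([^>]*)>")                 # <local-part@domain> in MAIL/RCPT
BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.I)


def check_smtp_session(client_lines, limits=SmtpLimits()):
    """Scan the client side of one SMTP session (CRLF already stripped) and return the
    hypothetically named anomalies it trips."""
    anomalies, recipients, in_data = [], 0, False
    boundaries, max_depth = [], 0
    for line in client_lines:
        if in_data:
            if line == ".":                     # end of message body
                in_data = False
                continue
            if len(line) > limits.max_text_line:
                anomalies.append("TEXT_LINE_TOO_LONG")
            lower = line.lower()
            m = BOUNDARY_RE.search(line)
            if lower.startswith("content-type:") and "multipart/" in lower and m:
                boundaries.append(m.group(1))   # a new multipart level opens
                max_depth = max(max_depth, len(boundaries))
            elif boundaries and line == f"--{boundaries[-1]}--":
                boundaries.pop()                # closing delimiter of the innermost level
            continue
        if len(line) > limits.max_command_line:
            anomalies.append("COMMAND_LINE_TOO_LONG")
        verb = line[:4].upper()
        if verb in ("MAIL", "RCPT"):
            m = ADDR_RE.search(line)
            if m:
                user, domain = m.groups()
                if len(user) > limits.max_user_len:
                    anomalies.append(f"{verb}_USERNAME_TOO_LONG")
                if len(domain) > limits.max_domain_len:
                    anomalies.append(f"{verb}_DOMAIN_TOO_LONG")
            if verb == "RCPT":
                recipients += 1
                if recipients == limits.max_recipients + 1:     # report once, at the crossing
                    anomalies.append("TOO_MANY_RECIPIENTS")
        elif verb == "DATA":
            in_data = True
    if max_depth > limits.max_mime_depth:
        anomalies.append("MIME_NESTING_TOO_DEEP")
    return anomalies


# Constructed session: three recipients and a two-level multipart body.
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "RCPT TO:<carol@example.test>",
    "RCPT TO:<dave@example.test>",
    "DATA",
    "From: alice@example.test",
    'Content-Type: multipart/mixed; boundary="outer"',
    "",
    "--outer",
    'Content-Type: multipart/alternative; boundary="inner"',
    "",
    "--inner",
    "Content-Type: text/plain",
    "",
    "hello",
    "--inner--",
    "--outer--",
    ".",
    "QUIT",
]
```

With the page's defaults this session is clean; lowering the recipient and nesting limits shows both checks firing. Note that the default of 100 recipients is exactly the minimum RFC 5321 requires a server to accept, so legitimate bulk senders can exceed it.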

SYSLOG

Validate RFC-3164 compliant timestamp format–Raises a protocol anomaly if the timestamp in syslog traffic is not compliant with RFC 3164. This setting is not enabled by default.

TELNET

Maximum Number of Login Failures Per Minute–Raises a BRUTE_FORCE protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 Telnet login failures per minute.

TFTP

Maximum filename length–Detects a filename containing more bytes than the specified maximum. The default is 128 bytes.

VNC

Maximum Reason string length–Detects a VNC (Virtual Network Computing) reason string length greater than the specified maximum. A reason string contains the text that describes why a connection between a VNC server and client failed. The default is 512 bytes.

Maximum Display name length–Detects a VNC display name containing more bytes than the specified maximum. The default is 128 bytes.

Maximum cut text length–Detects a VNC cut text buffer containing more bytes than the specified maximum. The default is 4096 bytes.

Verify message after the initial handshake–Enables the IDP engine to verify VNC connections after the initial handshake. This setting is not enabled by default.

Maximum Number of Login Failures Per Minute–Raises a BRUTE_FORCE protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 VNC login failures per minute.
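The Maximum Number of Login Failures Per Minute settings listed for IMAP, LDAP, POP3, RADIUS, SMB, Telnet and VNC all describe the same BRUTE_FORCE rate check. The following Python is an added example, not IDP code, of that sliding-window counter run over constructed login-attempt records. What counts as a failure is protocol specific (a tagged NO to IMAP LOGIN, -ERR to POP3 PASS, an LDAP bindResponse with invalidCredentials, a RADIUS Access-Reject, SMB STATUS_LOGON_FAILURE, a VNC SecurityResult of failed); the example assumes that classification has already been done and keys the counter per protocol, client and server, which the page does not specify.

```python
from collections import defaultdict, deque

DEFAULT_MAX_FAILURES = 4      # this page's default for every protocol that lists the setting
WINDOW_SECONDS = 60.0


class BruteForceDetector:
    """Sliding-window counter: more than max_failures failed logins from one client to one server
    within any window raises BRUTE_FORCE once, at the attempt that crosses the threshold, and
    re-arms only after enough failures have aged out of the window."""

    def __init__(self, max_failures=DEFAULT_MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)   # (proto, client, server) -> timestamps of recent failures
        self._alerted = set()                 # keys currently above threshold and already reported

    def observe(self, ts, proto, client, server, failed):
        """Feed one login attempt (timestamps must arrive in order); returns an alert or None."""
        if not failed:
            return None                        # successes neither count nor clear the window
        key = (proto, client, server)
        q = self._failures[key]
        q.append(ts)
        while ts - q[0] >= self.window:        # drop failures older than the window
            q.popleft()
        if len(q) <= self.max_failures:
            self._alerted.discard(key)         # back under threshold: re-arm
            return None
        if key in self._alerted:
            return None
        self._alerted.add(key)
        return f"{proto}:BRUTE_FORCE {client}->{server}: {len(q)} failures within {self.window:.0f}s"


def parse_login_line(line):
    """Constructed record format: '<epoch> <proto> <client> <server> <ok|fail>'."""
    ts, proto, client, server, result = line.split()
    return float(ts), proto, client, server, result == "fail"


def scan_login_log(lines, max_failures=DEFAULT_MAX_FAILURES):
    det = BruteForceDetector(max_failures)
    alerts = []
    for line in lines:
        alert = det.observe(*parse_login_line(line))
        if alert:
            alerts.append(alert)
    return alerts


SAMPLE_LOG = [   # constructed, not captured
    "1000 imap 10.0.0.5 10.0.0.9 fail",
    "1010 imap 10.0.0.5 10.0.0.9 fail",
    "1020 imap 10.0.0.5 10.0.0.9 fail",
    "1030 imap 10.0.0.5 10.0.0.9 fail",
    "1035 pop3 10.0.0.7 10.0.0.9 fail",     # another client and protocol: separate counter
    "1040 imap 10.0.0.5 10.0.0.9 fail",     # fifth failure inside 60 s: crosses the default of 4
    "1050 imap 10.0.0.5 10.0.0.9 fail",     # still over threshold, already reported
    "1060 imap 10.0.0.5 10.0.0.9 ok",
    "1100 ldap 10.0.0.6 10.0.0.9 fail",     # five failures 25 s apart never put more than 3
    "1125 ldap 10.0.0.6 10.0.0.9 fail",     # inside one 60 s window, so the default never fires
    "1150 ldap 10.0.0.6 10.0.0.9 fail",
    "1175 ldap 10.0.0.6 10.0.0.9 fail",
    "1200 ldap 10.0.0.6 10.0.0.9 fail",
]

if __name__ == "__main__":
    for alert in scan_login_log(SAMPLE_LOG):
        print(alert)
```

The LDAP client in the sample illustrates the limit of a per-minute threshold: a patient attacker that spaces guesses 25 seconds apart stays under the default indefinitely, which is why the threshold is a tuning knob rather than a complete control.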

WHOIS

Maximum Request length–Detects a WHOIS request containing more bytes than the specified maximum. The default is 128 bytes.

YMSG

Maximum Message length–Detects a Yahoo! Messenger message with a header that indicates more bytes for the total message than the specified maximum. The default is 8192 bytes.

Maximum Username length–Detects a Yahoo! Messenger username containing more bytes than the specified maximum. The default is 84 bytes.

Maximum Groupname length–Detects a Yahoo! Messenger group name containing more bytes than the specified maximum. The default is 84 bytes.

Maximum Crypt length–Detects a Yahoo! Messenger encrypted password containing more bytes than the specified maximum. The default is 124 bytes.

Maximum Instant message length–Detects a Yahoo! Messenger message containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum Activity string length–Detects a Yahoo! Messenger activity data type containing more bytes than the specified maximum. The default is 8000 bytes.

Maximum Challenge length–Detects a Yahoo! Messenger challenge containing more bytes than the specified maximum. The default is 15 bytes.

Maximum Cookie length–Detects a Yahoo! Messenger cookie containing more bytes than the specified maximum. The default is 84 bytes.

Maximum URL length–Detects a Yahoo! Messenger Web Name containing more bytes than the specified maximum. The default is 400 bytes.

Maximum Conference message length–Detects a Yahoo! Messenger join conference message containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum Conference name length–Detects a Yahoo! Messenger conference name containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum E-mail length–Detects a Yahoo! Messenger new e-mail alert containing an e-mail that has more bytes than the specified maximum. The default is 84 bytes.

Maximum E-mail subject length–Detects a Yahoo! Messenger e-mail subject line containing more bytes than the specified maximum. The default is 128 bytes.

This setting tunes the Mail Subject Overflow attack object (key is CHAT:YIM:OVERFLOW:MAIL-SUBJECT).

Maximum Filename length–Detects a Yahoo! Messenger file transfer containing a filename that has more bytes than the specified maximum. The default is 1000 bytes.

Maximum Chatroom name length–Detects a Yahoo! Messenger chat room name containing more bytes than the specified maximum. The default is 1024 bytes.

Maximum Chatroom message length–Detects a Yahoo! Messenger chat room message containing more bytes than the specified maximum. The default is 2000 bytes.

Maximum buddy list length–Detects a Yahoo! Messenger buddy list containing more bytes than the specified maximum. The default is 8000 bytes.

Maximum webcam key length–Detects a Yahoo! Messenger Webcam key containing more bytes than the specified maximum. The default is 124 bytes.


Published: 2010-02-19