Configuring Backdoor Rulebase Rules (NSM Procedure)
The Backdoor rulebase detects the kind of interactive traffic produced during backdoor attacks.
Figure 1 shows the Backdoor rulebase in the NSM security policy editor, where you can modify Backdoor rules. Table 1 describes the rule settings you can configure.
Figure 1: NSM Security Policy Editor: Backdoor Rulebase

To create Backdoor rulebase rules:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select the security policy to which you want to add Backdoor rulebase rules.
- Add the Backdoor rulebase by clicking the + icon in the upper right region of the policy viewer and selecting Add Backdoor Rulebase.
- Add a rule by clicking the + icon within the rules viewer.
- Modify rule settings by right-clicking the table cell for the setting and making your selection.
- Click OK to save your changes.
Table 1: Backdoor Rulebase Rule Settings
| Setting | Function |
|---|---|
| No. | Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection. |
| Match | Sets source, destination, and service matches. |
| Operation | Detect–Enables detection of interactive traffic. |
| | Ignore–Disables detection of interactive traffic. |
| Action | Accept–Accepts the interactive traffic. |
| | Drop Connection–Drops the interactive connection without sending an RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic not prone to spoofing. |
| | Close Client and Server–Closes the interactive connection and sends an RST packet to both the client and the server. If the IDP appliance is in sniffer mode, it sends an RST packet to both the client and server but does not close the connection. |
| | Close Client–Closes the interactive connection to the client but not to the server. |
| | Close Server–Closes the interactive connection to the server but not to the client. |
| Notification | Sets logging and packet capture options. |
| VLAN Tag | Sets VLAN tag matches. |
| Severity | Sets severity ratings. |
| Install On | Specifies target IDP devices for the rule. By default, IDP security policy rules can be applied to any IDP device. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP devices to which the rule can be installed. |
| Comments | Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule. Comments do not affect the functionality of the security policy rule. |
If necessary, you can use the NSM Device Manager to tune the thresholds for backdoor detection. Figure 2 shows the backdoor detection settings in the NSM Device Manager configuration editor.
Figure 2: NSM Device Manager: Sensor Settings > Run-Time Parameters


