Configuring Traffic Anomalies Rulebase Rules (NSM Procedure)

The Traffic Anomalies rulebase employs a traffic flow analysis method to detect attacks that occur over multiple connections and sessions (such as scans).

Figure 1 shows the Traffic Anomalies rulebase in the NSM security policy editor, where you can modify Traffic Anomalies rules. Table 1 describes the rule settings you can configure.

Figure 1: NSM Security Policy Editor: Traffic Anomalies Rulebase

To create Traffic Anomalies rulebase rules:

  1. In the NSM navigation tree, select Policy Manager > Security Policies.
  2. Select the security policy to which you want to add Traffic Anomalies rulebase rules.
  3. Add the Traffic Anomalies rulebase by clicking the + icon in the upper right region of the policy viewer and selecting Add Traffic Anomalies Rulebase.
  4. Add a rule by clicking the + icon within the rules viewer.
  5. Modify a setting by right-clicking the table cell for that setting and making your selection.
  6. Click OK to save your changes.

Table 1: Traffic Anomalies Rulebase Rule Properties

  No.
      Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection.

  Match
      Sets match criteria for source, destination, and service.

  Traffic Anomalies
      Ignore: Turns off traffic anomaly detection for traffic that matches the rule.

      Detect: Turns on detection for traffic that matches the rule and displays the View Detect Options dialog box, where you can set detection settings. Table 2 describes the detection settings that you can set in that dialog box.

  IP Action
      Sets IP block, close connection, or notify settings.

  Notification
      Sets logging settings.

      Note: Packet capture is not available for Traffic Anomalies rulebase rules.

  VLAN Tag
      Sets match criteria for VLAN tags.

  Severity
      Sets severity ratings.

  Install On
      Specifies the target IDP devices for the rule. By default, IDP security policy rules can be applied to any IDP device. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP devices on which the rule can be installed.

  Comments
      Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can enter notes about the rule. Comments do not affect the functionality of the security policy rule.

Table 2 describes Traffic Anomalies rulebase detection settings.

Table 2: Traffic Anomalies Rulebase Detection Settings

  TCP Port Scan, UDP Port Scan
      Sets a port count (the number of ports scanned) and a time threshold (the period, in seconds, over which ports are counted).

      The default port count is 20 and the default time threshold is 120 seconds. With the defaults, the rule is matched if the same source scans 20 TCP ports on your internal network within 120 seconds, or 20 UDP ports on your internal network within 120 seconds.

  Distributed Port Scan
      A distributed port scan is an attack that uses multiple source IP addresses to scan ports.

      Sets an IP count (the number of source IP addresses scanning) and a time threshold (the period, in seconds, over which source addresses are counted).

      The default IP count is 50 and the default time threshold is 120 seconds. With the defaults, the rule is matched if 50 IP addresses attempt to scan ports on your internal network within 120 seconds.

  ICMP Sweep
      An ICMP sweep is an attack in which a single source IP address pings multiple IP addresses.

      Sets an IP count (the number of IP addresses pinged) and a time threshold (the period, in seconds, over which pinged addresses are counted).

      The default IP count is 50 and the default time threshold is 120 seconds. With the defaults, the rule is matched if the same source IP address attempts to ping 50 IP addresses within 120 seconds.

  Network Scan
      A network scan is an attack in which a single source IP address scans multiple IP addresses.

      Sets an IP count (the number of IP addresses scanned) and a time threshold (the period, in seconds, over which scanned addresses are counted).

      The default IP count is 50 and the default time threshold is 120 seconds. With the defaults, the rule is matched if the same source IP address attempts to scan 50 IP addresses within 120 seconds.

  Session Limit
      Sets a threshold for the number of sessions allowed from a single host within one second. The default is 100 sessions.

      For example, assume your internal network typically carries low-volume traffic. To detect a sudden increase in traffic from a specific host (which might indicate a worm), configure a rule that matches traffic over your internal network and set a session limit of 200. To block traffic that exceeds the session limit, set the rule's IP Action to IDP Block and set Blocking Options to Source, Protocol.
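The counting semantics behind Table 2 are easier to reason about in code than in prose. The Python below is an added illustration, not part of the NSM documentation and not NSM's detection engine (which the page does not describe): it applies the five documented thresholds as sliding-window counters to constructed flow records. The names `Flow`, `Window`, `detect`, the 192.168.0.0/16 "internal network", and the choice that scan rules match once the count reaches the threshold while Session Limit matches once the count exceeds the limit are all assumptions made here.

```python
"""Sliding-window counters mirroring the Traffic Anomalies detection settings.
Added example; the thresholds are the documented defaults, everything else is assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")  # constructed stand-in for "your internal network"

# (count, window in seconds): the defaults documented in Table 2
DEFAULTS = {
    "port_scan": (20, 120),         # distinct ports probed by one source, per protocol
    "distributed_scan": (50, 120),  # distinct sources probing the internal network
    "icmp_sweep": (50, 120),        # distinct hosts pinged by one source
    "network_scan": (50, 120),      # distinct hosts probed by one source over TCP/UDP
    "session_limit": (100, 1),      # sessions opened by one host per second
}


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since an arbitrary epoch
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # 0 for ICMP


class Window:
    """Events seen within the last `seconds`; flows must arrive in time order."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.events = deque()  # (ts, value)

    def add(self, ts, value):
        self.events.append((ts, value))
        while ts - self.events[0][0] > self.seconds:  # expire events outside the window
            self.events.popleft()

    def count(self):
        return len(self.events)

    def distinct(self):
        return len({v for _, v in self.events})


def detect(flows, thresholds=DEFAULTS):
    """Return one (kind, key) alert per anomaly the documented rules would match."""
    def table(kind):  # one Window per key, sized with that setting's time threshold
        return defaultdict(lambda: Window(thresholds[kind][1]))

    win = {kind: table(kind) for kind in thresholds}
    alerts, fired = [], set()

    def fire(kind, key):  # report each (kind, key) once rather than on every flow
        if (kind, key) not in fired:
            fired.add((kind, key))
            alerts.append((kind, key))

    for f in sorted(flows, key=lambda f: f.ts):
        # Session Limit: sessions from one host within one second, matched when exceeded
        w = win["session_limit"][f.src]
        w.add(f.ts, None)
        if w.count() > thresholds["session_limit"][0]:
            fire("session_limit", f.src)
        if f.proto == "icmp":
            # ICMP Sweep: one source pinging many hosts
            w = win["icmp_sweep"][f.src]
            w.add(f.ts, f.dst)
            if w.distinct() >= thresholds["icmp_sweep"][0]:
                fire("icmp_sweep", f.src)
            continue
        # TCP/UDP Port Scan: one source touching many ports, counted per protocol
        w = win["port_scan"][(f.src, f.proto)]
        w.add(f.ts, f.dport)
        if w.distinct() >= thresholds["port_scan"][0]:
            fire("port_scan", (f.src, f.proto))
        # Network Scan: one source touching many hosts
        w = win["network_scan"][f.src]
        w.add(f.ts, f.dst)
        if w.distinct() >= thresholds["network_scan"][0]:
            fire("network_scan", f.src)
        # Distributed Port Scan: many sources probing the internal network
        if ip_address(f.dst) in INTERNAL:
            w = win["distributed_scan"]["internal"]
            w.add(f.ts, f.src)
            if w.distinct() >= thresholds["distributed_scan"][0]:
                fire("distributed_scan", "internal")
    return alerts


def sample_flows():
    """Constructed flow records (not captured traffic) that exercise each detector."""
    flows = [Flow(t, "10.0.0.99", "192.168.1.10", "tcp", 1 + t) for t in range(20)]   # 20 ports
    flows += [Flow(5 + i, "192.168.1.5", "192.168.1.10", "tcp", 443) for i in range(5)]  # benign
    flows += [Flow(100 + i, "10.0.0.50", f"192.168.2.{i + 1}", "icmp", 0) for i in range(60)]
    flows += [Flow(300 + i, f"172.16.0.{i + 1}", "192.168.1.20", "tcp", 22) for i in range(60)]
    flows += [Flow(500 + i * 0.003, "192.168.1.77", "192.168.1.10", "tcp", 80) for i in range(150)]
    flows += [Flow(700 + i, "10.0.0.7", f"192.168.3.{i + 1}", "tcp", 445) for i in range(55)]
    return flows


if __name__ == "__main__":
    for kind, key in detect(sample_flows()):
        print(f"{kind}: {key}")
```

Raising the Session Limit to 200, as the example in Table 2 suggests for a quiet network, is a change to the `thresholds` mapping only; with the constructed 150-session burst the session alert then no longer fires while the four scan alerts still do.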


Published: 2010-01-12