Although you cannot create application signatures, you can configure
sensor settings that limit the number of sessions running application
identification and that cap the memory used by application identification.

Memory limit for a session—You can configure the maximum number of
memory bytes that can be used to save packets for application
identification in one TCP or UDP session. You can also configure a
limit on global memory usage for application identification.
Application identification is disabled for a session once the system
reaches the specified memory limit for that session; however, IDP
continues to match patterns. The matched application is saved to the
cache so that the next session can use it. This protects the system
against attackers who try to bypass application identification by
purposefully sending large

Number of sessions—You can configure the maximum number of sessions
that can run application identification at the same time. Application
identification is disabled after the system reaches the specified
number of sessions. Limiting the number of sessions helps prevent a
denial-of-service (DoS) attack, in which too many connection requests
overwhelm and exhaust all the resources allocated on the system.
In the configuration instructions for this example, you set the limit
so that only 600 sessions can run application identification at the
same time. You also configure 5000 bytes as the maximum amount of
memory that can be used for saving packets for application
identification in one TCP session.
You can use either J-Web or the CLI configuration editor to
configure memory and session limits for application identification.
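The following configuration-mode session is an added illustration of the two limits described above; it is not taken from the original page. It assumes the Junos CLI hierarchy security idp sensor-configuration application-identification with the option names max-sessions and max-tcp-session-packet-memory, and the hostname user@host is a placeholder; confirm the exact option names on your release with set security idp sensor-configuration application-identification ? before committing.

```junos
# Added example (not from the page). Hierarchy and option names are
# assumed; verify them on your Junos release with the CLI's "?" help.
[edit]
# Allow at most 600 concurrent sessions to run application identification.
user@host# set security idp sensor-configuration application-identification max-sessions 600
# Cap the packet memory saved for application identification at 5000 bytes per TCP session.
user@host# set security idp sensor-configuration application-identification max-tcp-session-packet-memory 5000
# Review the candidate configuration before committing it.
user@host# show security idp sensor-configuration
application-identification {
    max-sessions 600;
    max-tcp-session-packet-memory 5000;
}
user@host# commit
```

The 600-session and 5000-byte values are the figures used by this example, not recommendations: because application identification is switched off for sessions beyond either limit, a limit set too low for the platform's normal load will leave legitimate sessions identified only by the cached result or not at all during busy periods, so size both values against observed session counts before relying on them as DoS protection.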