    Example: Using the Within Packets Constraint with Compound Attack Objects

With compound attack objects, you can use the within packets constraint to add logic that reduces false positives: instead of alerting whenever all member patterns appear somewhere in a session, the object matches only when the patterns appear within a bounded number of packets of the start of the stream, or of each other.

You can select members one at a time and set a lower and upper limit for each one. When a member is constrained on its own, its packet range is counted from the start of the stream. The complete pattern for that member must be found within the range indicated; a pattern that is only partially inside the range does not satisfy the constraint.

When you select two members and apply a packet constraint to them, the counting changes: the packet containing the first match is counted as packet 0, and the range gives how many packets later the other member's pattern must be found. If your research shows that, in a particular attack, two patterns always appear within 1 or 2 packets of each other, you can select member 1 and member 2 and specify a range of 1-2. This specifies that the second pattern must occur one or two packets after the packet in which the first pattern is found. A session in which both patterns appear, but many packets apart, does not match, which is where the false-positive reduction comes from.

A plain Boolean AND does not fix which member is found first; whichever member matches first becomes packet 0. If you know that the traffic pattern is an attack only when member 1 occurs before member 2, use a Boolean ordered AND to specify the order in which the patterns must appear. In this example, if you use a Boolean ordered AND and specify a range of 1-2, the traffic matches only if the member 2 pattern occurs one or two packets after the packet in which the member 1 pattern is found; a session in which member 2 precedes member 1 does not match, even if the two patterns are only one packet apart.
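The following is an added example, not code from this page or from the Juniper IDP engine, that models how the single-member and two-member forms of the within packets constraint described above are evaluated, with and without an ordered AND. It assumes a simplified matcher in which each member's complete pattern lies inside one packet's payload (no stream reassembly) and a member is considered found at the first packet containing its pattern; the packet stream, member names and patterns are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Added example: a constructed model of how a compound attack object with a
# 'within packets' constraint is evaluated.  It is not Juniper IDP code.
# Assumptions: each member's complete pattern lies inside a single packet's
# payload (no stream reassembly), and a member is found at the first packet
# that contains its pattern.

Range = Tuple[int, int]  # inclusive (lower, upper) packet limits


@dataclass
class Member:
    name: str
    pattern: bytes
    # Single-member constraint: packet range counted from the start of the
    # stream, where the first packet of the stream is packet 0.
    stream_range: Optional[Range] = None


def find_pattern(packets: Sequence[bytes], pattern: bytes, start: int = 0) -> Optional[int]:
    """Index of the first packet at or after `start` whose payload contains
    the complete pattern, or None if the pattern never appears."""
    for i in range(start, len(packets)):
        if pattern in packets[i]:
            return i
    return None


def member_in_stream_range(packets: Sequence[bytes], member: Member) -> bool:
    """Single-member 'within packets' check: the member's complete pattern
    must be found within member.stream_range, counted from start of stream."""
    idx = find_pattern(packets, member.pattern)
    if idx is None:
        return False
    if member.stream_range is None:
        return True
    lo, hi = member.stream_range
    return lo <= idx <= hi


def compound_matches(packets: Sequence[bytes], m1: Member, m2: Member,
                     within: Range, ordered: bool) -> bool:
    """Two members with a 'within packets' constraint.

    within = (lo, hi): the packet holding the first member match is packet 0
    and the other member's complete pattern must be found between lo and hi
    packets later.  With ordered=True (Boolean ordered AND) m1 must be the
    member found first; with ordered=False (Boolean AND) either may be first.
    """
    if not (member_in_stream_range(packets, m1) and member_in_stream_range(packets, m2)):
        return False
    lo, hi = within

    def second_follows(first: Member, second: Member) -> bool:
        p0 = find_pattern(packets, first.pattern)  # this packet is packet 0
        if p0 is None:
            return False
        p = find_pattern(packets, second.pattern, start=p0 + lo)
        return p is not None and p <= p0 + hi

    if ordered:
        return second_follows(m1, m2)
    return second_follows(m1, m2) or second_follows(m2, m1)


# Constructed sample stream (not captured traffic); list index = packet number.
STREAM = [
    b"CLIENT greeting",    # packet 0
    b"SERVER banner",      # packet 1
    b"CLIENT setup-step",  # packet 2: member 1 pattern
    b"SERVER ack",         # packet 3
    b"CLIENT trigger",     # packet 4: member 2 pattern, 2 packets after member 1
]

SETUP = Member("member1", b"setup-step")
TRIGGER = Member("member2", b"trigger")

if __name__ == "__main__":
    # ordered AND, range 1-2: trigger is 2 packets after setup-step -> True
    print(compound_matches(STREAM, SETUP, TRIGGER, (1, 2), ordered=True))
    # ordered AND with members swapped: setup-step never follows trigger -> False
    print(compound_matches(STREAM, TRIGGER, SETUP, (1, 2), ordered=True))
    # plain AND with members swapped: order is ignored -> True
    print(compound_matches(STREAM, TRIGGER, SETUP, (1, 2), ordered=False))
```

The `second_follows` helper is where the two counting rules meet: the lower limit is applied by starting the search at `p0 + lo`, so a range of 1-2 never accepts the second pattern in the same packet as the first, and the upper limit rejects a pattern that appears only after `p0 + hi`, which is the case that would otherwise be a false positive.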


    Published: 2011-02-08