    Modifying the IDP Series Device Configuration

    You do not need to modify the IDP Series device configuration to get started with your deployment. The default settings are appropriate for most deployments. As you learn how the IDP Series device handles your network traffic, you can use Network and Security Manager (NSM) to modify the IDP Series device properties described in this section to optimize performance and reduce false positives.

    This section includes the following topics:

    Modifying NSM Informational Properties

    NSM informational properties are management object parameters you created when you added the device to the NSM Device Manager, as well as inventory data, including the installed software and firmware versions. Figure 1 shows the Info page, where you can modify these properties.

    Figure 1: NSM Device Configuration Editor: Info Page


    To modify NSM informational properties:

    1. In NSM Device Manager, double-click the IDP Series device you want to modify to display the device configuration editor, which opens by default to the Info page.
    2. Configure the informational settings described in Table 1.
    3. Click Apply.
    4. Click OK.

    Table 1: IDP Series Device Configuration: Info Settings

    Setting–Description

    Name–The name of the IDP Series device in NSM. Editable.

    Color–The color of the IDP Series device icon in NSM. Selectable.

    Platform–The IDP Series device hardware model number.

    Managed OS Version–The major OS version.

    Running OS Version–The precise OS version installed on the device.

    IP Address–The IDP Series device management port IP address.

    Note: Can only be changed with ACM.

    Serial Number–The product serial number.

    IDP Detector Version–The version of the IDP detector engine installed on the device.

    IDP Mode–Deployment mode: sniffer, transparent, or mixed.

    Note: Can only be changed with ACM.

    Secondary Management Server IP–The IP address that the IDP Series device contacts if it cannot reach the current NSM server.

    Software License Type–The type of license currently loaded on the IDP Series device. An evaluation license is good for one year.

    Software License Expiration Date–The expiration date of the license currently loaded on the IDP Series device.

    Security Policy Name–The security policy assigned to the device. Selectable.

    Modifying Antispoof Settings

    You detect attacks that attempt to spoof the addresses of hosts in your protected network by associating IDP Series traffic interfaces with the addresses of hosts in your protected network. The IDP Series appliance then detects an IP spoof attack if:

    • An incoming packet uses an IP address that belongs to a network object on your internal network.
    • An outgoing packet uses an IP address that does not belong to a network object on your internal network.

    Figure 2 shows the Anti-Spoof Settings page, where you can configure IP spoof detection.

    Figure 2: NSM Device Configuration Editor: Anti-Spoof Settings Page


    To modify antispoof settings:

    1. In NSM Device Manager, double-click the IDP Series device you want to modify to display the device configuration editor.
    2. Click Anti-Spoof Settings.
    3. Click the + icon to display the Anti-Spoof Settings dialog box.
    4. Configure the antispoof settings described in Table 2.
    5. Click Apply.
    6. Click OK.

    Table 2: IDP Series Device Configuration: Antispoof Settings

    Setting–Function

    Interface Name–Selects a forwarding interface to configure.

    Logging–Enables logging for spoofed IP addresses.

    Alarm–Enables alerts for spoofed IP addresses.

    Check Other Interfaces–Indicates whether the device should check the status of other interfaces when determining spoofing.

    Action–Specifies the action for the IDP Series device to take: None or Drop Packet.

    Network Objects–Specifies the address objects you associate with the selected interface.
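The two detection rules above (incoming packet with an internal source, outgoing packet with a non-internal source), modelled as an added example; this is not code from NSM or the IDP Series OS. The interface names, subnets and the reading of Check Other Interfaces are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AntispoofSetting:
    """One row of the Anti-Spoof Settings dialog (Table 2)."""
    interface: str
    network_objects: list            # address objects associated with the interface
    logging: bool = True
    alarm: bool = False
    check_other_interfaces: bool = False
    action: str = "Drop Packet"      # "None" or "Drop Packet"


# Constructed settings for two forwarding interfaces (hypothetical names and subnets).
SETTINGS = {
    "eth2": AntispoofSetting("eth2", [ipaddress.ip_network("10.10.0.0/16")]),
    "eth3": AntispoofSetting("eth3", [ipaddress.ip_network("192.168.5.0/24")],
                             alarm=True, check_other_interfaces=True, action="None"),
}


def _in_objects(ip, networks):
    return any(ip in net for net in networks)


def evaluate(interface, direction, src_ip, settings=SETTINGS):
    """Classify one packet's source address on a traffic interface.

    direction is "in" (arriving from outside) or "out" (leaving the protected
    network). Returns the verdict plus the log/alarm/action outcome the row
    configures.
    """
    s = settings[interface]
    ip = ipaddress.ip_address(src_ip)
    internal = _in_objects(ip, s.network_objects)
    if not internal and s.check_other_interfaces:
        # Assumption: with Check Other Interfaces on, addresses protected behind
        # any other configured interface also count as internal (the page does
        # not spell out the rule).
        internal = any(_in_objects(ip, other.network_objects)
                       for name, other in settings.items() if name != interface)
    if direction == "in":
        spoofed = internal                # outside packet claiming an inside address
    elif direction == "out":
        spoofed = not internal            # inside packet with an address we do not own
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return {
        "spoofed": spoofed,
        "log": spoofed and s.logging,
        "alarm": spoofed and s.alarm,
        "action": s.action if spoofed else "None",
    }
```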

    Modifying Runtime Parameters

    Runtime parameters include options for tuning IDP Series detection methods. In general, you modify these settings only if you encounter false positives or performance issues.

    Figure 3 shows the Run-time Parameters tab, where you can configure these settings.

    Figure 3: NSM Device Configuration Editor: Run-time Parameters Tab


    To modify runtime parameters:

    1. In NSM Device Manager, double-click the IDP Series device you want to modify to display the device configuration editor.
    2. Click Sensor Settings.
    3. Click the Run-time Parameters tab.
    4. Modify the runtime settings described in Table 3.
    5. Click Apply.
    6. Click OK.

    Table 3: IDP Series Device Configuration: Runtime Parameters

    Setting–Description

    Backdoor Detection

    Minimum interval between consecutive small packets / Maximum interval between consecutive small packets–Controls the minimum and maximum intervals (in microseconds) between the arrival of two consecutive small packets in suspected interactive traffic. If the IDP engine sees small packets arrive in less than the minimum or more than the maximum number of microseconds, it does not consider the traffic to be interactive.

    The defaults are 20,000 and 20,000,000. This means that consecutive small packets must arrive within 20,000 to 20,000,000 microseconds to be considered interactive.

    Byte threshold for packet sizes in a backdoor connection–Controls the maximum number of bytes a TCP packet must contain before the IDP engine uses the packet for backdoor detection heuristics. The default is 20 bytes.

    Minimum number of data carrying TCP packets–Controls the minimum number of data-carrying TCP packets in suspected interactive traffic. The default is 20 packets.

    Minimum percentage of back-to-back small packets–Controls the minimum percentage of consecutive small packets in suspected interactive traffic. If the IDP engine sees less than this percentage, it does not report a backdoor event. The default is 20%.

    Ratio of small packets to the total packets–Controls the minimum percentage of small packets that the IDP engine uses for backdoor detection heuristics. If the IDP engine sees less than this minimum, it does not report a backdoor event. The default is 20%.
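A worked model of the five backdoor heuristics above, added here as an example; it is not the IDP engine's code. The page does not say how the engine combines the thresholds, so the combination rule, the function names and the constructed packet traces are assumptions.

```python
from dataclasses import dataclass


@dataclass
class BackdoorParams:
    """Backdoor Detection runtime parameters with the documented defaults."""
    min_interval_us: int = 20_000        # minimum interval between consecutive small packets
    max_interval_us: int = 20_000_000    # maximum interval between consecutive small packets
    byte_threshold: int = 20             # payload at or below this size counts as "small"
    min_data_packets: int = 20           # minimum number of data-carrying TCP packets
    min_back_to_back_pct: int = 20       # minimum percentage of back-to-back small packets
    min_small_ratio_pct: int = 20        # ratio of small packets to the total packets


def looks_interactive(packets, p=BackdoorParams()):
    """Apply the heuristics to one TCP flow (assumed combination rule).

    packets: list of (arrival_time_us, tcp_payload_bytes) in arrival order.
    Returns (verdict, reason); verdict is True when every threshold is met,
    i.e. the flow would be reported as a suspected backdoor session.
    """
    data = [(t, n) for t, n in packets if n > 0]          # only data-carrying packets count
    if len(data) < p.min_data_packets:
        return False, f"only {len(data)} data packets (minimum {p.min_data_packets})"

    small = [n <= p.byte_threshold for _, n in data]
    small_ratio = 100.0 * sum(small) / len(data)
    if small_ratio < p.min_small_ratio_pct:
        return False, f"small-packet ratio {small_ratio:.0f}% below {p.min_small_ratio_pct}%"

    # A pair of consecutive small packets only counts when the gap between them
    # lies inside the [minimum, maximum] interval window (human typing cadence).
    back_to_back = 0
    for i in range(1, len(data)):
        if small[i - 1] and small[i]:
            gap = data[i][0] - data[i - 1][0]
            if p.min_interval_us <= gap <= p.max_interval_us:
                back_to_back += 1
    b2b_pct = 100.0 * back_to_back / max(len(data) - 1, 1)
    if b2b_pct < p.min_back_to_back_pct:
        return False, f"back-to-back small packets {b2b_pct:.0f}% below {p.min_back_to_back_pct}%"
    return True, "all backdoor heuristics satisfied"


def synthetic_flow(count, payload_bytes, gap_us, start_us=0):
    """Constructed trace: `count` packets of `payload_bytes`, `gap_us` apart."""
    return [(start_us + i * gap_us, payload_bytes) for i in range(count)]


# Constructed sample flows, not captures from a real network.
INTERACTIVE = synthetic_flow(20, 10, 500_000) + synthetic_flow(4, 1400, 100_000, 10_000_000)
BULK = synthetic_flow(30, 1400, 1_000)          # file transfer: no small packets
BURST = synthetic_flow(40, 10, 5)               # small packets, but far too fast for a keyboard
SHORT = synthetic_flow(15, 10, 500_000)         # too few data packets to judge
```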

    Flow Management

    Timeout for non-UDP/TCP/ICMP flows–Controls idle flow. Each connection through the security module typically has two flows, one in each direction. If the IDP engine does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Timeout for UDP flows–Controls idle flow. Each connection through the security module typically has two flows, one in each direction. If the IDP engine does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Timeout for TCP flows–Controls idle flow. Each connection through the security module typically has two flows, one in each direction. If the IDP engine does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Timeout for ICMP flows–Controls idle flow. Each connection through the security module typically has two flows, one in each direction. If the IDP engine does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Maximum TCP Sessions–Controls the maximum number of TCP sessions. If the IDP system reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model, as shown in the following table.

    Model        Default    Minimum    Maximum [1]
    IDP75        40,000     0          100,000
    IDP250       125,000    0          300,000
    IDP800       400,000    0          1,000,000
    IDP8200 [2]  400,000    0          500,000
    IDP200       50,000     0          70,000
    IDP600       100,000    0          220,000
    IDP1100      200,000    0          500,000

    [1] For all entries except IDP8200, the maximum session limit shown is also the device session limit. We recommend that the sum of “max sessions” you configure for TCP, UDP, ICMP, and Other not exceed the device session limit. The user interface does not enforce this, so do a quick calculation whenever you change these settings. If you increase TCP, decrease UDP in proportion. Otherwise, you might encounter a traffic load that leads to undesirable results, such as drops for all traffic when the device limit is reached.

    [2] For IDP8200, the limits shown are configured for each core IDP engine. There are six core IDP engines. The sum of “max sessions” you configure for IDP8200 can be 1,000,000 per core IDP engine. The IDP8200 device session limit rating is 6,000,000.

    Maximum UDP Sessions–Controls the maximum number of UDP sessions. If the IDP system reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log.

    Model        Default    Minimum    Maximum [1]
    IDP75        40,000     0          100,000
    IDP250       125,000    0          300,000
    IDP800       400,000    0          1,000,000
    IDP8200 [2]  400,000    0          500,000
    IDP200       10,000     0          70,000
    IDP600       100,000    0          220,000
    IDP1100      200,000    0          500,000

    Footnotes [1] and [2] apply as in the Maximum TCP Sessions table above.

    Maximum ICMP Sessions–Controls the maximum number of ICMP sessions. If the IDP system reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model, as shown in the following table.

    Model        Default    Minimum    Maximum [1]
    IDP75        10,000     0          100,000
    IDP250       25,000     0          300,000
    IDP800       100,000    0          1,000,000
    IDP8200 [2]  100,000    0          500,000
    IDP200       5,000      0          70,000
    IDP600       10,000     0          220,000
    IDP1100      50,000     0          500,000

    Footnotes [1] and [2] apply as in the Maximum TCP Sessions table above.

    Maximum IP Sessions (non-UDP/TCP/ICMP)–Controls the maximum number of other IP-based sessions. If the IDP system reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model, as shown in the following table.

    Model        Default    Minimum    Maximum [1]
    IDP75        10,000     0          100,000
    IDP250       25,000     0          300,000
    IDP800       100,000    0          1,000,000
    IDP8200 [2]  100,000    0          500,000
    IDP200       5,000      0          70,000
    IDP600       10,000     0          220,000
    IDP1100      50,000     0          500,000

    Footnotes [1] and [2] apply as in the Maximum TCP Sessions table above.

    Reset flow table with policy load/unload–Resets the flow table each time you load or unload a security policy. If you do not enable this option, the IDP system maintains the flow table until all flows referencing that security policy have completed. This setting is enabled by default. We recommend that you keep this setting enabled to preserve memory.

    With this setting enabled, the IDP system resets the flow table when you install a new policy. When the flow table is reset, existing sessions are passed through uninspected. For IDP75 and IDP200, you cannot override the default.

    For high-end devices, you can unset this default to avoid passing sessions through uninspected. If you unset it, when you load a new policy the IDP system flow table maintains sessions belonging to the previously installed policy as well as to the newly installed policy. The IDP engine continues to use the previously installed security policy to inspect existing sessions and uses the newly installed security policy to inspect new sessions. When the previously installed policy is no longer in use, it is unloaded and all traffic is inspected using the newly installed policy. For IDP8200 and IDP250, the IDP system can maintain flows for as many as two security policies. For IDP1100, IDP800, and IDP600, the IDP system can maintain flows for as many as four security policies.

    Log flow related errors–Enables logging for flow-related errors. This setting is not enabled by default.
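The quick calculation the session-limit footnote asks for, written out as an added example rather than anything NSM provides: each value is checked against the Maximum column, the sum against the device session limit (per core IDP engine for IDP8200), and UDP is lowered by the overshoot when TCP is raised. The model names and limits come from the tables above; the function names are assumptions of this example.

```python
# Per-protocol maximum (the Maximum column, identical in all four session tables)
# and the limit the configured sum must stay within. For every model except
# IDP8200 the per-protocol maximum is also the device session limit; for IDP8200
# the values are per core IDP engine and the per-core sum may reach 1,000,000.
PER_PROTOCOL_MAX = {
    "IDP75": 100_000, "IDP250": 300_000, "IDP800": 1_000_000, "IDP8200": 500_000,
    "IDP200": 70_000, "IDP600": 220_000, "IDP1100": 500_000,
}
SESSION_SUM_LIMIT = dict(PER_PROTOCOL_MAX, IDP8200=1_000_000)
IDP8200_CORES = 6
IDP8200_DEVICE_RATING = 6_000_000
PROTOCOLS = ("TCP", "UDP", "ICMP", "Other")


def check_session_settings(model, tcp, udp, icmp, other):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    cap = PER_PROTOCOL_MAX[model]
    values = dict(zip(PROTOCOLS, (tcp, udp, icmp, other)))
    for proto, val in values.items():
        if not 0 <= val <= cap:
            problems.append(f"{proto} max sessions {val:,} outside 0..{cap:,}")
    total = sum(values.values())
    limit = SESSION_SUM_LIMIT[model]
    if total > limit:
        scope = "per-core limit" if model == "IDP8200" else "device session limit"
        problems.append(f"sum of max sessions {total:,} exceeds {scope} {limit:,}")
    return problems


def rebalance_udp(model, tcp, udp, icmp, other):
    """After raising TCP, lower UDP by the overshoot so the sum fits again (floor 0)."""
    overshoot = tcp + udp + icmp + other - SESSION_SUM_LIMIT[model]
    return udp if overshoot <= 0 else max(0, udp - overshoot)


def idp8200_device_total(tcp, udp, icmp, other):
    """Device-wide session count implied by per-core values on the six core IDP engines."""
    return IDP8200_CORES * (tcp + udp + icmp + other)
```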

    IP Actions

    Reset block table with policy load/unload–Resets the IP action block table each time a security policy is loaded or unloaded. This table maintains IP addresses for connections to which the IP action block has been applied. This setting is enabled by default.

    Intrusion Detection

    Buffer flow emulator–Turns on buffer overflow emulation.

    Attack matches per packet when Signature Hierarchy take effect–Sets the threshold for activating signature hierarchy calculations.

    A common attack can be composed of several known vulnerabilities. Each vulnerability has its own attack object, and each would generate a separate log entry if the signature hierarchy feature were disabled.

    For example, for a policy with critical, high, medium, low, and info attacks and logging enabled, a single detection of HTTP:IIS:COMMAND-EXEC attack generates the following logs:

    • HTTP:IIS:COMMAND-EXEC [wininnt/system32/cmd.exe] (medium)
    • HTTP:WIN-CMD:WIN-CMD-EXE [cmd.exe] (medium)
    • HTTP:REQERR:REQ-MALFORMED-URL [anomaly for %xx] (medium)
    • HTTP:DIR:TRAVERSE-DIRECTORY (anomaly for ../) (medium)
    • HTTP:REQERR:REQ-LONG-UTF8CODE (anomaly for oe) (medium)
    • TCP:AUDIT:BAD-SYN-NONSYN (info)
    • HTTP:AUDIT:URL (info)
    • TCP:AUDIT:BAD-SYN-NONSYN (info)

    If the number of attacks in a packet exceeds the set value, the IDP engine examines its signature hierarchy to see if some attacks are actually part of a larger attack. If so, only the parent attack is displayed in the logs. In this example, if the value was set to 9 or lower, only a log for HTTP:IIS:COMMAND-EXEC would be generated.

    An attack in the signature hierarchy may have multiple parents or multiple children. If a child attack is part of two discovered parents, the IDP system takes action based on the parent with the highest severity.

    Specify 0 to disable.

    Run-Time Parameters

    RPC program timeout–Controls how long the IDP system maintains information about an RPC server. The IDP engine performs a stateful inspection of all RPC messages on port 111, then builds a table of program-to-port mapping for each RPC server that it finds on the network. The default is 300 seconds.

    RPC transaction timeout–Controls RPC timeout. All RPC messages (port 111) are based on a request/response protocol. When the IDP engine receives a request, it adds the request to a request table. If the IDP engine does not receive an RPC reply in the specified timeout, the RPC entry times out. The default is 5 seconds.

    Exempt management server flows–Exempts NSM connections from processing. This setting is enabled by default.

    Fragment timeout–Controls when the IDP system drops an incomplete fragment chain because one or more fragments did not arrive. If the IDP system does not receive the missing fragments within the specified timeout, it generates a log (FRAGMENT_TIME_EXCEEDED). The default is 5 seconds.

    Minimum fragment size–Drops all IP fragments smaller than the specified size (bytes). The default is 0 bytes (no fragments are dropped).

    Maximum fragments per IP datagram–Controls the size of the IP fragment chain. An IP datagram can be broken into many fragments which, when reassembled, should not exceed 64 K. IP fragment processing is CPU and memory intensive. If the number of fragments in a chain exceeds this number, the IDP system drops the entire fragment chain. The default is 65,535 bytes.

    Maximum concurrent fragments in queue–Controls the maximum number of reassembled fragment chains. The IDP engine can perform pseudo reassembly of IP fragment chains. Once this limit is reached, the IDP system drops all new IP fragment chains and generates a log (TOO_MANY_FRAGMENTS). If your network produces a large number of IP fragments, such as those produced by Network File System (NFS), increase the number of fragments per chain to eliminate unnecessary logs. The default is 16 fragments.

    Log fragment related errors–Logs fragment related errors. This setting is not enabled by default.

    Enable GRE decapsulation support–Enables decapsulation and inspection of generic routing encapsulation (GRE) traffic. IDP Series devices support inspection of IP-in-GRE or PPP-in-GRE encapsulated traffic. GRE decapsulation is not enabled by default.

    Enable GTP decapsulation support–Enables decapsulation and inspection of GPRS Tunneling Protocol (GTP) traffic. IDP Series devices support decapsulation of UDP GTPv0 and GTPv1 only. GTP decapsulation is not enabled by default.

    Enable SSL decryption support–Enables SSL decryption and inspection. SSL decryption is not enabled by default.

    SYN-Protector

    Timeout for half-open SYN protected flows–Determines the number of seconds before the IDP system closes a half-open SYN protected flow when the SYN Protector rulebase is in passive mode. The default is 5 seconds.

    A half-open SYN flow occurs during the TCP three-way handshake, after the client has sent a SYN/ACK packet to the server. The half-open connection is now in the SYN_RECV state, and is placed into a connection queue while it waits for an ACK or RST packet. The connection remains in the queue until the connection-establishment timeout expires and the half-open connection is deleted.

    Lower SYNs-per-second threshold below which SYN Protector will be deactivated / Upper SYNs-per-second threshold above which SYN Protector will be activated–Determines when the SYN Protector rulebase is activated and deactivated.

    In relay mode, the SYN Protector rulebase is activated when the number of SYN packets per second is greater than the lower threshold. Relay mode does not use the upper threshold.

    In passive mode, the SYN Protector rulebase is activated when the number of SYN packets per second is greater than the sum of the lower and upper thresholds and deactivated when the number of SYNs-per-second falls below the lower threshold. The defaults are 1000 and 20. Using the defaults, the SYN Protector is activated when SYNs-per-second reach 1020 and deactivated when SYNs-per-second fall below 1000.
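The activation and deactivation rules for both modes, walked over a series of per-second SYN counts as an added example (not Juniper code). The page gives no deactivation rule for relay mode, so that rule, the exact boundary comparisons and the sample SYN rates are assumptions.

```python
def syn_protector_trace(syn_rates, lower=1000, upper=20, mode="passive"):
    """Return the SYN Protector state (True = active) after each per-second sample.

    passive mode: activates when SYNs/s reaches lower + upper (1020 with the
    defaults) and deactivates when SYNs/s falls below lower (1000), so the
    upper threshold acts as a hysteresis band.
    relay mode: only the lower threshold is used.
    """
    if mode not in ("passive", "relay"):
        raise ValueError("mode must be 'passive' or 'relay'")
    active = False
    states = []
    for rate in syn_rates:
        if mode == "relay":
            # Assumption: relay mode is active exactly while the rate is above the
            # lower threshold; the page only states the activation condition.
            active = rate > lower
        else:
            if not active and rate >= lower + upper:    # "reach 1020" with the defaults
                active = True
            elif active and rate < lower:               # "fall below 1000"
                active = False
        states.append(active)
    return states


def transitions(states):
    """Number of activate/deactivate flips in a state trace (a flapping measure)."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed per-second SYN counts hovering around the lower threshold.
NOISY_RATES = [990, 1010, 995, 1015, 1025, 1010, 990, 1005]
```

With the default thresholds the passive-mode trace flips twice on this series while the relay-mode trace flips five times, which is the stabilising effect of the upper threshold.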

    TCP Reassembler

    Ignore packets in TCP flows where a SYN hasn't been seen–Ignores the absence of SYN flags in TCP flows. This is enabled by default.

    Timeout for connected, idle TCP flows–Controls the number of seconds that the IDP system maintains connected (but idle) TCP flows. The default is 3600 seconds.

    Timeout for closed TCP flows–Controls the number of seconds that closed TCP flows are maintained in the flow table.

    When the IDP engine sees a RST packet or FIN/FIN+ACK packets on a TCP connection, it closes the connection flows. It drops any further packets for the closed flow, but does not delete existing, closed flows from the flow table.

    The default is 5 seconds.

    Timeout for CLOSE-WAIT/LAST-ACK TCP flows–Controls the number of seconds a connection is maintained while waiting for the final ACK.

    When a TCP connection closes, the IDP engine sees a FIN packet from each side of the connection followed by an ACK packet from each side of the connection. However, TCP does not guarantee delivery of the final ACK.

    To improve performance during heavy loads, decrease the timeout. Decreasing the timeout reduces the size of the flow table by closing connections sooner. The default is 120 seconds.

    Close flows as soon as a FIN is seen–Enables the IDP system to quickly close a TCP connection after receiving a FIN packet.

    When a TCP connection closes, the IDP engine sees a FIN packet from each side of the connection followed by an ACK packet from each side of the connection. However, TCP does not guarantee delivery of the final ACK.

    When enabled, the IDP system maintains a connection waiting for a final ACK for 5 seconds, then closes the connection. This is enabled by default and recommended.

    Traffic Signatures

    Byte threshold for suspicious flows–Specifies a threshold for what the IDP engine considers a small packet.

    A scan typically uses small packets to access its targets. You can exclude suspicious flows that contain large packets to prevent false positives when detecting scans.

    If the IDP engine sees more than this maximum, it does not consider the connection to be a scan. The default is 20 bytes.

    Reporting frequency when scan is in progress–Controls how often the IDP system generates "in progress" logs for a stealthy scan.

    Attackers can perform blatant scans very quickly, mapping your network in just a few seconds, but these scans typically trigger intrusion detection systems and leave evidence behind. Stealthy scans are performed over much longer time periods, lasting hours, days, or even weeks, making them more difficult to detect. The default is 30 seconds.

    The number of IP tracked for session rate–Controls the number of IP addresses tracked by the session rate counter. If the IDP engine sees more addresses than the maximum, it does not track the additional IP addresses. The default is 32,767 IP addresses.

    Modifying Load-Time Parameters

    Load-time parameters include options for tuning performance. In general, you modify these settings only if you encounter performance issues.

    Figure 4 shows the Load Time Parameters tab, where you can configure these settings.

    Figure 4: NSM Device Configuration Editor: Load Time Parameters Tab


    To modify parameters:

    1. In NSM Device Manager, double-click the IDP Series device you want to modify to display the device configuration editor.
    2. Click Sensor Settings.
    3. Click the Load Time Parameters tab.
    4. Configure parameters as described in Table 4.
    5. Click Apply.
    6. Click OK.

    Table 4: IDP Series Device Configuration: Load Time Parameters

    Setting–Guideline

    Flow table size–For improved performance, modify the flow table size to limit the size of the connection table. This setting should reflect the maximum number of concurrent flows you expect to have at any one time. A TCP connection has about two flows per session, and a UDP connection has about three flows per session. The default setting is 100,000 concurrent flows. If you change this value, you have to restart the IDP Series device.

    Enable application identification–The application identification feature is used to detect the session application regardless of port. We recommend you disable this feature only when troubleshooting.

    Maximum number of Application Identification sessions–Specifies the maximum number of sessions where application identification is in use. The default is 50,000. Valid values are 0 to 200,000. We recommend you tune this setting only if you encounter issues.

    Enable log suppression–Log suppression reduces the number of logs displayed in the Log Viewer by displaying a single record for multiple occurrences of the same event.

    Include destination IPs while performing log suppression–When log suppression is enabled, multiple occurrences of events with the same source IP, Service, and matching attack object generate a single log record with a count of occurrences. If you enable this option, log suppression combines log records for events with the same destination IP.

    Number of log occurrences after which log suppression begins–The number of identical log records received before suppression starts. The default is 1 (meaning log suppression begins with the first redundancy).

    Maximum number of logs that log suppression can operate on–When log suppression is enabled, the IDP system must cache log records so that it can identify when multiple occurrences of the same event occur. This number represents the number of log records cached for this purpose. The default is 16,384 log records.

    Time (seconds) after which suppressed logs will be reported–When log suppression is enabled, the IDP system maintains a count of multiple occurrences of the same event. This number represents the number of seconds that pass before reporting a single log entry that contains the count of occurrences. The default is 10 seconds.

    Note: If the reporting interval is set too high, log suppression can negatively impact performance.
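A model of the four log suppression settings in Table 4 working together, added as an example; it is not the IDP system's implementation. The sample events are constructed, and the exact cache-full and timer behaviour is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass
class LogEvent:
    time_s: float
    src_ip: str
    dst_ip: str
    service: str
    attack: str


@dataclass
class _Entry:
    seen: int = 0          # identical records received so far
    pending: int = 0       # suppressed occurrences not yet reported
    since: float = 0.0     # time the current pending window opened


class LogSuppressor:
    def __init__(self, threshold=1, max_cached=16_384, report_after_s=10.0, include_dst=False):
        self.threshold = threshold              # occurrences after which suppression begins
        self.max_cached = max_cached            # maximum number of logs suppression operates on
        self.report_after_s = report_after_s    # seconds after which suppressed logs are reported
        self.include_dst = include_dst          # include destination IPs in the match key
        self.cache = {}

    def _key(self, ev):
        key = (ev.src_ip, ev.service, ev.attack)
        return key + (ev.dst_ip,) if self.include_dst else key

    def _expire(self, now):
        """Emit one record with a count for every key whose reporting interval has elapsed."""
        out = []
        for key, e in self.cache.items():
            if e.pending and now - e.since >= self.report_after_s:
                out.append((now, key, e.pending))
                e.pending = 0
        return out

    def ingest(self, ev):
        """Feed one event; returns the log records emitted as a result (possibly none)."""
        out = self._expire(ev.time_s)
        key = self._key(ev)
        e = self.cache.get(key)
        if e is None:
            if len(self.cache) >= self.max_cached:
                out.append((ev.time_s, key, 1))   # assumption: cache full, record logged as-is
                return out
            e = self.cache[key] = _Entry()
        e.seen += 1
        if e.seen <= self.threshold:
            out.append((ev.time_s, key, 1))       # below the threshold: logged individually
        else:
            if e.pending == 0:
                e.since = ev.time_s
            e.pending += 1                        # suppressed, counted for the next report
        return out

    def flush(self, now):
        return self._expire(now)


# Constructed events (addresses are hypothetical; attack names are from this page).
SAMPLE_EVENTS = [
    LogEvent(0.0, "10.0.0.5", "10.1.1.10", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    LogEvent(1.0, "10.0.0.5", "10.1.1.10", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    LogEvent(2.0, "10.0.0.5", "10.1.1.11", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
    LogEvent(3.0, "10.0.0.5", "10.1.1.10", "HTTP", "HTTP:AUDIT:URL"),
    LogEvent(12.0, "10.0.0.5", "10.1.1.10", "HTTP", "HTTP:IIS:COMMAND-EXEC"),
]


def run(events, **settings):
    """Drive the suppressor over a list of events and drain the last pending counts."""
    s = LogSuppressor(**settings)
    emitted = []
    for ev in events:
        emitted += s.ingest(ev)
    emitted += s.flush(events[-1].time_s + s.report_after_s)
    return emitted
```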

    Modifying Protocol Anomaly Thresholds

    The protocol anomaly detection methods identify traffic that deviates from RFC specifications. In general, you modify protocol thresholds and configuration settings only if you encounter false positives or performance issues.

    Figure 5 shows the Protocol Thresholds and Configuration tab, where you can configure these settings.

    Figure 5: NSM Device Configuration Editor: Protocol Thresholds and Configuration Tab


    To tune protocol anomaly detection thresholds:

    1. In NSM Device Manager, double-click the IDP Series device you want to modify to display the device configuration editor.
    2. Click Sensor Settings.
    3. Click the Protocol Thresholds and Configuration tab.
    4. Complete the configuration for protocol thresholds as described in Table 5.
    5. Click Apply.
    6. Click OK.

    Table 5: IDP Series Device Configuration: Protocol Thresholds and Configuration Settings

    Setting–Description

    AIM

    Maximum header length–Detects a header containing more bytes than the specified maximum. The default is 10,000 bytes.

    Maximum type-length-value length–Detects an AIM/ICQ type-length-value (TLV) containing more bytes than the specified maximum. A TLV is a tuple used for passing typed information to the protocol. The default is 8,000 bytes.

    Maximum inter-client-message-block length–Detects an AIM/ICQ inter-client-message-block (ICMB) containing more bytes than the specified maximum. The default is 2,000 bytes.

    Maximum filename length–Detects an AIM/ICQ filename containing more bytes than the specified maximum. The default is 10,000 bytes.

    DHCP

    Check to see if the source port of client's packets is 68–Detects DHCP traffic that originates from a port other than 68. This setting is not enabled by default.

    DNS

    Report unknown DNS parameters (high noise)–Detects and reports unknown DNS parameters.

    You must also configure an IDP rulebase rule to detect DNS anomalies. This setting is not enabled by default.

    Report unexpected DNS parameters (high noise)–Detects and reports unexpected DNS parameters. This setting is not enabled by default.

    You must also configure an IDP rulebase rule to detect DNS anomalies.

    Maximum length of a DNS UDP packet–Detects a DNS UDP packet containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum number of pointer loops for name compression–The default is 8.

    Maximum size of an NXT resource record–Detects an NXT resource record in a DNS request or response message that is larger than the specified maximum size. The default is 4,096 bytes.

    This setting tunes the DNS_BIND_NXT_OVERFLOW protocol anomaly.

    Maximum time of a DNS cache–Controls the maximum amount of time for a DNS query and reply. The default is 60 seconds.

    Maximum size of a DNS cache–Controls the maximum number of DNS queries kept to match a reply. The default is 100 queries.

    Maximum number of logs in a session–The default is 128.

    FTP

    Maximum Line length–Detects an FTP line containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum Username length–Detects an FTP username containing more bytes than the specified maximum. The default is 32 bytes.

    Maximum Password length–Detects an FTP password containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Pathname length–Detects an FTP pathname containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Sitestring length–Detects an FTP site string containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum number of login failures per minute–Detects more FTP login failures in one minute than the specified maximum. The default is 4 FTP login failures per minute.

    GNUTELLA

    Maximum TTL hops–Detects a number of TTL hops that is higher than the specified maximum. The default is 8 TTL hops.

    Maximum line length–Detects, in a Gnutella connection, a line that contains more bytes than the specified maximum. The default is 2,048 bytes.

    Maximum query size–Detects a Gnutella client query that contains more bytes than the specified maximum. The default is 256 bytes.

    GOPHER

    Maximum line length–Detects, in a Gopher server-to-client connection, a line sent by a Gopher server to a client that contains more bytes than the specified maximum. The default is 512 bytes.

    Maximum hostname length–Detects, in a Gopher server-to-client connection, a hostname that contains more bytes than the specified maximum. The default is 64 bytes.

    HTTP

    Maximum Request length–Detects an HTTP request that contains more bytes than the specified maximum. The default is 8,192 bytes.

    Maximum Header length–Detects an HTTP header that contains more bytes than the specified maximum. The default is 8,192 bytes.

    Maximum Cookie length–Detects a cookie that contains more bytes than the specified maximum. The default is 8,192 bytes.

    Cookies that exceed the cookie length setting can match the HTTP: Cookie Overflow protocol anomaly and produce unnecessary log records. If you are getting too many log records for the HTTP: Cookie Overflow protocol anomaly, increase the maximum cookie length.

    Maximum Authorization length–Detects an HTTP header authorization line that contains more bytes than the specified maximum. The default is 512 bytes.

    Use this setting to tune results matching the HTTP:OVERFLOW:AUTH-OVFLW protocol anomaly.

    Maximum Content-type length–Detects an HTTP header content-type that contains more bytes than the specified maximum. The default is 512 bytes.

    Maximum User-agent length–Detects an HTTP header user-agent that contains more bytes than the specified maximum. The default is 512 bytes.

    Maximum Host length–Detects an HTTP header host that contains more bytes than the specified maximum. The default is 256 bytes.

    Maximum Referrer length–Detects an HTTP header referrer that contains more bytes than the specified maximum. The default is 8,192 bytes.

    Use alternate ports as http service–Detects HTTP traffic on the following ports in addition to tcp/80: 7001; 8000; 8001; 8100; 8200; 8080; 8888; 9080. This setting is enabled by default.

    Note: In IDP OS Release 5.0 and later, this setting is no longer functional. The IDP engine now automatically detects HTTP traffic over any port.

    Maximum number of login failures per-minute–Detects login failures more frequent than the specified maximum. The default is 5 HTTP authentication failures per minute.

    This setting tunes the HTTP: Brute Force Login Attempt protocol anomaly.

    Maximum number of 301/403/404 or 405 errors per-minute–Detects 301/403/404/405 errors that occur more frequently than the specified maximum. The default is 16 HTTP errors per minute.

    ICMP

    Maximum Packets per second to trigger a flood–Raises a protocol anomaly if the IDP engine detects more ICMP packets than the specified maximum. The default is 250 packets per second.

    Minimum time interval (in seconds) between packets–Detects ICMP packets that have less than the specified minimum time interval between them. The default is 1 second.

    Use this setting to tune the ICMP:EXPLOIT:FLOOD protocol anomaly.

    IDENT

    Maximum requests per session–Detects more IDENT (identification protocol) requests than the specified maximum. The default is 1 request per session.

    This setting tunes the IDENT: Too Many Requests protocol anomaly.

    Maximum Request length–Detects an IDENT request containing more bytes than the specified maximum. The default is 15 bytes.

    This setting tunes the IDENT: Request Too Long protocol anomaly.

    Maximum Reply length–Detects an IDENT reply containing more bytes than the specified maximum. The default is 128 bytes.

    This setting tunes the IDENT: Reply Too Long protocol anomaly.

    IKE

    Maximum number of payloads in an IKE message–Detects an IKE message with a number of payloads larger than the specified maximum. The default is 57 payloads.

    This setting tunes the IKE: Too Many Payloads protocol anomaly.

    IMAP

    Maximum line length–Detects an IMAP line containing more bytes than the maximum. The default is 2,048 bytes.

    Maximum Username length–Detects an IMAP username containing more bytes than the maximum. The default is 64 bytes.

    Maximum Password length–Detects an IMAP password containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Mailbox length–Detects an IMAP mailbox containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Reference length–Detects an IMAP reference containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Flag length–Detects an IMAP flag containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Literal length–Detects a literal with more octets than the specified maximum. In IMAP4 protocol, a string can be in one of two forms: literal and quoted. As defined in RFC 2060 4.3, a literal is a sequence of zero or more octets (including CR and LF), prefix-quoted with an octet count in the form of an open brace ("{"), the number of octets, close brace ("}"), and CRLF. Valid range is 1 to 16,777,215. The default is 1,048,576 bytes.

    This setting tunes the IMAP: Literal Length Overflow protocol anomaly.
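    As an added illustration (not code from Juniper or the IDP product) of the literal form described above, the Python below recognizes the `{count}CRLF` prefix at the end of an IMAP command line, compares the declared octet count against the threshold, and skips exactly that many octets of body so that data inside a literal is never parsed as a command. It also accepts the `{count+}` non-synchronizing form from RFC 2088, which the page does not mention; the sample stream, the anomaly string and the function names are constructed for this example.

```python
import re

# Device defaults stated on the page; the setting's valid range is 1 to 16,777,215.
MAX_LITERAL_DEFAULT = 1_048_576
LITERAL_RANGE = (1, 16_777_215)

# RFC 2060 4.3 literal prefix at the end of a command line: "{" octet-count "}" CRLF.
# The optional "+" (RFC 2088 LITERAL+, not discussed on the page) is accepted so
# that non-synchronizing literals are counted the same way.
_LITERAL_RE = re.compile(rb"\{(\d+)\+?\}\r\n$")


def check_imap_literal(line: bytes, max_literal: int = MAX_LITERAL_DEFAULT):
    """Inspect one IMAP line for a literal prefix.

    Returns (declared_octets, anomaly): declared_octets is None when the line
    ends with no literal prefix; anomaly is the page's anomaly name when the
    declared count exceeds max_literal, else None.
    """
    if not LITERAL_RANGE[0] <= max_literal <= LITERAL_RANGE[1]:
        raise ValueError("max_literal must be between 1 and 16,777,215")
    m = _LITERAL_RE.search(line)
    if m is None:
        return None, None
    declared = int(m.group(1))
    if declared > max_literal:
        return declared, "IMAP: Literal Length Overflow"
    return declared, None


def scan_imap_stream(data: bytes, max_literal: int = MAX_LITERAL_DEFAULT):
    """Walk a client-to-server byte stream line by line.

    The octets that follow a literal prefix are opaque data (they may contain
    CRLF and anything that looks like a command), so the scanner skips exactly
    the declared count before looking for the next line. Returns a list of
    (line, declared_octets, anomaly) for every overflowing literal.
    """
    hits = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n", pos)
        if end < 0:          # incomplete trailing line: wait for more data
            break
        line = data[pos:end + 2]
        pos = end + 2
        declared, anomaly = check_imap_literal(line, max_literal)
        if anomaly is not None:
            hits.append((line, declared, anomaly))
        if declared is not None:
            pos += declared  # skip the literal body without parsing it
    return hits


if __name__ == "__main__":
    # Constructed sample: a well-formed APPEND with a 5-octet literal, then an
    # APPEND that announces a literal far above the default threshold.
    sample = (b"A001 APPEND INBOX {5}\r\nhello\r\n"
              b"A002 APPEND INBOX {2000000}\r\n")
    for line, declared, anomaly in scan_imap_stream(sample):
        print(anomaly, declared, line)
```

    The skip-by-count step is the reason the threshold exists: an inspection engine has to buffer or pass through as many octets as the client announces, so a huge declared count is both a resource-exhaustion risk for the engine and a sign of a malformed client.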

    Maximum number of login failures per minute–Detects a brute force protocol anomaly if the IDP engine detects more login failures than the maximum. The default is 4 IMAP login failures per minute.

    This setting tunes the IMAP: Brute Force Login Attempt protocol anomaly.

    IRC

    Maximum Password length–Detects an Internet Relay Chat (IRC) password containing more bytes than the specified maximum. The default is 16 bytes.

    Maximum Username length–Detects an IRC username containing more bytes than the specified maximum. The default is 16 bytes.

    Maximum Channel length–Detects an IRC channel name containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Nickname length–Detects an IRC nickname containing more bytes than the specified maximum. The default is 16 bytes.

    LDAP

    Maximum length of integer representation in BER encoding–Detects an integer field of the LDAP BER containing more bytes than the specified maximum. The default is 4 bytes.

    Maximum number of left zeros for tag in BER encoding–Detects more left zeros in any tag in LDAP BER encoding than the specified maximum. The default is 4 left zeros.

    Maximum value of any LDAP tag in BER encoding–Detects a tag number in the LDAP BER encoding that is greater than the specified maximum. LDAP tags are represented using 1 byte, with the top 3 bits reserved, leaving 5 bits for the tag number. The default is 31.

    Maximum number of left zeros for length in BER encoding–Detects more left zeros in any length field in LDAP BER encoding than the specified maximum. The default is 64 left zeros.

    Maximum number of search results requested by LDAP client–Detects an LDAP client request for more matching entries than the specified maximum. The default is 0 (indicating no limit).

    Maximum timelimit for search result requested by LDAP client–Detects a time limit greater than the specified maximum. The time limit is the number of seconds before a client request times out waiting for a response from the server. The default is 0 (indicating no limit).

    Maximum length of an LDAP Attribute Descriptor–Detects an attribute descriptor field in an LDAP message containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum length of an LDAP Distinguished Name–Detects a distinguished name field in an LDAP message containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum value of Message id in any LDAP Message–Detects a message ID greater than the specified maximum. The default is 2,147,483,647.

    Maximum length of an LDAP message–Detects an LDAP message, to be processed by the LDAP subsystem, that is larger than the specified maximum. The default is 8,100 bytes.

    This setting tunes the LDAP: Message Too Long protocol anomaly.
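    The BER-level thresholds above (integer length, left zeros in tags and lengths, maximum tag value, maximum message ID and maximum message length) all come down to decoding one identifier-and-length header and looking at how it was encoded. The Python below is an added example, not Juniper's decoder: it parses a BER header, counts the padding digits that add no value, decodes a universal INTEGER, and applies the page's defaults to the outer SEQUENCE and messageID of an LDAPMessage (the RFC 4511 layout, which the page does not cite). The anomaly labels and sample bytes are constructed for the example.

```python
# Threshold defaults as stated on the page.
MAX_INT_LEN = 4             # integer representation, bytes
MAX_TAG_LEFT_ZEROS = 4      # padding digits in a high-tag-number tag
MAX_TAG_VALUE = 31          # tag number
MAX_LEN_LEFT_ZEROS = 64     # leading zero bytes in a long-form length
MAX_MESSAGE_ID = 2_147_483_647
MAX_MESSAGE_LEN = 8_100     # bytes, whole LDAPMessage

UNIVERSAL_INTEGER = 2
UNIVERSAL_SEQUENCE = 16


def parse_ber_header(buf, offset=0, *, max_tag=MAX_TAG_VALUE,
                     max_tag_left_zeros=MAX_TAG_LEFT_ZEROS,
                     max_len_left_zeros=MAX_LEN_LEFT_ZEROS):
    """Decode one BER identifier and length starting at buf[offset].

    Returns a dict with class, constructed flag, tag number, content length,
    header size and the list of threshold anomalies the header triggered.
    """
    anomalies = []
    try:
        first = buf[offset]
        pos = offset + 1
        tag = first & 0x1F                     # low 5 bits; top 3 are class/form
        if tag == 0x1F:
            # High-tag-number form: base-128 digits, bit 7 set on all but the
            # last. Leading 0x80 digits add nothing to the value ("left zeros").
            tag, zeros, leading = 0, 0, True
            while True:
                b = buf[pos]
                pos += 1
                if leading and (b & 0x7F) == 0:
                    zeros += 1
                else:
                    leading = False
                tag = (tag << 7) | (b & 0x7F)
                if not b & 0x80:
                    break
            if zeros > max_tag_left_zeros:
                anomalies.append("tag-left-zeros")
        if tag > max_tag:
            anomalies.append("tag-too-large")
        lb = buf[pos]
        pos += 1
        if lb < 0x80:                          # short form
            length = lb
        else:                                  # long form: count byte + length bytes
            n = lb & 0x7F
            if n == 0:
                raise ValueError("indefinite length is not allowed in LDAP")
            raw = buf[pos:pos + n]
            if len(raw) != n:
                raise ValueError("truncated length field")
            pos += n
            zeros = len(raw) - len(raw.lstrip(b"\x00"))   # non-minimal encoding
            if zeros > max_len_left_zeros:
                anomalies.append("length-left-zeros")
            length = int.from_bytes(raw, "big")
    except IndexError:
        raise ValueError("truncated BER header") from None
    return {"class": first >> 6, "constructed": bool(first & 0x20), "tag": tag,
            "length": length, "header_len": pos - offset, "anomalies": anomalies}


def check_ber_integer(buf, offset=0, *, max_int_len=MAX_INT_LEN, max_value=None):
    """Decode a universal INTEGER; flag over-long encodings and over-range values."""
    hdr = parse_ber_header(buf, offset)
    if hdr["class"] != 0 or hdr["tag"] != UNIVERSAL_INTEGER:
        raise ValueError("not a universal INTEGER")
    start = offset + hdr["header_len"]
    raw = buf[start:start + hdr["length"]]
    if len(raw) != hdr["length"]:
        raise ValueError("truncated integer contents")
    anomalies = list(hdr["anomalies"])
    if hdr["length"] > max_int_len:
        anomalies.append("integer-too-long")
    value = int.from_bytes(raw, "big", signed=True)
    if max_value is not None and value > max_value:
        anomalies.append("value-too-large")
    return value, anomalies


def check_ldap_message(buf):
    """Outer-SEQUENCE and messageID checks for one LDAPMessage."""
    hdr = parse_ber_header(buf)
    if hdr["class"] != 0 or hdr["tag"] != UNIVERSAL_SEQUENCE or not hdr["constructed"]:
        raise ValueError("LDAPMessage must be a constructed SEQUENCE")
    anomalies = list(hdr["anomalies"])
    if hdr["header_len"] + hdr["length"] > MAX_MESSAGE_LEN:
        anomalies.append("LDAP: Message Too Long")
    msg_id, id_anomalies = check_ber_integer(buf, hdr["header_len"], max_value=MAX_MESSAGE_ID)
    return msg_id, anomalies + id_anomalies
```

    A length such as `84 00 00 00 05` is legal BER for 5 but is not the minimal encoding, and a messageID carried in five bytes exceeds both the 4-byte integer limit and the 2,147,483,647 value limit; both are the kinds of malformed-but-parseable input these thresholds are meant to surface.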

    Maximum number of nested operators in an LDAP search request–Detects more nested levels in an LDAP search request filter argument than the specified maximum. The default is 8 nested operators.

    Maximum Number of Login Failures Per Minute–Detects a brute force protocol anomaly if the IDP engine detects more login failures than the maximum. The default is 4 LDAP login failures per minute.

    This setting tunes the LDAP: Brute Force Login Attempt protocol anomaly.

    LPR

    Maximum Sub-command length in RECEIVE-JOB Command–Detects in a Line Printer Protocol (LPR) control file a subcommand line containing more bytes than the specified maximum. LPR is a TCP-based print server protocol used by line printer daemons (client and server) to communicate over networks. An LPR client uses the LPR protocol to send a print command to an LPR server (a line printer) at TCP/515. After the print command is received by the server, the client can issue subcommands to the server and send control and data files. Control files tell the line printer which functions to perform when printing the file; data files carry the payload. The default is 256 bytes.

    Maximum Reply length from server–Detects an LPR control filename containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum Control filename length–Detects an LPR control filename containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Data filename length–Detects a data filename containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Control file size–Detects an LPR control file size greater than the specified maximum. The default is 1,024 bytes.

    Maximum Data file size–Detects an LPR data file size greater than the specified maximum. The default is 65,535 bytes.

    Maximum Banner string length–Detects an LPR banner string containing more bytes than the specified maximum. A banner string is typically the filename of the print job. The default is 32 bytes.

    Maximum E-mail length–Detects an LPR control file e-mail address containing more bytes than the specified maximum. After the file has printed, it is sent to the e-mail address specified in the control file. The default is 32 bytes.

    Maximum Symbolic link length–Detects in an LPR control file a symbolic link containing more bytes than the specified maximum. A symbolic link is a file that points to another file (entry) in a UNIX file system, but does not contain the data in the target file. When the LPR protocol receives a symbolic link command in a control file, it records the symbolic link data for the print job filename to prevent directory entry changes from reprinting the file. The default maximum is 128 bytes.

    Maximum font length–Detects in an LPR control file a font name containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum filename length for format related sub commands–Detects in an LPR control file a format-related filename containing more bytes than the specified maximum. The default is 32 bytes.

    MSN

    Maximum Username length–Detects an MSN (Microsoft Instant Messaging) username containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum Display name length–Detects an MSN display name containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum Group name length–Detects an MSN group name containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum User state length–Detects an MSN user state containing more bytes than the specified maximum. A user state is a three-letter code that indicates the status of the user's connection (online, offline, idle, and the like). The default is 10 bytes.

    Maximum Phone number length–Detects a phone number containing more bytes than the specified maximum. The default is 20 bytes.

    Maximum Length of IP:port–Detects an IP:port parameter containing more bytes than the specified maximum. An IP:port parameter indicates the IP address and port number of the MSN server for a switchboard session. The default is 30 bytes.

    Maximum URL length–Detects a URL containing more bytes than the specified maximum. The default is 1,024 bytes.

    MSRPC

    Maximum fragment length in MSRPC message–Detects an MSRPC (Microsoft Remote Procedure Call) message with a fragment length greater than the specified maximum. The default is 8,192.

    Maximum tower data length in endpoint mapper messages–Detects an endpoint mapper message with a tower data length greater than the specified maximum. The default is 8,192.

    Maximum number of entries in an insert message–Detects an MSRPC insert message with more entries than the specified maximum. The default is 100 entries.

    NFS

    Maximum name length–Detects an NFS packet name containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum path length–Detects an NFS packet pathname containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum buffer length for read/write–Detects an NFS read/write buffer larger than the specified maximum. The default is 32,768 bytes.

    NTP

    Minimum time (in seconds) between two requests–Detects that the time between two client-to-server NTP requests is greater than the specified maximum. Valid values range from 64 to 1024 seconds. The default is 0 seconds (which turns the feature off).

    Maximum length for NTPv3 message–Detects an NTPv3 message containing more bytes than the specified maximum. The default is 68 bytes.

    Maximum length for NTPv4 message–Detects an NTPv4 message containing more bytes than the specified maximum. The default is 68 bytes.

    Maximum stratum value for any NTP peer–Detects a stratum value larger than the specified maximum. The default is 15 bytes.

    Maximum time since last update of Reference clock–Detects that the NTP reference clock has not been updated in more time than the specified maximum. The default is 86,400 seconds.

    Match timestamps on NTP request and response–Enables the IDP engine to perform timestamp matching on client requests and server responses. With this setting enabled, the IDP engine expects the server response original timestamp to match the client request transmit timestamp; otherwise it considers the packet a possible protocol anomaly. This setting is enabled by default.

    Maximum Authorization field length in NTP control message–Detects that the length of the Authentication field in an NTP control message is larger than the specified maximum. The default is 20 bytes.

    Maximum length of any NTP control variable–Detects that the length of the NTP control data variable name is larger than the specified maximum. The default is 128 bytes.

    Maximum length of any NTP variable value–Detects that the length of any NTP control data variable value is larger than the specified maximum. The default is 255 bytes.

    Maximum length of buffer to store between control packets–Detects that the buffer used to store NTP control messages is greater than the specified maximum. NTP control messages can be split across multiple UDP packets. The default is 255 bytes.

    Maximum time for an NTP Symmetric passive association to dissolve–Specifies the duration in seconds after which the IDP engine considers an NTP symmetric passive association as expired. A symmetric passive association between two NTP peers must be dissolved after sending one reply. The default is 900 seconds.
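    The NTP settings above reduce to a few header-field checks on a request/response pair: total length against the 68-byte default, stratum against 15, the server's originate timestamp against the client's transmit timestamp, and the age of the server's reference clock against 86,400 seconds. The Python below is an added example rather than Juniper's implementation: it packs and unpacks the 48-byte NTP header with the standard library, builds a constructed request and response, and reports which of those checks fail. The anomaly strings and the `build_ntp` helper are constructed for the example; how the device itself represents these checks is not described on the page.

```python
import struct

# Page defaults: message length (v3 and v4), stratum, reference-clock age.
MAX_NTP_MESSAGE = 68
MAX_STRATUM = 15
MAX_REFCLOCK_AGE = 86_400   # seconds

# 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps
# (reference, originate, receive, transmit).
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")


def build_ntp(*, version=4, mode=3, stratum=0, ref=0, orig=0, recv=0,
              xmit=0, extra=b""):
    """Construct an NTP packet (sample data for the checks below)."""
    first = (version << 3) | mode          # leap indicator 0
    return NTP_HEADER.pack(first, stratum, 6, -20, 0, 0, b"\0\0\0\0",
                           ref, orig, recv, xmit) + extra


def parse_ntp(pkt):
    """Unpack the fields the checks need from one NTP packet."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     ref, orig, recv, xmit) = NTP_HEADER.unpack_from(pkt)
    return {"version": (first >> 3) & 7, "mode": first & 7, "stratum": stratum,
            "ref": ref, "orig": orig, "recv": recv, "xmit": xmit,
            "length": len(pkt)}


def ntp_seconds(ts):
    """Integer seconds of a 64-bit NTP timestamp (the upper 32 bits)."""
    return ts >> 32


def check_ntp_exchange(request, response, *, max_len=MAX_NTP_MESSAGE,
                       max_stratum=MAX_STRATUM, max_ref_age=MAX_REFCLOCK_AGE,
                       match_timestamps=True):
    """Apply the page's NTP thresholds to a client request and its server reply."""
    anomalies = []
    req, rsp = parse_ntp(request), parse_ntp(response)
    for name, p in (("request", req), ("response", rsp)):
        if p["length"] > max_len:
            anomalies.append(f"{name}: message too long ({p['length']} > {max_len})")
        if p["stratum"] > max_stratum:
            anomalies.append(f"{name}: stratum {p['stratum']} above maximum")
    # "Match timestamps on NTP request and response": the reply's originate
    # timestamp must echo the request's transmit timestamp.
    if match_timestamps and rsp["orig"] != req["xmit"]:
        anomalies.append("response originate timestamp does not match "
                         "request transmit timestamp")
    # Reference clock age: transmit time minus reference-update time.
    if rsp["ref"] and ntp_seconds(rsp["xmit"]) - ntp_seconds(rsp["ref"]) > max_ref_age:
        anomalies.append("server reference clock not updated within maximum interval")
    return anomalies


if __name__ == "__main__":
    # Constructed exchange: client transmit T1, server replies with orig = T1.
    T1 = (3_900_000_000 << 32) | 0x1234
    T2 = 3_900_000_001 << 32
    req = build_ntp(mode=3, xmit=T1)
    rsp = build_ntp(mode=4, stratum=2, ref=(3_900_000_000 - 100) << 32,
                    orig=T1, recv=T2, xmit=T2)
    print(check_ntp_exchange(req, rsp) or "no anomalies")
```

    The timestamp match is what ties a reply to the request that produced it; a reply whose originate field carries some other value is either unsolicited or was answered for a different query, which is why the page treats it as a possible anomaly.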

    POP3

    Maximum Line length–Detects a POP3 line containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Username length–Detects a POP3 username containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Password length–Detects a POP3 password containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum APOP length–Detects an APOP containing more bytes than the specified maximum. The default is 100 bytes.

    Maximum message number–Detects a POP3 message number that is higher than the specified maximum. The default is 1,000,000.

    Maximum Number of Login Failures Per Minute–Raises a brute force protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 POP3 login failures per minute.

    This setting tunes the POP3: Brute Force Login Attempt protocol anomaly.

    RADIUS

    Maximum Number of Authenticated Failures Per Minute–Raises a brute force protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 RADIUS login failures per minute.

    This setting tunes the RADIUS: Brute Force protocol anomaly.

    SIP

    Max Forwards Threshold–Detects if the value in the Max-Forwards header field is greater than the specified value. The default is 70.

    SMB

    Maximum registry key length–Detects an SMB registry key containing more bytes than the specified maximum. The default is 8,192 bytes.

    Maximum Number of Login Failures Per Minute–Raises a brute force protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 SMB login failures per minute.

    This setting tunes the SMB: Brute Force Login Attempt protocol anomaly.

    SMTP

    Maximum Number of mail recipients–Detects an SMTP message containing more recipients than the specified maximum. The default is 100 recipients.

    Maximum Username length in RCPT and MAIL–Detects an SMTP message with a username containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum Domain name length in RCPT and MAIL–Detects an SMTP message with a domain name containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Path length in RCPT and MAIL–Detects an SMTP message with a pathname containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum Command line length (before DATA)–Detects an SMTP message with a command-line entry containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum Reply line length from server (default)–Detects an SMTP message with a reply line from the server containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Text line length (after DATA)–Detects an SMTP text line containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum number of nested mime multi-part attachments–Detects more nested attachments than the specified maximum. The default is 4 nested mime multi-part attachments.

    Maximum number of base-64 bytes to decode–Detects more bytes of encoded mime data than the specified maximum. The default is 64 bytes.

    Maximum length of the value for content-type's name attribute–Detects a name attribute in the content-type header containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum length of the value for the content-disposition's filename attribute–Detects a filename attribute in the content-disposition header containing more bytes than the specified maximum. The default is 128 bytes.

    Look for email headers in message data–Controls whether the IDP engine looks for e-mail headers in the message data, which can occur when a bounced e-mail contains an attachment. This setting is not enabled by default.

    SYSLOG

    Validate RFC-3164 compliant timestamp format–Raises a protocol anomaly if the timestamp in syslog traffic is not compliant with RFC 3164. This setting is not enabled by default.

    TELNET

    Maximum Number of Login Failures Per Minute–Raises a brute force protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 Telnet login failures per minute.

    This setting tunes the Telnet: Brute Force Login Attempt protocol anomaly.

    TFTP

    Maximum filename length–Detects a filename containing more bytes than the specified maximum. The default is 128 bytes.

    VNC

    Maximum Reason string length–Detects a VNC (Virtual Network Computing) reason string length greater than the specified maximum. A reason string contains the text that describes why a connection between a VNC server and client failed. The default is 512 bytes.

    Maximum Display name length–Detects a VNC display name containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum cut text length–Detects a VNC cut text buffer containing more bytes than the specified maximum. The default is 4,096 bytes.

    Verify message after the initial handshake–Enables the IDP engine to verify VNC connections after the initial handshake. This setting is not enabled by default.

    Maximum Number of Login Failures Per Minute–Raises a brute force protocol anomaly if the IDP engine detects more login failures than the specified maximum. The default is 4 VNC login failures per minute.

    This setting tunes the VNC: Brute Force Login Attempt protocol anomaly.
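    The "maximum number of login failures per minute" settings for FTP, HTTP, IMAP, LDAP, POP3, RADIUS, SMB, Telnet and VNC above all describe the same detection: count failed logins for a client over one minute and raise the brute force anomaly on the failure that exceeds the maximum. The Python below is an added example of that logic, not Juniper's code, using the per-protocol defaults stated on the page. It uses a sliding 60-second window tracked per (protocol, client); the page says only "per minute", so whether the device uses a sliding or a fixed window is an assumption here. The log line format, the client addresses and the function names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Per-protocol defaults for "maximum login failures per minute" as stated on
# the page; the anomaly fires on the failure that exceeds the maximum.
DEFAULT_MAX_PER_MINUTE = {"ftp": 4, "http": 5, "imap": 4, "ldap": 4, "pop3": 4,
                          "radius": 4, "smb": 4, "telnet": 4, "vnc": 4}
WINDOW_SECONDS = 60.0


class LoginFailureMonitor:
    """Sliding one-minute window of failed logins, tracked per (protocol, client).

    The sliding window is an assumption of this example; the page only states
    the per-minute threshold, not how the device bounds the minute.
    """

    def __init__(self, limits=None, window=WINDOW_SECONDS):
        self.limits = dict(DEFAULT_MAX_PER_MINUTE if limits is None else limits)
        self.window = window
        self._events = defaultdict(deque)   # key -> timestamps of recent failures

    def record_failure(self, protocol, client, ts):
        """Record one failure at epoch time ts.

        Returns True when the count in the trailing window exceeds the
        protocol's maximum, i.e. the anomaly condition.
        """
        limit = self.limits.get(protocol)
        if limit is None:
            return False                    # protocol without a threshold
        q = self._events[(protocol, client)]
        while q and ts - q[0] >= self.window:
            q.popleft()                     # drop failures older than one minute
        q.append(ts)
        return len(q) > limit


def scan_log(lines, monitor=None):
    """Feed constructed log lines through the monitor.

    Expected form: '<ISO-8601 UTC time> <protocol> <client-ip> LOGIN FAIL'.
    Returns the (protocol, client, time) tuples at which an anomaly fired.
    """
    monitor = monitor or LoginFailureMonitor()
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3:] != ["LOGIN", "FAIL"]:
            continue                        # successes and unrelated lines
        when, proto, client = parts[0], parts[1].lower(), parts[2]
        ts = datetime.fromisoformat(when).replace(tzinfo=timezone.utc).timestamp()
        if monitor.record_failure(proto, client, ts):
            alerts.append((proto, client, when))
    return alerts


# Constructed sample: five FTP failures from one client inside a minute (the
# fifth exceeds the default of 4), one from another client, and one more after
# the window has slid far enough that only the last earlier failure remains.
SAMPLE_LOG = [
    "2024-01-01T00:00:00 ftp 10.0.0.5 LOGIN FAIL",
    "2024-01-01T00:00:10 ftp 10.0.0.5 LOGIN FAIL",
    "2024-01-01T00:00:20 ftp 10.0.0.5 LOGIN FAIL",
    "2024-01-01T00:00:25 ftp 10.0.0.5 LOGIN OK",
    "2024-01-01T00:00:30 ftp 10.0.0.5 LOGIN FAIL",
    "2024-01-01T00:00:40 ftp 10.0.0.5 LOGIN FAIL",
    "2024-01-01T00:00:41 ftp 10.0.0.6 LOGIN FAIL",
    "2024-01-01T00:01:30 ftp 10.0.0.5 LOGIN FAIL",
]

if __name__ == "__main__":
    for proto, client, when in scan_log(SAMPLE_LOG):
        print(f"{when} {proto}: Brute Force Login Attempt from {client}")
```

    Raising the threshold, as the page suggests for noisy protocols, only changes `limits`; the per-client keying is what keeps one busy client from suppressing or inflating counts for others behind the same device.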

    WHOIS

    Maximum Request length–Detects a WHOIS request containing more bytes than the specified maximum. The default is 128 bytes.

    YMSG

    Maximum Message length–Detects a Yahoo! Messenger message with a header that indicates more bytes for the total message than the specified maximum. The default is 8,192 bytes.

    Maximum Username length–Detects a Yahoo! Messenger username containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum Groupname length–Detects a Yahoo! Messenger group name containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum Crypt length–Detects a Yahoo! Messenger encrypted password containing more bytes than the specified maximum. The default is 124 bytes.

    Maximum Instant message length–Detects a Yahoo! Messenger message containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum Activity string length–Detects a Yahoo! Messenger activity data type containing more bytes than the specified maximum. The default is 8,000 bytes.

    Maximum Challenge length–Detects a Yahoo! Messenger challenge containing more bytes than the specified maximum. The default is 15 bytes.

    Maximum Cookie length–Detects a Yahoo! Messenger cookie containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum URL length–Detects a Yahoo! Messenger Web Name containing more bytes than the specified maximum. The default is 400 bytes.

    Maximum Conference message length–Detects a Yahoo! Messenger join conference message containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum Conference name length–Detects a Yahoo! Messenger conference name containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum E-mail length–Detects a Yahoo! Messenger new e-mail alert containing an e-mail that has more bytes than the specified maximum. The default is 84 bytes.

    Maximum E-mail subject length–Detects a Yahoo! Messenger e-mail subject line containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum Filename length–Detects a Yahoo! Messenger file transfer containing a filename that has more bytes than the specified maximum. The default is 1,000 bytes.

    Maximum Chatroom name length–Detects a Yahoo! Messenger chat room name containing more bytes than the specified maximum. The default is 1,024 bytes.

    Maximum Chatroom message length–Detects a Yahoo! Messenger chat room message containing more bytes than the specified maximum. The default is 2,000 bytes.

    Maximum buddy list length–Detects a Yahoo! Messenger buddy list containing more bytes than the specified maximum. The default is 8,000 bytes.

    Maximum webcam key length–Detects a Yahoo! Messenger Webcam key containing more bytes than the specified maximum. The default is 124 bytes.


    Published: 2012-03-21