Configuring Network Honeypot Rulebase Rules (NSM Procedure)
The Network Honeypot rulebase detects reconnaissance activity: the IDP Series device impersonates a destination server and service that you specify, so a scanner probing that address sees an open port and the probe is logged. For background on the Network Honeypot rulebase, see the IDP Series Concepts and Examples Guide.
Figure 1 shows the Network Honeypot rulebase in the NSM security policy editor, where you can modify Network Honeypot rules. Table 1 describes the rule settings you can modify.
Figure 1: NSM Security Policy Editor: Network Honeypot Rulebase

To create Network Honeypot rulebase rules:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select the security policy to which you want to add Network Honeypot rulebase rules.
- Add the Network Honeypot rulebase by clicking the + icon in the upper right region of the policy viewer and selecting Add Network Honeypot Rulebase.
- Add a rule by clicking the + icon within the rules viewer.
- Set each rule property by right-clicking the table cell for that property and making your selection (Table 1 describes the properties).
- Click OK to save your changes.
Table 1: Network Honeypot Rulebase Rule Properties
Setting | Function |
---|---|
No. | Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection. |
Match | Sets match criteria for source, destination, and service. |
Source Address | Sets match criteria for source IP addresses or network objects. |
Impersonate | Sets match criteria for the destination server and service you want to impersonate. |
Operation | Ignore: Turns off the network honeypot for traffic that matches the rule. Impersonate: Turns on the network honeypot. The IDP system answers TCP connection requests to the impersonated server and service with a TCP SYN/ACK, so the scanner sees the port as open. |
IP Action | Sets IP block, close, or notify actions. |
Notification | Sets logging and packet capture settings. |
VLAN Tag | Sets match criteria for VLAN tags. |
Severity | Sets severity ratings. |
Install On | Specifies target IDP Series devices for the rule. By default, IDP security policy rules can be applied to any IDP Series device. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP Series devices to which the rule can be installed. |
Comments | Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule. Comments do not affect the functionality of the security policy rule. |
Note: The IDP Series device drops MPLS traffic that matches a Network Honeypot rule. When the IDP engine processes MPLS traffic, it stores the MPLS label information. It stores separate labels for client-to-server and server-to-client communication. In the case of traffic that matches Network Honeypot rules, there is no genuine server-to-client communication, so the IDP engine does not have server-to-client MPLS label information. Therefore, the impersonation operation cannot be supported.
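The following is an added example, not Juniper code and not part of the NSM or IDP Series product, that reproduces in userland what the Impersonate operation and IP Action settings above do: a listener on an otherwise unused port makes the kernel answer every SYN with SYN/ACK (so a scanner reports the port as open), each completed handshake is recorded with its source, no data is ever sent back, and a source that keeps probing is added to a block list after a threshold of hits. The class and function names, the threshold, and the event record layout are assumptions chosen for the example; the probe() helper plays the scanner so the whole thing runs on loopback.

```python
import socket
import threading
import time
from collections import defaultdict


class ImpersonationHoneypot:
    """Userland analogue of the Impersonate operation (example code).

    Binding a listener on a port that no real service uses makes the kernel
    answer each SYN with SYN/ACK, so a scanner sees the port as open and the
    probe is recorded. The connection is closed at once without sending any
    data, so there is no banner for the scanner to fingerprint. A source that
    crosses block_threshold probes is added to a block list, standing in for
    the rule's IP Action setting (threshold and record layout are assumptions).
    """

    def __init__(self, host="127.0.0.1", port=0, block_threshold=3):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port=0: let the OS pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)      # lets the accept loop notice stop()
        self.host, self.port = self.sock.getsockname()[:2]
        self.block_threshold = block_threshold
        self.events = []               # one record per accepted probe
        self.hits = defaultdict(int)   # probes seen per source IP
        self.blocked = set()           # sources that crossed the threshold
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn, self._lock:
                self.hits[src_ip] += 1
                if self.hits[src_ip] >= self.block_threshold:
                    self.blocked.add(src_ip)
                    action = "block"
                else:
                    action = "notify"
                self.events.append({
                    "time": time.time(),
                    "src": f"{src_ip}:{src_port}",
                    "dst_port": self.port,
                    "action": action,
                })
            # leaving the 'with' closes conn: handshake done, nothing sent back

    def wait_for(self, n, timeout=2.0):
        """Block until at least n probes have been recorded; False on timeout."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.01)
        return False


def probe(host, port, timeout=1.0):
    """Act as the scanner: True if the TCP handshake completes, i.e. the
    target answered SYN with SYN/ACK and the port looks 'open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    hp = ImpersonationHoneypot(block_threshold=3).start()
    for _ in range(3):
        probe(hp.host, hp.port)
    hp.wait_for(3)
    hp.stop()
    for ev in hp.events:
        print(ev)
    print("blocked:", sorted(hp.blocked))
```

Because the kernel completes the handshake before accept() runs, probe() returns as soon as the SYN/ACK arrives; wait_for() is needed only so the recorded events can be read after the listener thread has caught up. Once the listener is stopped the same probe is refused, which is the difference a scanner sees between a honeypot rule set to Impersonate and one set to Ignore.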