    Configuring Network Honeypot Rulebase Rules (NSM Procedure)

    The Network Honeypot rulebase is a method to detect reconnaissance activity. A rule names a destination server and services that the IDP Series device impersonates; a source that probes those impersonated services gets an answer as if the service were open, and the probe is logged and, optionally, acted on. For background on the Network Honeypot rulebase, see the IDP Series Concepts and Examples Guide.

    Figure 1 shows the Network Honeypot rulebase in the NSM security policy editor, where you can modify Network Honeypot rules. Table 1 describes the rule settings you can modify.

    Figure 1: NSM Security Policy Editor: Network Honeypot Rulebase


    To create Network Honeypot rulebase rules:

    1. In the NSM navigation tree, select Policy Manager > Security Policies.
    2. Select the security policy to which you want to add Network Honeypot rulebase rules.
    3. Add the Network Honeypot rulebase by clicking the + icon in the upper right region of the policy viewer and selecting Add Network Honeypot Rulebase.
    4. Add a rule by clicking the + icon within the rules viewer.
    5. Modify the property of a rule by right-clicking the table cell for the property and making your selection.
    6. Click OK to save your changes.

    Table 1: Network Honeypot Rulebase Rule Properties

    Setting: Function

    No.: Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection. Rules are evaluated in order, so place more specific rules (for example, an Ignore rule for a trusted scanner) above broader ones.

    Match: Sets match criteria for source, destination, and service.

    Source Address: Sets match criteria for source IP addresses or network objects.

    Impersonate: Sets match criteria for the destination server and service you want to impersonate.

    Operation: Ignore turns the network honeypot off for matching traffic; no impersonated response is sent. Impersonate turns the network honeypot on; the IDP system answers TCP connection requests (SYN) to the impersonated server and service with a TCP SYN/ACK, so the port appears open to the probing host.

    IP Action: Sets the IP action taken against the source of matching traffic: block, close, or notify.

    Notification: Sets logging and packet capture settings.

    VLAN Tag: Sets match criteria for VLAN tags.

    Severity: Sets the severity rating assigned to matches.

    Install On: Specifies target IDP Series devices for the rule. By default, IDP security policy rules can be applied to any IDP Series device. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP Series devices to which the rule can be installed.

    Comments: Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule. Comments do not affect the functionality of the security policy rule.

    Note: The IDP Series device drops MPLS traffic that matches a Network Honeypot rule. When the IDP engine processes MPLS traffic, it stores the MPLS label information, keeping separate labels for client-to-server and server-to-client communication. For traffic that matches a Network Honeypot rule there is no genuine server-to-client communication, so the IDP engine has no server-to-client MPLS label to use when building the impersonated reply. The impersonation operation therefore cannot be supported for MPLS traffic, and matching MPLS packets are dropped rather than answered.
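    The following is an added example, not Juniper or NSM code: a small simulation of how the rule properties in Table 1 (No., Source Address, Impersonate, Operation, IP Action, VLAN Tag, Severity) are applied to inbound TCP SYNs, including the MPLS drop described in the Note. The rule and packet field names, the sample rules, and the sample SYNs are all constructed for illustration. It also goes one step beyond the page by summarising which sources hit several impersonated services, which is the reconnaissance signal a honeypot rulebase is meant to surface.

```python
"""Simulated Network Honeypot rulebase evaluation (added example, not Juniper code).

Models first-match evaluation of honeypot rules against TCP SYNs and the
response the IDP device would give. All field names and sample data are
assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    number: int                        # "No." column: lower numbers are evaluated first
    source: list                       # "Source Address": CIDR strings, or ["any"]
    impersonate_host: str              # "Impersonate": destination server as CIDR
    impersonate_services: set          # "Impersonate": TCP ports to present as open
    operation: str = "impersonate"     # "Operation": "impersonate" or "ignore"
    ip_action: Optional[str] = None    # "IP Action": "block", "close", "notify" or None
    vlan_tag: Optional[int] = None     # "VLAN Tag": None matches any VLAN
    severity: str = "info"             # "Severity"


@dataclass
class Syn:
    src: str
    dst: str
    dport: int
    vlan: Optional[int] = None
    mpls: bool = False                 # True if the packet arrived with an MPLS label


@dataclass
class Verdict:
    rule: Optional[int]                # matching rule number, None if no rule matched
    response: str                      # "SYN/ACK", "none" or "drop"
    ip_action: Optional[str]
    log: str


def _matches(rule: Rule, syn: Syn) -> bool:
    """Apply the rule's match criteria (VLAN, impersonated host/service, source)."""
    if rule.vlan_tag is not None and syn.vlan != rule.vlan_tag:
        return False
    if syn.dport not in rule.impersonate_services:
        return False
    if ip_address(syn.dst) not in ip_network(rule.impersonate_host):
        return False
    if rule.source != ["any"] and not any(
        ip_address(syn.src) in ip_network(net) for net in rule.source
    ):
        return False
    return True


def evaluate(rules: list, syn: Syn) -> Verdict:
    """First matching rule (by No.) decides what the device does with the SYN."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not _matches(rule, syn):
            continue
        if syn.mpls:
            # Per the Note: no server-to-client MPLS label exists for an
            # impersonated flow, so matching MPLS traffic is dropped, not answered.
            return Verdict(rule.number, "drop", None, "mpls traffic dropped")
        if rule.operation == "ignore":
            return Verdict(rule.number, "none", None, "honeypot off for this match")
        return Verdict(rule.number, "SYN/ACK", rule.ip_action,
                       f"honeypot hit severity={rule.severity}")
    return Verdict(None, "none", None, "no rule matched")


def scan_sources(rules: list, syns: list, min_hits: int = 2) -> dict:
    """Sources that received SYN/ACKs for at least min_hits distinct (host, port) pairs."""
    hits: dict = {}
    for syn in syns:
        if evaluate(rules, syn).response == "SYN/ACK":
            hits.setdefault(syn.src, set()).add((syn.dst, syn.dport))
    return {src: len(pairs) for src, pairs in hits.items() if len(pairs) >= min_hits}


# Constructed sample rules: rule 1 exempts a management network (Ignore) and is
# ordered above the broader Impersonate rules so it wins on overlap.
SAMPLE_RULES = [
    Rule(1, ["10.0.0.0/8"], "192.0.2.0/24", {23, 3389, 8080}, operation="ignore"),
    Rule(2, ["any"], "192.0.2.10/32", {23, 3389, 8080}, ip_action="notify", severity="medium"),
    Rule(3, ["any"], "192.0.2.20/32", {445}, vlan_tag=100, ip_action="block", severity="high"),
]

# Constructed sample SYNs (documentation addresses only).
SAMPLE_SYNS = [
    Syn("203.0.113.5", "192.0.2.10", 23),
    Syn("203.0.113.5", "192.0.2.10", 3389),
    Syn("203.0.113.5", "192.0.2.10", 8080),
    Syn("203.0.113.5", "192.0.2.10", 80),                # real service, no honeypot rule
    Syn("10.1.2.3", "192.0.2.10", 23),                   # management net, rule 1 ignores
    Syn("198.51.100.7", "192.0.2.20", 445, vlan=100),    # rule 3 matches
    Syn("198.51.100.7", "192.0.2.20", 445, vlan=200),    # wrong VLAN, no match
    Syn("203.0.113.5", "192.0.2.10", 23, mpls=True),     # dropped per the Note
]

if __name__ == "__main__":
    for syn in SAMPLE_SYNS:
        print(syn, "->", evaluate(SAMPLE_RULES, syn))
    print("likely scanners:", scan_sources(SAMPLE_RULES, SAMPLE_SYNS))
```

    The ordering point matters in practice: an Ignore rule placed below a broader Impersonate rule never fires, so the exemption for the management network has to carry a lower rule number than the rule it exempts from.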


    Published: 2011-02-08