
    Configuring Traffic Anomalies Rulebase Rules (NSM Procedure)

    The Traffic Anomalies rulebase employs a traffic flow analysis method to detect attacks that occur over multiple connections and sessions (such as scans).

    Figure 1 shows the Traffic Anomalies rulebase in the NSM security policy editor, where you can modify Traffic Anomalies rules. Table 1 describes the rule settings you can configure.

    Figure 1: NSM Security Policy Editor: Traffic Anomalies Rulebase


    To create Traffic Anomalies rulebase rules:

    1. In the NSM navigation tree, select Policy Manager > Security Policies.
    2. Select the security policy to which you want to add Traffic Anomalies rulebase rules.
    3. Add the Traffic Anomalies rulebase by clicking the + icon in the upper right region of the policy viewer and selecting Add Traffic Anomalies Rulebase.
    4. Add a rule by clicking the + icon within the rules viewer.
    5. Modify the setting by right-clicking the table cell for the setting and making your selection.
    6. Click OK to save your changes.

    Table 1: Traffic Anomalies Rulebase Rule Properties

    Setting / Function

    No.
        Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection.

    Match
        Sets match criteria for source, destination, and service.

    Traffic Anomalies
        Ignore: Turns off traffic anomaly detection for traffic that matches the rule.
        Detect: Turns on detection for traffic that matches the rule and displays the View Detect Options dialog box, where you can set detection settings.
        Table 2 describes the Traffic Anomalies rulebase detection settings that you can set in the View Detection Options dialog box.

    IP Action
        Sets IP block, close connection, or notify settings.

    Notification
        Sets logging settings.
        Note: Packet capture is not available for Traffic Anomalies rulebase rules.

    VLAN Tag
        Sets match criteria for VLAN tags.

    Severity
        Sets severity ratings.

    Install On
        Specifies the target IDP Series devices for the rule. By default, IDP security policy rules can be applied to any IDP Series device. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP Series devices on which the rule can be installed.

    Comments
        Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule. Comments do not affect the functionality of the security policy rule.

    Table 2 describes Traffic Anomalies rulebase detection settings.

    Table 2: Traffic Anomalies Rulebase Detection Settings

    Setting / Function

    TCP Scans, UDP Port Scans
        Sets a port count (number of ports scanned) and the time threshold (the time period, in seconds, over which ports are counted).
        The default port count is 20. The default time threshold is 120 seconds. The rule is matched if the same source scans 20 TCP ports on your internal network within 120 seconds, or if the same source scans 20 UDP ports on your internal network within 120 seconds.

    Distributed Port Scan
        A distributed port scan is an attack that uses multiple source IP addresses to scan ports.
        Sets an IP count (number of source IP addresses scanning) and the time threshold (the time period, in seconds, over which addresses are counted).
        The default IP count is 50. The default time threshold is 120 seconds. The rule is matched if 50 IP addresses attempt to scan ports on your internal network within 120 seconds.

    ICMP Sweep
        An ICMP sweep is an attack in which a single source IP pings multiple IP addresses.
        Sets an IP count (number of IP addresses pinged) and the time threshold (the time period, in seconds, over which addresses are counted).
        The default IP count is 50. The default time threshold is 120 seconds. The rule is matched if the same source IP attempts to ping 50 IP addresses within 120 seconds.

    Network Scan
        A network scan is an attack in which a single source IP scans multiple IP addresses.
        Sets an IP count (number of IP addresses scanned) and the time threshold (the time period, in seconds, over which addresses are counted).
        The default IP count is 50. The default time threshold is 120 seconds. The rule is matched if the same source IP attempts to scan 50 IP addresses within 120 seconds.

    Session Limit
        Sets a threshold number of sessions allowed from a single host within one second. The default is 100 sessions.
        For example, assume your internal network typically carries low-volume traffic. To detect a sudden increase in traffic from a specific host (which might indicate a worm), configure a rule that matches traffic over your internal network and set a limit of 200. To block traffic that exceeds the session limit, set the rule's IP Action to IP Block and set Blocking Options to Source, Protocol.
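    The following is an added example, not Juniper or NSM code, that applies the Table 2 thresholds (TCP port scan, network scan, and session limit) to constructed flow records so you can see which of the default settings a given traffic pattern would trip. It assumes the rulebase counts distinct ports or addresses per source within a sliding 120-second window; the flow-record layout and sample addresses are invented for the example.

```python
from collections import defaultdict, deque

# Thresholds mirror the Table 2 defaults. Assumption: NSM counts distinct
# ports or addresses per source inside a sliding 120-second window.
PORT_COUNT, IP_COUNT, WINDOW = 20, 50, 120   # ports, addresses, seconds
SESSION_LIMIT = 100                          # sessions per host per second

def _sliding_hits(events, key_fn, item_fn, threshold, window=WINDOW):
    """Return keys whose distinct item_fn() values reach `threshold` within
    any `window`-second span. events: (ts, src, dst, proto, dport) tuples."""
    recent = defaultdict(deque)   # key -> deque of (ts, item) still in window
    hits = set()
    for ev in sorted(events):
        ts, key = ev[0], key_fn(ev)
        q = recent[key]
        q.append((ts, item_fn(ev)))
        while q and q[0][0] < ts - window:   # expire events older than window
            q.popleft()
        if len({item for _, item in q}) >= threshold:
            hits.add(key)
    return hits

def tcp_port_scans(events):
    """Table 2 'TCP scans': same source hits 20 TCP ports within 120 s."""
    tcp = [e for e in events if e[3] == "tcp"]
    return _sliding_hits(tcp, lambda e: e[1], lambda e: e[4], PORT_COUNT)

def network_scans(events):
    """'Network Scan': same source touches 50 destination IPs within 120 s."""
    return _sliding_hits(events, lambda e: e[1], lambda e: e[2], IP_COUNT)

def session_limit_hits(events, limit=SESSION_LIMIT):
    """'Session Limit': hosts opening more than `limit` sessions in one second."""
    per_second = defaultdict(int)
    for ts, src, *_ in events:
        per_second[(src, int(ts))] += 1
    return {src for (src, _), n in per_second.items() if n > limit}

# Constructed sample flow records: (timestamp_s, src, dst, proto, dst_port)
SAMPLE = (
    # 10.0.0.5 probes 25 TCP ports on one host within 25 s -> TCP port scan
    [(t, "10.0.0.5", "192.168.1.10", "tcp", 1000 + t) for t in range(25)]
    # 10.0.0.3 hits port 445 on 60 hosts within 60 s -> network scan
    + [(3000 + t, "10.0.0.3", "192.168.2.%d" % t, "tcp", 445) for t in range(60)]
    # 10.0.0.9 hits port 80 on 10 hosts over 10 minutes -> below every threshold
    + [(600 + 60 * t, "10.0.0.9", "192.168.1.%d" % t, "tcp", 80) for t in range(10)]
    # 10.0.0.7 opens 150 sessions within one second -> session limit (100)
    + [(2000 + i / 1000, "10.0.0.7", "192.168.1.20", "tcp", 443) for i in range(150)]
)
```

    Raising the session limit to 200, as in the worm example above, is just `session_limit_hits(SAMPLE, limit=200)`; the 150-session burst then falls below the threshold.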


    Published: 2011-02-08