Configuring Run-Time Parameters (NSM Procedure)

Run-time parameters include options for tuning IDP detection methods. In general, you modify these settings only if you encounter false positives or performance issues. These options control the security module operations.

To configure run-time parameters:

  1. In NSM Device Manager, double-click the IDP device for which you want to configure run-time parameters. The device configuration editor appears
  2. Click Sensor Settings.
  3. Click the Run-time Parameters tab.
  4. Configure run-time settings using Table 52.
  5. Click Apply.
  6. Click OK.

    Table 52: IDP Device Configuration: Run-Time Parameters

    Setting

    Description

    Backdoor Detection

    Minimum interval between consecutive small packets (microseconds) / Maximum interval between consecutive small packets (microseconds)–Controls the minimum and maximum intervals (in microseconds) between the arrival of two consecutive small packets in suspected interactive traffic. If the IDP device sees small packets arrive in less than the minimum or more than the maximum number of microseconds, it does not consider the traffic to be interactive.

    The defaults are 20,000 and 2,00,00,000. This means that consecutive small packets must arrive within 20,000 to 2,00,00,000 microseconds to be considered interactive.

    Byte threshold for packet sizes in a backdoor connection–Controls the maximum number of bytes a TCP packet must contain before the IDP device uses the packet for backdoor detection heuristics. The default is 20 bytes.

    Minimum number of data carrying TCP packets–Controls the minimum number of data-carrying TCP packets in suspected interactive traffic. The default is 20 packets.

    Minimum percentage of back-to-back small packets–Controls the minimum percentage of consecutive small packets in suspected interactive traffic. If the IDP device sees less than this percentage, it does not report a backdoor event. The default is 20%.

    Ratio of small packets to the total packets (percentage)–Controls the minimum percentage of small packets that the IDP device uses for backdoor detection heuristics. If the IDP device sees less than this minimum, it does not report a backdoor event. The default is 20%.

    Flow Management

    Timeout (seconds) for non-UDP/TCP/ICMP flows–Each connection through the security module typically has two non-UDP/TCP/ICMP flows, one in each direction. If IDP does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Timeout (seconds) for UDP flows–Each connection through the security module typically has two UDP flows, one in each direction. If IDP does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Timeout (seconds) for TCP flows–Each connection through the security module typically has two TCP flows, one in each direction. If IDP does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Timeout (seconds) for ICMP flows–Each connection through the security module typically has two ICMP flows, one in each direction. If IDP does not see flow activity for the specified timeout, it removes the idle flow from the flow table. The default is 30 seconds.

    Maximum TCP Sessions–Controls the maximum number of TCP sessions that IDP maintains. If IDP reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model.

    Maximum UDP Sessions–Controls the maximum number of UDP sessions that IDP maintains. If IDP reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model.

    Maximum ICMP Sessions–Control s the maximum number of ICMP sessions that IDP maintains. If IDP reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model.

    Maximum IP (non-UDP/TCP/ICMP) sessions–Controls the maximum number of IP sessions that IDP maintains. If IDP reaches the maximum, it drops all new sessions and writes a SESSION_LIMIT_EXCEEDED log. Defaults vary according to model.

    Reset flow table with policy load/unload– Enables IDP to reset the flow table each time you load or unload a security policy. If you do not enable this option, IDP maintains the flow table until all flows referencing that security policy go away. This setting is enabled by default. We recommend that you keep this setting enabled to preserve memory.

    Log flow related errors–Enables logging for flow-related errors. This setting is not enabled by default.

    IP Actions

    Reset block table with policy load/unload–Allows the IDP device to reset the block table. The block table maintains the state of active IP actions each time a security policy loads or unloads. This setting is enabled by default.

    Intrusion Detection

    Buffer Overflow emulator–Turns on buffer overflow emulation.

    Attack matches per packet when Signature Hierarchy (0 to disable) take effect–Sets the threshold for activating Signature Hierarchy calculations.

    Common attack can be composed of several known vulnerabilities. Each vulnerability has an attack object, and each would generate a separate log entry if the signature hierarchy feature were disabled.

    For example, for a policy with critical, high, medium, low, and info attacks and logging enabled, a single detection of HTTP:IIS:COMMAND-EXEC attack generates the following logs:

    • HTTP:IIS:COMMAND-EXEC [wininnt/system32/cmd.exe] (medium)
    • HTTP:WIN-CMD:WIN-CMD-EXE [cmd.exe] (medium)
    • HTTP:REQERR:REQ-MALFORMED-URL [anomaly for %xx] (medium)
    • HTTP:DIR:TRAVERSE-DIRECTORY (anomaly for ../) (medium)
    • HTTP:REQERR:REQ-LONG-UTF8CODE (anomaly for oe) (medium)
    • TCP:AUDIT:BAD-SYN-NONSYN (info)
    • HTTP:AUDIT:URL (info)
    • TCP:AUDIT:BAD-SYN-NONSYN (info)

    If the number of attacks in a packet exceeds the set value, then IDP examines its signature hierarchy to see if some attacks are actually part of a larger attack. If so, then only the parent attack is displayed in the logs. In this example, if the value was set to 9 or lower, then only a log for HTTP:IIS:COMMAND-EXEC would be generated.

    An attack in the signature hierarchy may have multiple parents or multiple children. If a child attack is part of two discovered parents, IDP takes action based on the parent with the highest severity.

    Specify 0 to disable.

    Run-time Parameters

    Enable Per subscriber rate limit–If you implement user-role-based rules, you can apply rate limiting to all users who belong to the specified role or to each user who belongs to the specified role. By default, rate limiting is applied to all users who belong to the specified role.

    Select the check box to change the default to per user enforcement.

    Note: User-role-based policies require integration with an IC Series UAC deployment.

    RPC program timeout (seconds)–IDP performs a stateful inspection of all RPC messages on port 111, then builds a table of program-to-port mapping for each RPC server that it finds on the network. This setting indicates how long an entry in the table is maintained. The default is 300 seconds.

    RPC transaction timeout (Seconds)–All RPC messages (port 111) are based on a request/response protocol. When the IDP receives a request, it adds the request to a request table. If IDP does not receive an RPC reply in the specified timeout, the RPC entry times out. The default is 5 seconds.

    Exempt management server flows–Exempts NSM connections from IDP processing. This setting is enabled by default.

    Fragment timeout (seconds)–Controls when IDP drops an incomplete fragment chain because one or more fragments did not arrive. If IDP does not receive missing fragments in the specified timeout, it generates a log (FRAGMENT_TIME_EXCEEDED). The default is 5 seconds.

    Minimum fragment size (bytes)–IDP drops all IP fragments less than the specified size (bytes). The default is 0 bytes (no fragments are dropped).

    Maximum fragments per IP datagram–An IP datagram can be broken into many fragments which, when assembled, should not exceed 64 K. Because IP fragment processing is CPU and memory intensive, this setting controls the size of the IP fragment chain. If the number of fragments in a chain exceeds this number, IDP drops the entire fragment chain. The default is 65,535 bytes.

    Maximum concurrent fragments in queue–IDP can perform pseudo reassembly of IP fragment chains. This setting controls the maximum number of reassembled fragment chains. Once this limit is reached, IDP drops all new IP fragment chains and generates a log (TOO_MANY_FRAGMENTS). If your network produces a large number of IP fragments, such as those produced by Network File System (NFS), increase the number of fragments per chain to eliminate unnecessary logs. The default is 16 fragments.

    Log fragment related errors–Logs fragment related errors. This setting is not enabled by default.

    Enable GRE decapsulation support–Enables IDP to decode generic routing encapsulation (GRE) tunnels where IP-in-GRE or PPP-in-GRE encapsulation is used. This allows IDP to inspect the packet in its original form. GRE decapsulation is not enabled by default.

    Enable GTP decapsulation support–Enables GPRS Tunneling Protocol (GTP) decapsulation. IDP supports decapsulation of UDP GTPv0 and GTPv1 only. GTP decapsulation is not enabled by default.

    SYN Protector

    Enable SSL decryption support–Enables SSL inspection. SSL decryption is not enabled by default.

    Timeout for half-open SYN protected flows–A half-open SYN flow occurs during the TCP three-way handshake, after the client has sent a SYN/ACK packet to the server. The half-open connection is now in the SYN_RECV state, and is placed into a connection queue while it waits for an ACK or RST packet. The connection remains in the queue until the connection-establishment timeout expires and the half-open connection is deleted. This setting controls the connection establishment timer, which determines the number of seconds that the security module maintains a half-open SYN protected flow. The default is 5 seconds.

    TCP Reassembler

    Lower SYN’s-per-second threshold below which SYN Protector will be deactivated / Upper SYN’s-per-second threshold above which SYN Protector will be activated–The SYN Protector rulebase is activated when the number of SYN packets per second is greater than the sum of the lower SYNs-per-second threshold and the upper SYNs-per-second threshold.

    The SYN Protector rulebase is deactivated when the number of SYN packets per second is less than the lower SYNs-per-second threshold.

    The defaults are 1000 and 20. The SYN Protector is activated when SYNs-per-second reach 1020 and deactivated when SYNs-per-second fall below 1000.

    Ignore packets in TCP flows where a SYN hasn't been seen (recommended)–The absence of SYN flags in TCP flows is suspect, yet still a very common occurrence. IDP can ignore packets within TCP flows that do not yet contain a SYN flag. This is enabled by default.

    Close flows as soon as a FIN is seen–Enables when a TCP connection closes, IDP sees a FIN packet from each side of the connection followed by an ACK packet from each side of the connection. However, TCP does not guarantee delivery of the final ACK.

    Enables IDP to quickly close a TCP connection after receiving a FIN packet. When enabled, IDP maintains a connection waiting for a final ACK for 5 seconds, then closes the connection. This is enabled by default and recommended.

    Timeout for connected, idle TCP flows (seconds)–Controls the number of seconds that IDP maintains connected (but idle) TCP flows. The default is 3600 seconds.

    Timeout for closed TCP flows (seconds)–Controls when IDP sees a RST packet or FIN/FIN+ACK packets on a TCP connection, it closes the connection flows. IDP drops any further packets for the closed flow, but does not delete existing, closed flows from the flow table. Controls the number of seconds that closed TCP flows are maintained in the flow table. The default is 5 seconds.

    Timeout for CLOSE-WAIT/LAST-ACK TCP flows (seconds)–Controls when a TCP connection closes, IDP sees a FIN packet from each side of the connection followed by an ACK packet from each side of the connection. However, TCP does not guarantee delivery of the final ACK.

    Controls the number of seconds a connection is maintained while waiting for the final ACK.

    To improve IDP performance during heavy loads, decrease the timeout—this reduces the size of the flow table by closing connections sooner. The default is 120 seconds.

    Traffic Signatures

     

    Byte threshold for suspicious flows–Specifies a threshold for what IDP considers a small packet.

    A scan typically uses small packets to access its targets. You can exclude suspicious flows that contain large packets to prevent false positives when detecting scans.

    If IDP sees more than this maximum, it does not consider the connection to be a scan. The default is 20 bytes.

    Reporting frequency when scan is in progress –Controls how often IDP generates "in progress" logs for a stealthy scan.

    Attackers can perform blatant scans very quickly, mapping your network in just a few seconds, but these scans typically trigger IDSes and leave evidence behind. Stealthy scans are performed over much longer time periods, lasting hours, days, or even weeks, making them more difficult to detect. The default is 30 seconds.

    The number of IP tracked for session rate –Controls the number of IP addresses tracked by the session rate counter. If IDP sees more addresses than the maximum, it does not track the additional IP addresses.The default is 32,767 IP addresses.

Related Documentation