Configuring Protocol Handling (NSM Procedure)

The protocol anomaly detection methods identify traffic that deviates from RFC specifications. In general, you modify protocol thresholds and configuration settings only if you encounter false positives or performance issues.

To tune protocol anomaly detection thresholds:

  1. In NSM Device Manager, double-click the IDP device that you want to modify. The device configuration editor appears.
  2. Click Sensor Settings.
  3. Click the Protocol Thresholds and Configuration tab.
  4. Configure the protocol thresholds using Table 54.
  5. Click Apply.
  6. Click OK.

    Table 54: IDP Device Configuration: Protocol Thresholds and Configuration Settings

    Setting

    Description

    AIM

    Maximum header length–Raises a protocol anomaly if IDP detects a header containing more bytes than the specified maximum. The default is 10,000 bytes.

    Maximum type-length-value length–Raises a protocol anomaly if IDP detects an AIM/ICQ type-length-value (TLV) containing more bytes than the specified maximum. A TLV is a tuple used for passing typed information to the protocol. The default is 8000 bytes.

    Maximum inter-client-message-block length–Raises a protocol anomaly if IDP detects an AIM/ICQ inter-client-message-block (ICMB) containing more bytes than the specified maximum. The default is 2000 bytes.

    Maximum filename length–Raises a protocol anomaly if IDP detects an AIM/ICQ file name containing more bytes than the specified maximum. The default is 10,000 bytes.

    DHCP

    Check to see if the source port of client's packets is 68—Raises a protocol anomaly if IDP detects DHCP traffic that originates from a port other than 68. This setting is not enabled by default.

    DNS

    Report unknown DNS parameters (high noise)–Detects and reports unknown DNS parameters.

    You must also configure an IDP rulebase rule to detect DNS anomalies. This setting is not enabled by default.

    Report unexpected DNS parameters (high noise) –Detects and reports unexpected DNS parameters. This setting is not enabled by default.

    You must also configure an IDP rulebase rule to detect DNS anomalies.

    Maximum length of a DNS UDP packet –Raises a protocol anomaly if IDP detects a DNS UDP packet containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum size of a NXT resource record –Raises a protocol anomaly if IDP detects an NXT resource record in a DNS request or response message of a greater size. The default is 4096 bytes.

    This setting tunes the following protocol anomaly attack object: DNS_BIND_NXT_OVERFLOW (key is DNS:OVERFLOW:NXT-OVERFLOW).

    Maximum time of a dns cache –Controls the maximum amount of time for a DNS query and reply. The default is 60 seconds.

    Maximum number of logs in a session –Controls the maximum number of DNS queries kept to match a reply. The default is 1000 queries.

    FTP

    Maximum Line length–Raises a protocol anomaly if IDP detects an FTP username containing more bytes than the specified maximum. The default is 32 bytes.

    Maximum Username length–Raises a protocol anomaly if IDP detects an FTP password containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Password length –Raises a protocol anomaly if IDP detects an FTP pathname containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Pathname length –Raises a protocol anomaly if IDP detects an FTP pathname containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Sitestring length –Raises a protocol anomaly if IDP detects an FTP sitestring containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum number of login failures per-minute–Raises a protocol anomaly if IDP detects more FTP login failures in one minute than the specified maximum. The default is 4 FTP login failures per minute.

    GNUTELLA

    Maximum TTL hops–Raises a protocol anomaly if IDP detects a number of TTL hops that is higher than the specified maximum. The default is 8 TTL hopes.

    Maximum Line length–Raises a protocol anomaly if IDP detects, in a Gnutella connection, a line that contains more bytes than the specified maximum. The default is 2048 bytes.

    Maximum Query size–Raises a protocol anomaly if IDP detects a Gnutella client query that contains more bytes than the specified maximum. The default is 256 bytes.

    GOPHER

    Maximum line length–Raises a protocol anomaly if IDP detects, in a Gopher server-to-client connection, a line sent by a Gopher server to a client that contains more bytes than the specified maximum. The default is 512 bytes.

    Maximum hostname length–Raises a protocol anomaly if IDP detects, in a Gopher server-to- client connection, a hostname that contains more bytes than the specified maximum. The default is 64 bytes.

    HTTP

    Maximum Request length–Raises a protocol anomaly if IDP detects an HTTP request that contains more bytes than the specified maximum. The default is 8192 bytes.

    Maximum Header length–Raises a protocol anomaly if IDP detects an HTTP header that contains more bytes than the specified maximum. The default is 8192 bytes.

    Maximum Cookie length –Raises a protocol anomaly if IDP detects a cookie that contains more bytes than the specified maximum. The default is 8192 bytes.

    Cookies that exceed the cookie length setting can match the protocol anomaly ”r;HTTP-HEADER-OVERFLOW” and produce unnecessary log records. If you are getting too many log records for the HTTP-HEADER-OVERFLOW protocol anomaly, increase the maximum cookie length.

    Maximum Authorization length–Raises a protocol anomaly if IDP detects an HTTP header authorization line that contains more bytes than the specified maximum. The default is 512 bytes.

    Use this setting to tune results from the Auth Overflow attack object (key is HTTP:OVERFLOW:AUTH-OVFLW).

    Maximum Content-type length–Raises a protocol anomaly if IDP detects an HTTP header content-type that contains more bytes than the specified maximum. The default is 512 bytes.

    Maximum User-agent length–Raises a protocol anomaly if IDP detects an HTTP header user-agent that contains more bytes than the specified maximum. The default is 256 bytes.

    Maximum Host length–Raises a protocol anomaly if IDP detects an HTTP header host that contains more bytes than the specified maximum. The default is 64 bytes.

    Maximum Referrer length –Raises a protocol anomaly if IDP detects an HTTP header referrer that contains more bytes than the specified maximum. The default is 8192 bytes.

    Use alternate ports as http service–If selected, the security module watches for HTTP traffic on the following ports in addition to tcp/80: 7001; 8000; 8001; 8100; 8200; 8080; 8888; 9080. This setting is enabled by default.

    Maximum number of login failures per-minute–Raises a protocol anomaly if IDP detects, between a unique pair of hosts, more login failures than the specified maximum. The default is 4 HTTP authentication failures per minute.

    This setting tunes the BRUTE_FORCE attack object.

    Maximum number of 301/403/404 or 405 errors per-minute–Raises a protocol anomaly if IDP detects, between a unique pair of hosts, more 301/403/404/405 errors than the specified maximum. The default is 16 HTTP errors per minute.

    ICMP

    Maximum Packets per second to trigger a flood–Raises a protocol anomaly if IDP detects more ICMP packets than the specified maximum. The default is 250 packets per second.

    Minimum time interval (in seconds) between packets–Raises a protocol anomaly if IDP detects ICMP packets that have less than the specified minimum time interval between them. The default is 1 second.

    Use this setting to tune the Flood attack object (ICMP:EXPLOIT:FLOOD).

    IDENT

    Maximum requests per session–Raises a protocol anomaly if IDP detects more IDENT (identification protocol) requests than the specified maximum. The default is 1 request per session.

    This setting tunes the Too Many Requests attack object (key is IDENT:OVERFLOW:REQUEST-NUM).

    Maximum Request length–Raises a protocol anomaly if IDP detects an IDENT request containing more bytes than the specified maximum. The default is 15 bytes.

    This setting tunes the Request Too Long attack object (key is IDENT:OVERFLOW:REQUEST).

    Maximum Reply length–Raises a protocol anomaly if IDP detects an IDENT reply containing more bytes than the specified maximum. The default is 128 bytes.

    This setting tunes the Reply Too Long attack object (key is IDENT:OVERFLOW:REPLY).

    IKE

    Maximum number of payloads in an IKE message–Raises a protocol anomaly if IDP detects an IKE message with a higher number of payloads. The default is 57 payloads.

    This setting tunes detection with the TOO-MANY-PAYLOADS attack object (key is IKE:MALFORMED:2MANY-PAYLOAD).

    IMAP

    Maximum Line length–Raises a protocol anomaly if IDP detects an IMAP line containing more bytes than the maximum. The default is 2048 bytes.

    Maximum Username length–Raises a protocol anomaly if IDP detects an IMAP username containing more bytes than the maximum. The default is 64 bytes.

    Maximum Password length–Raises a protocol anomaly if IDP detects an IMAP password containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Mailbox length–Raises a protocol anomaly if IDP detects an IMAP mailbox containing more than the maximum. The default is 64 bytes.

    Maximum Reference length –Raises a protocol anomaly if IDP detects an IMAP reference containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Flag length–Raises a protocol anomaly if IDP detects an IMAP flag containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Literal length–Raises a protocol anomaly if IDP detects a literal with more octets than the specified maximum. In IMAP4 protocol, a string can be in one of two forms: literal and quoted. As defined in RFC 2060 4.3, a literal is a sequence of zero or more octets (including CR and LF), prefix-quoted with an octet count in the form of an open brace ("{"), the number of octets, close brace ("}"), and CRLF. Valid range is 1 to 1,67,77,215. The default is 65,535 bytes.

    This setting tunes detection with the imap_literal_length_overflow attack object (key is IMAP:OVERFLOW:LIT_LENGTH_OFLOW).

    Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the maximum. The default is 4 IMAP login failures per minute.

    IRC

    Maximum Password length –Raises a protocol anomaly if IDP detects an Internet Relay Chat (IRC) password containing more bytes than the specified maximum. The default is 16 bytes.

    Maximum Username length–Raises a protocol anomaly if IDP detects an IRC username containing more bytes than the specified maximum. The default is 16 bytes.

    Maximum Channel length–Raises a protocol anomaly if IDP detects an IRC channel name containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Nickname length–Raises a protocol anomaly if IDP detects an IRC nickname containing more bytes than the specified maximum. The default is 16 bytes.

    LDAP

    Maximum length of Integer representation in BER encoding–Raises a protocol anomaly if IDP detects an integer field of the LDAP BER containing more bytes than the specified maximum. The default is 4 bytes.

    Maximum number of left zeros for tag in BER encoding–Raises a protocol anomaly if IDP detects more left zeros in any tag in LDAP BER encoding than the specified maximum. The default is 4 left zeros.

    Maximum value of any LDAP tag in BER encoding–Raises a protocol anomaly if IDP detects a value for a tag that can be seen in the LDAP BER encoding that is greater than the specified maximum. LDAP tags are represented using 1 byte, with the top 3 bits reserved. The default is 31.

    Maximum number of left zeros for length in BER encoding–Raises a protocol anomaly if IDP detects more left zeros in any length field in LDAP BER encoding than the specified maximum. The default is 64 left zeros.

    Maximum number of search results requested by LDAP client–Raises a protocol anomaly if IDP detects an LDAP client request for more matching entries than the specified maximum. The default is 0 (indicating no limit).

    Maximum timelimit for search result requested by LDAP client–Raises a protocol anomaly if IDP detects a time limit greater than the specified maximum. The time limit is the number of seconds before a client request times out waiting for a response from the server. The default is 0 (indicating no limit).

    Maximum length of an LDAP Attribute Descriptor–Raises a protocol anomaly if IDP detects a length of an attribute descriptor field in an LDAP message containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum length of an LDAP Distinguished Name–Raises a protocol anomaly if IDP detects a length of a distinguished name field in the LDAP message containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum value of Message id in any LDAP Message –Raises a protocol anomaly if IDP detects a message ID greater than the specified maximum. The default is 2,14,74,83,647.

    Maximum length of an LDAP message–Raises a protocol anomaly if IDP detects a LDAP message that will be processed by the LDAP subsystem larger than the specified maximum. The default is 8100 bytes.

    This setting tunes the MESSAGE_TOO_LONG attack object. If IDP raises this anomaly, it logs the event and skips the message.

    Maximum number of nested operators in an LDAP search request–Raises a protocol anomaly if IDP detects a number of nested levels allowed in an LDAP search request filter argument greater than the specified maximum. The default is 8 nested operators.

    Maximum Number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the maximum. The default is 4 LDAP login failures per minute.

    LPR

    Maximum Sub-command length in RECEIVE-JOB Command–Raises a protocol anomaly if IDP detects in an Line Printer Protocol (LPR) control file a sub command line containing more bytes than the specified maximum. LPR is a TCP-based print server protocol used by line printer daemons (client and server) to communicate over networks. An LPR client uses the LPR protocol to send a print command to an LPR server (a line printer) at TCP/515. After the print command is received by the server, the client can issue subcommands to the server and send control and data files. Control files tell the line printer which functions to perform when printing the file; data files carry the payload. The default is 256 bytes.

    Maximum Reply length from server–Raises a protocol anomaly if IDP detects an LPR control filename containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Control filename length–Raises a protocol anomaly if IDP detects an LPR control filename containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Data filename length–Raises a protocol anomaly if IDP detects a data filename containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Control file size–Raises a protocol anomaly if IDP detects an LPR control file size greater than the specified maximum. The default is 1024 bytes.

    Maximum Data file size–Raises a protocol anomaly if IDP detects an LPR data file size greater than the specified maximum. The default is 64 bytes.

    Maximum Banner string length–Raises a protocol anomaly if IDP detects an LPR banner string containing more bytes than the specified maximum. A banner string is typically the filename of the print job. The default is 32 bytes.

    Maximum E-mail length –Raises a protocol anomaly if IDP detects an LPR control file e-mail address containing more bytes than the specified maximum. After the file has printed, it is sent to the e-mail address specified in the control file. The default is 32 bytes.

    Maximum Symbolic link length –Raises a protocol anomaly if IDP detects in an LPR control file a symbolic link containing more bytes than the specified maximum. A symbolic link is a file that points to another file (entry) in a UNIX file system, but does not contain the data in the target file. When the LPR protocol receives a symbolic link command in a control file, it records the symbolic link data for the print job filename to prevent directory entry changes from reprinting the file. The default maximum is 128 bytes.

    Maximum font length –Raises a protocol anomaly if IDP detects in an LPR control file a font name containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum filename length for format related sub commands–Raises a protocol anomaly if IDP detects in an LPR control file a format-related file name containing more bytes than the specified maximum. The default is 32 bytes.

    MSN

    Maximum Username length–Raises a protocol anomaly if IDP detects an MSN (Microsoft Instant Messaging) username containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum Display name length–Raises a protocol anomaly if IDP detects an MSN display name containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum Group name length–Raises a protocol anomaly if IDP detects an MSN group name containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum User state length–Raises a protocol anomaly if IDP detects an MSN user state containing more bytes than the specified maximum. A user state is a three-letter code that indicates the status of the user's connection (online, offline, idle, and so on). The default is 10 bytes.

    Maximum Phone number length –Raises a protocol anomaly if IDP detects a phone number containing more bytes than the specified maximum. The default is 20 bytes.

    Maximum Length of IP:port–Raises a protocol anomaly if IDP detects an IP:port parameter containing more bytes than the specified maximum. An IP:port parameter indicates the IP address and port number of the MSN server for a switchboard session. The default is 30 bytes.

    Maximum URL length–Raises a protocol anomaly if IDP detects a URL containing more bytes than the specified maximum. The default is 1024 bytes.

    MSRPC

    Maximum fragment length in MSRPC message–Raises a protocol anomaly if IDP detects an MSRPC (Microsoft Remote Procedure Call) message with a fragment length greater than the specified maximum. The default is 8192.

    Maximum tower data length in endpoint mapper messages–Raises a protocol anomaly if IDP detects an endpoint mapper message with a tower data length greater than the specified maximum. The default is 8192.

    Maximum number of entries in an insert message–Raises a protocol anomaly if IDP detects an MSRPC insert message with more entries than the specified maximum. The default is 100 entries.

    NFS

    Maximum Name length –Raises a protocol anomaly if IDP detects an NFS packet name containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum Path length–Raises a protocol anomaly if IDP detects an NFS packet pathname containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum buffer length for read/write–Raises a protocol anomaly if IDP detects an NFS read/writer buffer larger than the specified maximum. The default is 32,768 bytes.

    NTP

    Minimum time (in seconds) between two requests–Raises a protocol anomaly if IDP detects the time between two client-to-server NTP requests is greater than the specified maximum. Valid values range from 64 to 1024 seconds. The default is 0 seconds (which turns the feature off).

    Maximum length for NTPv3 message–Raises a protocol anomaly if IDP detects an NTPv3 message containing more bytes than the specified maximum. The default is 68 bytes.

    Maximum length for NTPv4 message–Raises a protocol anomaly if IDP detects an NTPv4 message containing more bytes than the specified maximum. The default is 68 bytes.

    Maximum stratum value for any NTP peer–Raises a protocol anomaly if IDP detects a stratum value larger than the specified maximum. The default is 15 bytes.

    Maximum time since last update of Reference clock–Raises a protocol anomaly if IDP detects that the NTP reference clock has not been updated in more time than the specified maximum. The default is 86,400 seconds.

    Match timestamps on NTP request and response–Enables IDP to perform timestamp matching on client requests and server responses. With this setting enabled, IDP expects the server response original timestamp to match the client request transmit timestamp; otherwise IDP considers the packet a possible protocol anomaly. This setting is enabled by default.

    Maximum Authorization field length in NTP control message–Raises a protocol anomaly if IDP detects that the length of the Authentication fields in an NTP control message is larger than the specified maximum. The default is 20 bytes.

    Maximum length of any NTP control variable–Raises a protocol anomaly if IDP detects that the length of NTP control data variable name is larger than the specified maximum. The default is 128 bytes.

    Maximum length of any NTP variable value–Raises a protocol anomaly if IDP detects that the length of any NTP control data variable value is larger than the specified maximum. The default is 255 bytes.

    Maximum length of buffer to store between control packets–NTP control messages can be split across multiple UDP packets. This setting is the maximum number of characters that IDP stores in memory to ensure continuity from one packet to the other. The default is 255 bytes.

    Maximum time for an NTP Symmetric passive association to dissolve–A symmetric passive association between two NTP peers must be dissolved after sending one reply. This setting is the time in seconds after which IDP considers such an association as expired.The default is 900 seconds.

    POP3

    Maximum Line length–Raises a protocol anomaly if IDP detects a POP3 line containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Username length–Raises a protocol anomaly if IDP detects a POP3 username containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Password length–Raises a protocol anomaly if IDP detects a POP3 password containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum APOP length –Raises a protocol anomaly if IDP detects an APOP containing more bytes than the specified maximum. The default is 100 bytes.

    Maximum message number–Raises a protocol anomaly if IDP detects a POP3 message number that is higher than the specified maximum. The default is 10,00,000.

    Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the specified maximum. The default is 4 POP3 login failures per minute.

    RADIUS

    Maximum number of authenticated failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the specified maximum. The default is 4 RADIUS login failures per minute.

    SIP

    Max-Forwards threshold–Raises a protocol anomaly if IDP detects maximum number of thresholds.

    SMB

    Maximum registry key length–Raises a protocol anomaly if IDP detects an SMB registry key containing more bytes than the specified maximum. The default is 8192 bytes.

    Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the specified maximum. The default is 4 SMB login failures per minute.

    SMTP

    Maximum Number of mail recipients–Raises a protocol anomaly if IDP detects an SMTP message containing more recipients than the specified maximum. The default is 100 recipients.

    Maximum Username length in RCPT and MAIL–Raises a protocol anomaly if IDP detects an SMTP message with a username containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum Domain name length in RCPT and MAIL–Raises a protocol anomaly if IDP detects an SMTP message with a domain name containing more bytes than the specified maximum. The default is 64 bytes.

    Maximum Path length in RCPT and MAIL–Raises a protocol anomaly if IDP detects an SMTP message with a pathname containing more bytes than the specified maximum. The default is 256 bytes.

    Maximum Command line length (before DATA)–Raises a protocol anomaly if IDP detects an SMTP message with a command-line entry containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum Reply line length from server (default)–Raises a protocol anomaly if IDP detects an SMTP message with a reply line from the server containing more bytes than the specified maximum. The default is 512 bytes.

    Maximum Text line length (after DATA)–Raises a protocol anomaly if IDP detects an SMTP text line containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum number of nested mime multi-part attachments–Raises a protocol anomaly if IDP detects more nested attachments than the specified maximum. The default is 4 nested mime multi-part attachments.

    Maximum number of base-64 bytes to decode–Raises a protocol anomaly if IDP detects more bytes of encoded mime data than the specified maximum. The default is 64 bytes.

    Maximum length of the value for content-type's name attribute–Raises a protocol anomaly if IDP detects a name attribute in the content-type header containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum length of the value for the content-disposition's filename attribute–Raises a protocol anomaly if IDP detects a filename attribute in the content-disposition header containing more bytes than the specified maximum. The default is 128 bytes.

    Look for email headers in message data–Controls whether IDP looks for e-mail headers in the message data, which can occur when a bounced email contains an attachment. This setting is not enabled by default.

    SYSLOG

    Validate RFC-3164 compliant timestamp format–If selected, the security module checks the timestamp in syslog traffic to ensure that it is compliant with RFC 3164. If the timestamp is not compliant, the security module considers the traffic a possibly anomaly. This setting is not enabled by default.

    TELNET

    Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the specified maximum. The default is 4 TELNET login failures per minute.

    TFTP

    Maximum Filename length–Raises a protocol anomaly if IDP detects a filename containing more bytes than the specified maximum. The default is 128 bytes.

    VNC

    Maximum Reason string length–Raises a protocol anomaly if IDP detects a VNC (Virtual Network Computing) reason string length greater than the specified maximum. A reason string contains the text that describes why a connection between a VNC server and client failed. The default is 512 bytes.

    Maximum Display name length–Raises a protocol anomaly if IDP detects a VNC display name containing more bytes than the specified maximum. The default is 128 bytes.

    Maximum cut text length–Raises a protocol anomaly if IDP detects a VNC cut text buffer containing more bytes than the specified maximum. The default is 4096 bytes.

    Verify message after the initial handshake–Enables the security module to verify VNC connections after the initial handshake. This setting is not enabled by default.

    Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the specified maximum. The default is 4 VNC login failures per minute.

    WHOIS

    Maximum Request length–Raises a protocol anomaly if IDP detects a WHOIS request containing more bytes than the specified maximum. The default is 128 bytes.

    YMSG

    Maximum Message length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger message with a header that indicates more bytes for the total message than the specified maximum. The default is 8192 bytes.

    Maximum Username length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger ID containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum Groupname length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger group name containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum Crypt length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger encrypted password containing more bytes than the specified maximum. The default is 124 bytes.

    Maximum Instant message length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger message containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum Activity string length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger activity data type containing more bytes than the specified maximum. The default is 8000 bytes.

    Maximum Challenge length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger challenge containing more bytes than the specified maximum. The default is 15 bytes.

    Maximum Cookie length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger cookie containing more bytes than the specified maximum. The default is 84 bytes.

    Maximum URL length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger Web Name containing more bytes than the specified maximum. The default is 400 bytes.

    Maximum Conference message length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger join conference message containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum Conference name length –Raises a protocol anomaly if IDP detects a Yahoo! Messenger conference name containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum E-mail length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger new e-mail alert containing an e-mail that has more bytes than the specified maximum. The default is 84 bytes.

    Maximum E-mail subject length–Raises a protocol anomaly if IDP detects an Yahoo! Messenger subject line containing more bytes than the specified maximum. The default is 128 bytes.

    This setting tunes the Mail Subject Overflow attack object (key is CHAT:YIM:OVERFLOW:MAIL-SUBJECT).

    Maximum Filename length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger file transfer containing a filename that has more bytes than the specified maximum. The default is 1000 bytes.

    Maximum Chatroom name length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger chat room name containing more bytes than the specified maximum. The default is 1024 bytes.

    Maximum Chatroom message length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger chat room message containing more bytes than the specified maximum. The default is 2000 bytes.

    Maximum buddy list length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger buddy list containing more bytes than the specified maximum. The default is 8000 bytes.

    Maximum webcam key length –Raises a protocol anomaly if IDP detects an Yahoo! Messenger Webcam key containing more bytes than the specified maximum. The default is 124 bytes.

Related Documentation