Appendix C Meta and Evasion Rules

The meta and evasion rules for Channel 0 and Channel 1 are identical. They are listed in Table 29 and Table 30. The msg, flags and dsize options in these rules use standard Snort rule syntax; the S, R and C options are P-Series extensions and are not part of the Snort rule language.

Table 29 Meta Rules for Channel 0 and Channel 1

Meta Rules

alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)
alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)
alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)
alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)
alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)
alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)
alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)
alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)
alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)

In the flags option, the ",12" in "flags:S,12" masks out the two reserved (ECN) bits before the comparison, so a SYN that also carries CWR or ECE still matches the "Z SYN" rule; "flags:0" matches a TCP segment with no flags set at all. The remaining flag rules match only the exact combination listed. None of those combinations is sent by a conforming TCP stack, since every segment after the initial SYN carries ACK.

Table 30 Evasion Rules for Channel 0 and Channel 1

Evasion Rules

alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)
alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)
alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)
alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100; S:16; R:2; C:17;)

These rules key on dsize, the TCP payload length, so "fragment" here means a segment carrying a very small payload, the building block of evasions that split a signature across many tiny segments. Note that the msg text of the last three rules quotes a range of 0 <> 10 while the dsize option they actually test is 0 <> 20 or 0 <> 100; the dsize option, not the message text, is what the engine evaluates.
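The flag and payload-size predicates in Tables 29 and 30 can be evaluated offline against a few constructed packets to see which rules would fire. The following is an added example written for this appendix; it is not Force10 code or P-Series firmware. It assumes Snort semantics for the flags and dsize options, treats "lo <> hi" as an exclusive range (an assumption to verify against the engine the rules run on), and parses but does not evaluate the P-Series S, R and C options, since this page does not define them. It also checks each rule's msg text against its dsize option and, going beyond the rules in the tables, handles the +, * and ! modifiers of the general Snort flags syntax.

```python
"""Evaluate the flags and dsize predicates of the Appendix C rules against sample
packets. Added example, not Force10 code. Assumptions: flags and dsize follow
Snort semantics on the P-Series engine; "lo <> hi" is exclusive (lo < len < hi);
the P-Series S, R and C options are parsed but not evaluated, because this page
does not define them, so the two "within" rules match every packet of their protocol.
"""
import re

# Snort flag letters -> TCP flag bits. Snort names the ECN bits "1" (CWR, 0x80)
# and "2" (ECE, 0x40); "flags:S,12" uses them as the set of bits to ignore.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

# The rules of Tables 29 and 30, one per string (msg text copied as printed).
RULE_TEXT = [
    'alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)',
    'alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)',
    'alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)',
    'alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)',
    'alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)',
    'alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)',
    'alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)',
    'alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)',
    'alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100; S:16; R:2; C:17;)',
]
RULE_RE = re.compile(r"alert\s+(tcp|udp)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$")


def parse_rule(text):
    """Return a dict of the rule's protocol and options (msg, flags, dsize, S, R, C)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text)
    rule = {"proto": m.group(1)}
    for opt in m.group(2).split(";"):          # no msg on this page contains ';'
        if opt.strip():
            key, _, val = opt.partition(":")   # first ':' only; msg text may contain ':'
            rule[key.strip()] = val.strip().strip('"').strip()
    return rule


def flags_match(spec, tcp_flags):
    """Snort flags: [+|*|!]<letters or 0>[,<bits to ignore>]; no modifier = exact match."""
    spec, _, mask = spec.replace(" ", "").partition(",")
    mod = spec[0] if spec and spec[0] in "+*!" else ""
    letters = spec[len(mod):]
    want = 0 if letters == "0" else sum(FLAG_BITS[c] for c in letters)
    have = tcp_flags & ~sum(FLAG_BITS[c] for c in mask)
    if mod == "+":
        return (have & want) == want   # listed flags set, others allowed
    if mod == "*":
        return (have & want) != 0      # any listed flag set
    if mod == "!":
        return (have & want) == 0      # none of the listed flags set
    return have == want                # exactly the listed flags, nothing else


def dsize_match(spec, payload_len):
    """Snort dsize: N, <N, >N or lo<>hi (exclusive range by assumption, see above)."""
    spec = spec.replace(" ", "")
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo < payload_len < hi
    if spec[0] == "<":
        return payload_len < int(spec[1:])
    if spec[0] == ">":
        return payload_len > int(spec[1:])
    return payload_len == int(spec)


def matching_msgs(rules, proto, tcp_flags, payload_len):
    """msg of every rule whose protocol, flags and dsize predicates all hold."""
    hits = []
    for r in rules:
        if r["proto"] != proto:
            continue
        if "flags" in r and not flags_match(r["flags"], tcp_flags):
            continue
        if "dsize" in r and not dsize_match(r["dsize"], payload_len):
            continue
        hits.append(r["msg"])
    return hits


def msg_dsize_mismatches(rules):
    """msg of rules whose text quotes a 'lo <> hi' range that differs from their dsize."""
    bad = []
    for r in rules:
        m = re.search(r"(\d+)\s*<>\s*(\d+)", r.get("msg", ""))
        if m and "dsize" in r and "%s<>%s" % m.groups() != r["dsize"].replace(" ", ""):
            bad.append(r["msg"])
    return bad


RULES = [parse_rule(r) for r in RULE_TEXT]

if __name__ == "__main__":
    # Constructed packets: (protocol, TCP flag byte, payload length).
    for proto, flags, plen in [("tcp", 0xC2, 0), ("tcp", 0x12, 0), ("tcp", 0x00, 0),
                               ("tcp", 0x18, 1), ("udp", 0x00, 50)]:
        print(proto, hex(flags), plen, matching_msgs(RULES, proto, flags, plen))
    print("msg/dsize mismatches:", msg_dsize_mismatches(RULES))
```

Running it shows the effect of the ",12" mask (a SYN with both ECN bits set, 0xC2, still fires "Z SYN" while a SYN-ACK does not), that a one-byte PSH-ACK segment satisfies all four evasion dsize tests at once, and that three of the evasion rules carry a msg that disagrees with their dsize. Because the S, R and C state options are skipped, the two "within" rules appear in every hit list for their protocol; on the real engine they would only fire once the state conditions were met.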

P-Series Installation and Operation Guide, version 2.3.1.2 (Force10 Networks, 100-00055-01)