Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Types of Rules, Sample Rules and Firmware

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 18

Types of Rules

Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports.

Note: Mirroring is automatically enabled when the mirroring port is connected to another network device. Mirroring is not controlled through the CLI.

Figure 3 Logic Diagram of Traffic Flow in the P10 DPI

Mirror 0

Rx0						Engine
Tx0

						Forwarding

Rx1


Tx1

Mirror 1

Match Result

State Table


	Detection Engine

Config Commands		Packet Data
		Packet Data

PCI-X Module

Packet Data

Device Access

figindex 006

Types of Rules

Two types of rules can be uploaded to the FPGA:

•Static rules: Static rules are compiled to become part of the firmware and are mapped directly into logic gates. Static rules can be set to capture/not capture and block/not block individually, but they cannot be changed once they have been loaded into the FPGA.

•Dynamic rules: Dynamic rules are programmed at runtime in the DPI hardware registers and can be configured without changing the firmware. These rules (like static rules) can be disabled/enabled individually.

Sample Rules and Firmware

The P10 includes sample rules files in the pnic-compiler/rulesdirectory. You can browse these files in order to become more familiar with Snort syntax or creating rules files; you can also generate firmware from these files at your discretion.

18	Introduction

Image 18

Force10 Networks 100-00055-01 manual Types of Rules, Sample Rules and Firmware

Contents

P-Series Installation and Operation Guide VersionMay 27 Statement of Conditions Copyright 2008 Force10 NetworksTrademarks USA Federal Communications Commission FCC StatementInstallation ContentsContents PrefaceChapter Command Line InterfaceGraphical User Interface Web-based ManagementCompiling Rules Command Line ReferenceBasic Unix Commands Writing RulesAppendix F Appendix EGlossary Technical SupportObjectives PrefaceAbout this Guide AudienceAdditional Resources Information SymbolsRelated Documents P-Series Release NotesInstallation ChapterSystem Specifications Physical ConnectionsPB-10GE-2P Step Task Security Check BootingConfiguration Upgrading Softwarecd upgradedirectory mkdir ~/upgradedirectoryfilename ~/upgradedirectory scp username@serverabsolutepathcd upgradedirectory/firmware Commandcd upgradedirectory/pnic-compiler gmake installChapter Returning to the Default ConfigurationGetting Started To begin inspecting and filtering traffic you mustGetting Started Introduction Hardware Architecture OverviewChapter Types of Rules Sample Rules and FirmwareRule Management Deploying the P-SeriesFirewall Deployment” on page 10-Gigabit Inline DeploymentFail-safe Deployment Optical Bypass 10-GigabitP1P0 Highly-available DeploymentPassive Deployment 10-GigabitNetwork Tap 10-Gigabit 10-Gigabit Capturing Matched TrafficNetwork Switch with SPAN port P-Series P10Capturing to a Host CPU M1 P1 P0 M0 Mirroring to Another DevicePB-10GE-2P Traffic to MonitorChapter 4 Graphical User Interface GUI Commands Command DescriptionManaging Rules, Policies, and Firmware PNIC0 Not ActiveGUI” on page Editing Dynamic Rules with the GUIdirectory see “Editing Dynamic Rules with the GUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageManaging Capture/Forward Policies with the GUI To modify dynamic rulesTo change capture/forward policies Selecting Firmware with the GUI fn9000013fn9000014 Runtime Statistics Figure 19 Runtime Statistics for Channel 0 and 1-FPGA Loaded Graphical User InterfaceReloading Firmware Graphical User Interface Chapter 5 Web-based Management Launching the P-Series Node ManagerTo launch the P-Series Node Manager Figure 21 Lauching the P-Series Node Manager Web-based ManagementMonitoring System Performance on page Managing the P-Series using Node ManagerWeb-browser Security Certificates Managing Firmware Images on pageMonitoring System Performance Managing Firmware Images Managing the Network Interface CardFigure 25 P-Series Node Manager Card Management Panel Web-based ManagementManaging Policies Figure 26 P-Series Node Manager Policy Managment Panel Web-based ManagementSguil Server Chapter 6 Network Security MonitoringP-Series Sensors Sguil ClientInstalling the Sguil Server Installing the Sguil SystemInstalling the Sguil Sensor Hardware and Software RequirementsInstalling the Sguil Client Uninstalling the Sguil ServerWireshark Installation Files # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dllRunning the Sguil System Running the Sguil SensorWriting New Rules Running the Sguil Server Running the Sguil Client To run the Sguil Clientfn90028mp fn90027mpCLI commands are given in Command Line Reference on page Chapter 7 Command Line InterfaceCLI Commands Editing Dynamic Rules with the CLIIn Figure To enable MAC rewritingRemoving VLAN Tags Command Line Interface Rules Capacity Compiling RulesCreating Rules Files Compiling Rulespage Target DeviceMatch non-IP Traffic 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ OptionsMaximum String Segmentation Evasion Rulessee Figure 36 on page see Figure 37 on pageEnter command gmake from pnic-compiler directory P-Series Installation and Operation Guide, version Figure 36 pnic-Compiler OptionSummary of configuration Starting and Stopping the pnic-CompilerConfiguration and Generated Files which the .bit files in /usr/local/pnic/0 areto which the .mapping files in /usr/local/pnic Compiler Errors Firmware FilenamesSnort Rule Headers Writing RulesSnort Rule Syntax ActionProtocol Source AddressesPorts Direction OperatorSnort Rule Options P-Series Rule SyntaxP-Series Supported Snort Keywords Destination Address and PortDynamic KeywordStatic protocolWriting Stateful Rules Stateful Matching= si ⎬ Equation∧ si then cpiStateful Rule Examples In TableSupport for Snorts flow Keyword Handling Segmentation EvasionThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Firewall Deploying the P-Series as a FirewallChapter Verify Drop mode is Enabled Enabling the FirewallDrop mode Disabled Drop mode Enabled Figure 39 Enabling and Disabling Drop ModeAllowing Traffic through the Firewall Writing Rules for a Firewall Deployment#permit let through and do not log to the host pnic aggregate-mode-enable on page pnic apply-firmware on page Appendix A Command Line Referencepnic aggregate-mode-disable on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic updatemacvalue on page pnic vlan-remove-disable on page pnic aggregate-mode-disablepnic temp-mem-disable on page pnic temp-mem-enable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic aggregate-mode-enable pnic apply-firmwarepnic show-firmwares Parameters Command History ExampleCommands Display the available firmwareEnable the capturing of packets via direct memory access pnic capture-offpnic capture-on Syntax Parameters Command History ExampleSyntax Parameters Command History Example pnic cardstatusCommands Commandspnic default-drop-disable pnic compilerulespnic diag pnic default-drop-enableTemporary memory is disabled while the firewall is enabled Parameters Command History ExampleParameters Command History Example Usage InformationVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-disable pnic flow-teardown-disablepnic flow-teardown-enable pnic flow-teardown-enablepnic getmachashindex value for an IP address pairsDisable MAC rewriting pnic guiEnable MAC rewriting pnic updatemacvaluepnic gui Command Example P-Series Installation and Operation Guide, versionExample pnic help pnic helpSyntax Command History Example output omittedSyntax Parameters Command History Example pnic linkdownpnic linkup CommandsCommands pnic loadconfParameters Command History Example Syntax Parameters Command HistoryAddress Corresponding Parameterpnic loadeproms number pnic loadepromspnic loadparams deprecated pnic loadparams numberAddress Corresponding Parameterpnic loadrules Command History Example Usage InformationSyntax Parameters pnic macrewrite-off pnic macrewrite-onpnic off deprecated Syntax pnic offSyntax Parameters Command History Example pnic on deprecatedUsage Information Related Commands pnic on deprecatedpnic passive-mode-disable pnic paramsCommand pnic passive-mode-enablepnic passive-mode-enable CommandsSyntax Parameters Command History Example pnic resetconfpnic restart Stop capturing and matchingEnable the network interface pnic sguil-sensor-startDisable the network interface Syntax Command History ExampleCommands Stop the Sguil sensor using the command pnic sguil-sensor-stopSyntax Parameters Command History Example pnic sguil-sensor-start -fCommands pnic sguil-sensor-stopSyntax Parameters Command History Example pnic sguil-sensor-start Start the Sguil sensorSyntax Parameters Command History Example pnic showconfpnic show-firmwares CommandsCommands pnic showtechCommand History Example Syntax Parameters Command HistoryEnable the network interface pnic startLoad the capture/block configuration Load the runtime parameters Disable the network interface using the command pnic stopCommands pnic stopEnable the network interface Syntax Parameters Command History Examplepnic temp-mem-disable pnic temp-mem-enablepnic temp-mem-disable pnic updatemacvalueUse this command with the MAC rewrite feature Enable MAC rewritingpnic vlan-remove-disable pnic vlan-remove-disablepnic vlan-remove-enable pnic vlan-remove-enableDisable the web server using the command pnic web-gui-stop pnic versionpnic web-gui-start Display the driver versionCommands Enable the web server using the command pnic web-gui-startpnic web-gui-stop CommandExample Commandspnic web-gui-start RelatedAppendix A ack number Appendix BSnort Keywords dsize number numberKeyword Description uricontent ! “datastring”Keyword Rule SyntaxAppendix B Appendix C Meta and Evasion Rules meta RulesEvasion Rules Appendix C Command Appendix D Basic Unix CommandsUnix Commands DescriptionDescription vi CommandsCommand ? textAppendix E GlossaryState SnortSPAN Port Static RulesTechnical Support Accessing iSupport ServicesAppendix F Manual PagesContacting the Technical Assistance Center Locating P-Series Serial NumbersSerial Number see Locating P-Series Serial Numbers on page Requesting a Hardware Replacement To request replacement hardware, follow these stepsTechnical Support