Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Segmentation Evasion Rules, see on page, Maximum String

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 57

Segmentation Evasion Rules

Table 8 Compiler Configuration Options

	Compilation Option	Description

7	Segmentation Evasion Rules	The pnic-Compiler prepends a set of fixed rules—called evasion.rules —
		located in the pnic-compiler/rulesdirectory. The rules help detect attacks
		which are using strategic TCP segmentation to avoid detection.
		It is best to include this file if Snort is being used as the front end. If not
		using Snort as the front end, these rules should not be included or they
		should be changed to accommodate other packet analysis requirements
		(see Figure 36 on page 59).
8	Maximum String	Specify the maximum number of bytes a single static rule can use for
		content matching.
		A low value truncates the match string and increases the number of rules
		that can fit into the FPGA, but this is at the expense of increased false
		positives.
		A value lower than 1024 is not recommended unless you can cope with the
		increased number of false positives through Snort or some other means
		(see Figure 37 on page 60).

9	Firmware Name	Enter a mnemonic name for the firmware you are about to create.

10	Confirmation	Enter Yes to save the configuration and compile the Snort rules into
		firmware (see Figure 37 on page 60).

P-Series Installation and Operation Guide, version 2.3.1.2

57

Image 57

Force10 Networks 100-00055-01 manual Segmentation Evasion Rules, see on page, Maximum String, Firmware Name, Confirmation

Contents

P-Series Installation and Operation Guide VersionMay 27 Trademarks Copyright 2008 Force10 NetworksStatement of Conditions USA Federal Communications Commission FCC StatementContents ContentsInstallation PrefaceGraphical User Interface Command Line InterfaceChapter Web-based ManagementBasic Unix Commands Command Line ReferenceCompiling Rules Writing RulesGlossary Appendix EAppendix F Technical SupportAbout this Guide PrefaceObjectives AudienceRelated Documents Information SymbolsAdditional Resources P-Series Release NotesChapter InstallationSystem Specifications Physical ConnectionsPB-10GE-2P Step Task Configuration BootingSecurity Check Upgrading Softwarefilename ~/upgradedirectory mkdir ~/upgradedirectorycd upgradedirectory scp username@serverabsolutepathcd upgradedirectory/pnic-compiler Commandcd upgradedirectory/firmware gmake installGetting Started Returning to the Default ConfigurationChapter To begin inspecting and filtering traffic you mustGetting Started Introduction Hardware Architecture OverviewChapter Sample Rules and Firmware Types of RulesRule Management Deploying the P-SeriesFirewall Deployment” on page Fail-safe Deployment Inline Deployment10-Gigabit Optical Bypass 10-GigabitPassive Deployment Highly-available DeploymentP1P0 10-GigabitNetwork Switch with SPAN port Capturing Matched TrafficNetwork Tap 10-Gigabit 10-Gigabit P-Series P10Capturing to a Host CPU PB-10GE-2P Mirroring to Another DeviceM1 P1 P0 M0 Traffic to MonitorChapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and Firmwaredirectory see “Editing Dynamic Rules with the GUI” on page Editing Dynamic Rules with the GUIGUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageManaging Capture/Forward Policies with the GUI To modify dynamic rulesTo change capture/forward policies Selecting Firmware with the GUI fn9000013fn9000014 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface Chapter 5 Web-based Management Launching the P-Series Node ManagerTo launch the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerWeb-browser Security Certificates Managing the P-Series using Node ManagerMonitoring System Performance on page Managing Firmware Images on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelP-Series Sensors Chapter 6 Network Security MonitoringSguil Server Sguil ClientInstalling the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server Hardware and Software RequirementsInstalling the Sguil Client Uninstalling the Sguil ServerWireshark # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesRunning the Sguil System Running the Sguil SensorWriting New Rules Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpCLI Commands Chapter 7 Command Line InterfaceCLI commands are given in Command Line Reference on page Editing Dynamic Rules with the CLITo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Creating Rules Files Compiling RulesRules Capacity Compiling RulesMatch non-IP Traffic Target Devicepage 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Optionssee Figure 36 on page Segmentation Evasion RulesMaximum String see Figure 37 on pageEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationConfiguration and Generated Files which the .bit files in /usr/local/pnic/0 areto which the .mapping files in /usr/local/pnic Firmware Filenames Compiler ErrorsSnort Rule Syntax Writing RulesSnort Rule Headers ActionSource Addresses ProtocolDirection Operator PortsP-Series Supported Snort Keywords P-Series Rule SyntaxSnort Rule Options Destination Address and PortStatic KeywordDynamic protocolStateful Matching Writing Stateful Rules∧ si Equation= si ⎬ then cpiIn Table Stateful Rule ExamplesSupport for Snorts flow Keyword Handling Segmentation EvasionThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Firewall Deploying the P-Series as a FirewallChapter Drop mode Disabled Drop mode Enabled Enabling the FirewallVerify Drop mode is Enabled Figure 39 Enabling and Disabling Drop ModeWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic aggregate-mode-disable on page Appendix A Command Line Referencepnic aggregate-mode-enable on page pnic apply-firmware on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic temp-mem-disable on page pnic temp-mem-enable on page pnic aggregate-mode-disablepnic updatemacvalue on page pnic vlan-remove-disable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic apply-firmware pnic aggregate-mode-enableCommands Parameters Command History Examplepnic show-firmwares Display the available firmwarepnic capture-on pnic capture-offEnable the capturing of packets via direct memory access Syntax Parameters Command History ExampleCommands pnic cardstatusSyntax Parameters Command History Example Commandspnic compilerules pnic default-drop-disableTemporary memory is disabled while the firewall is enabled pnic default-drop-enablepnic diag Parameters Command History ExampleParameters Command History Example Usage InformationVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-disable pnic flow-teardown-enablevalue for an IP address pairs pnic getmachashindexEnable MAC rewriting pnic guiDisable MAC rewriting pnic updatemacvaluepnic gui Command Example P-Series Installation and Operation Guide, versionExample Syntax Command History Example pnic helppnic help output omittedpnic linkup pnic linkdownSyntax Parameters Command History Example CommandsParameters Command History Example pnic loadconfCommands Syntax Parameters Command HistoryCorresponding Parameter Addresspnic loadparams deprecated pnic loadepromspnic loadeproms number pnic loadparams numberCorresponding Parameter Addresspnic loadrules Command History Example Usage InformationSyntax Parameters pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedUsage Information Related Commands pnic on deprecatedSyntax Parameters Command History Example pnic on deprecatedpnic params pnic passive-mode-disablepnic passive-mode-enable pnic passive-mode-enableCommand Commandspnic restart pnic resetconfSyntax Parameters Command History Example Stop capturing and matchingDisable the network interface pnic sguil-sensor-startEnable the network interface Syntax Command History ExampleSyntax Parameters Command History Example Stop the Sguil sensor using the command pnic sguil-sensor-stopCommands pnic sguil-sensor-start -fSyntax Parameters Command History Example pnic sguil-sensor-stopCommands pnic sguil-sensor-start Start the Sguil sensorpnic show-firmwares pnic showconfSyntax Parameters Command History Example CommandsCommand History Example pnic showtechCommands Syntax Parameters Command HistoryLoad the capture/block configuration Load the runtime parameters pnic startEnable the network interface Disable the network interface using the command pnic stopEnable the network interface pnic stopCommands Syntax Parameters Command History Examplepnic temp-mem-enable pnic temp-mem-disableUse this command with the MAC rewrite feature pnic updatemacvaluepnic temp-mem-disable Enable MAC rewritingpnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-disable pnic vlan-remove-enablepnic web-gui-start pnic versionDisable the web server using the command pnic web-gui-stop Display the driver versionpnic web-gui-stop Enable the web server using the command pnic web-gui-startCommands Commandpnic web-gui-start CommandsExample RelatedAppendix A Snort Keywords Appendix Back number dsize number numberKeyword Keyword uricontent ! “datastring”Description Rule SyntaxAppendix B Appendix C Meta and Evasion Rules meta RulesEvasion Rules Appendix C Unix Commands Appendix D Basic Unix CommandsCommand DescriptionCommand vi CommandsDescription ? textGlossary Appendix ESPAN Port SnortState Static RulesAppendix F Accessing iSupport ServicesTechnical Support Manual PagesContacting the Technical Assistance Center Locating P-Series Serial NumbersSerial Number see Locating P-Series Serial Numbers on page To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support