Content matching, Positives | Force10 Networks 100-00055-01 specification

Table 8 Compiler Configuration Options

	Compilation Option	Description

7	Segmentation Evasion Rules	The pnic-Compiler prepends a set of fixed rules—called evasion.rules —
		located in the pnic-compiler/rulesdirectory. The rules help detect attacks
		which are using strategic TCP segmentation to avoid detection.
		It is best to include this file if Snort is being used as the front end. If not
		using Snort as the front end, these rules should not be included or they
		should be changed to accommodate other packet analysis requirements
		(see Figure 36 on page 59).
8	Maximum String	Specify the maximum number of bytes a single static rule can use for
		content matching.
		A low value truncates the match string and increases the number of rules
		that can fit into the FPGA, but this is at the expense of increased false
		positives.
		A value lower than 1024 is not recommended unless you can cope with the
		increased number of false positives through Snort or some other means
		(see Figure 37 on page 60).

9	Firmware Name	Enter a mnemonic name for the firmware you are about to create.

10	Confirmation	Enter Yes to save the configuration and compile the Snort rules into
		firmware (see Figure 37 on page 60).

P-Series Installation and Operation Guide, version 2.3.1.2

57

Image 57

Force10 Networks 100-00055-01 manual Content matching, Positives

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Audience ObjectivesConventions Convention Description Keyword Symbol Warning Description Information SymbolsRelated Documents Additional Resources This LED is green when the power is on This LED is blue when the hard disk is accessedLabel Description This LED is not used System Specifications Physical ConnectionsPB-10GE-2P Step Task Configuration BootingOnce the appliance is booted Security Check Cp -Rf /usr/local/pnic/ /home Gmake installTar xvzf PTPS-PMAIN Cd SW Install pre-compiled firmware if needed Cd upgradedirectory/pnic-compilerRe-compile all rules firmware with the new compiler Located in the directory pnic-compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Sample Rules and Firmware Types of RulesRx1 Tx1 Mirror Introduction Deploying the P-Series Rule ManagementSample Rules Files Rule Set Description Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui GUI Commands GUI CommandsCommand Description Rule Management GUI Managing Rules, Policies, and Firmware Option Description Editing Dynamic Rules with the GUIPolicy Capture Permit Deny To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI Runtime Statistics To select firmwareSelect Manage Firmware see Figure Runtime Statistics for Channel 0 and 1-FPGA Loaded Reloading Firmware Runtime Statistics DescriptionStatistic Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Managing the P-Series using Node Manager Web-browser Security CertificatesSeries Node Manager has four major management capabilities Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil System Installing the Sguil SensorInstalling the Sguil Server To uninstall the server Installing the Sguil ClientSource the server configuration file. The default Wish Sguil Files and Directories Installation FilesFile Location Sensor Server Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Editing Dynamic Rules with the CLI CLI CommandsMAC Rewriting Change directories to /usr/local/pnic/0 Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface Rules Capacity Creating Rules FilesCompiling Rules To complile rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration Configuration and Generated Files Configuration and Generated FilesFile Description Location Firmware Filenames Compiler ErrorsDescribes each of the elements in this format Firmware Filename Description Snort Rule Syntax Snort Rule HeadersSnort Rule Syntax Protocol Ports Series Supported Snort Keywords Series Rule SyntaxSnort Rule Options Keyword Static Dynamic Seq Yes Yes Only /8/16/24/32 masksYes Yes, no ranges Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Pnic aggregate-mode-disable Pnic aggregate-mode-disable numberAppendix a Pnic aggregate-mode-enable number Pnic aggregate-mode-enableDifferent ports. This is the default behavior Pnic apply-firmware Display the available firmware Pnic apply-firmware Command Example Pnic capture-on Pnic capture-offPnic capture-off Syntax pnic capture-on Pnic cardstatus Display the configuration parameters of the systemPnic cardstatus number Display the driver version Pnic default-drop-disable number Pnic default-drop-disablePnic compilerules Pnic compilerules number Enable firewall functionality Pnic default-drop-enableRun diagnostic tests on the card Pnic diag Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-disable Pnic flow-teardown-enable Example pnic flow-teardown-enable Command Example Pnic getmachashindexPnic getmachashindex number Pnic gui Launch the graphical user interfaceSyntax pnic gui Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadparams deprecated Pnic loadepromsLoad the PCI-X and front-end EEPROMs Pnic loadeproms number Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Enable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting. This is the default behaviorDisable MAC rewriting using the command pnic macrewrite-off Pnic macrewrite-off Pnic off deprecated Syntax pnic off100 Appendix a Enable the capturing of packets via direct memory access Example pnic off Command ExamplePnic on deprecated Pnic on Syntax pnic passive-mode-disable number Pnic passive-mode-disablePnic params Pnic params number Configure the ports to only receive traffic Pnic passive-mode-enableExample pnic passive-mode-disable Command Example Configure the ports to only receive traffic Pnic resetconf number Pnic resetconfPnic restart Stop capturing and matching Pnic sguil-sensor-start Series Installation and Operation Guide, version 105Start the Sguil sensor Pnic restart Pnic sguil-sensor-start -f Pnic sguil-sensor-stop Series Installation and Operation Guide, version 107Stop the Sguil sensor Pnic sguil-sensor-stop -f Pnic showconf Display configuration parameters of the cardPnic show-firmwares List the available firmware images Pnic showtech Series Installation and Operation Guide, version 109Apply a specific firmware to the card Pnic showtech number filename.dat Example pnic showtech Command Example Disable the network interface using the command pnic stopPnic start Pnic start number Enable the network interface using the command pnic start Turn off capture and disable the network interfaceDisable the network interface Pnic stop Pnic temp-mem-enable Pnic temp-mem-disableDisable temporary memory Enable temporary memory. This is the default behavior Disable temporary memory Pnic updatemacvaluePnic updatemacvalue number Specifies an LSB value for a particular hash index Pnic vlan-remove-enable Pnic vlan-remove-disableDisable the Vlan Tag Remove feature Vlan Tag Remove feature is disabled by default Pnic version Disable the web server using the command pnic web-gui-stopPnic web-gui-start Display the driver version Stop the web server Pnic web-gui-stopStop the web server Pnic web-gui-stop -f Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Keyword Description Rule Syntax Description of P-Series Snort KeywordsAck Checks for a specific TCP acknowledgment number Flags!*+ FSRPAU120 Icmp idnumber Flow establishedstatelessIcmp seq number Ipproto ! name number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Meta Rules for Channel 0 and Channel Meta RulesEvasion Rules 124 Appendix C Logout Unix CommandsPasswd Pwd ? text Vi CommandsSet number no Number Flow Dynamic RulesGarbage Collection Span Port SnortState Static Rules Series Installation and Operation Guide, version 129 Accessing iSupport ServicesManual Pages ISupport Website Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support