Ports | Force10 Networks 100-00055-01 manual

Ports

Port numbers may be specified by the keyword any, a single port number, ranges, and by negation. any specifies any port. Static ports are indicated by a single port number, for example, 23 for Telnet. Port ranges can be specified using a colon as a range operator. It can be applied in three ways, as shown by Table 15.

Table 15 Rules Containing the Port Number Range Operator

log udp any any -> 192.168.1.0/24 1:1024 log udp log tcp any any -> 192.168.1.0/24 :6000

log tcp any :1024 -> 192.168.1.0/24 500:

•A colon between two port numbers indicates all ports between those ports, including the specified ports.

•A colon before a port number indicates all ports less than or equal to the specified port.

•A colon after a port number indicates all ports greater than or equal to the specifed port.

The negation operator can also be used in combination with port numbers. The rule in Table 16 logs all TCP traffic destined for ports other than port 6000 on the local network.

Table 16 Rules Containing the Port Number Negation Operator

log tcp any any -> 192.168.1.0/24 !6000:6000

Note: The negation operator may not be placed before the keyword any. The ICMP protocol does not require a port number.

Direction Operator

The direction operator, ->, indicates direction of the traffic to which the rule applies. The source IP address and port are on the left side of the direction operator, and the destination address and port are on the right side of the operator.

There is also a bidirectional operator, <>. This directs Snort to consider traffic originating from either of the specified addresses and ports. This operator can be used for analyzing both sides of a conversation. An example of the bidirectional operator being used to record both sides of a Telnet session is shown in Table 17.

Table 17 Rules Containing the Bidirectional Operator

log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

P-Series Installation and Operation Guide, version 2.3.1.2

65

Image 65

Force10 Networks 100-00055-01 manual Ports

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Audience ObjectivesConventions Convention Description Keyword Symbol Warning Description Information SymbolsRelated Documents Additional Resources This LED is green when the power is on This LED is blue when the hard disk is accessedLabel Description This LED is not used PB-10GE-2P System SpecificationsPhysical Connections Step Task Configuration BootingOnce the appliance is booted Security Check Cp -Rf /usr/local/pnic/ /home Gmake installTar xvzf PTPS-PMAIN Cd SW Install pre-compiled firmware if needed Cd upgradedirectory/pnic-compilerRe-compile all rules firmware with the new compiler Located in the directory pnic-compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Sample Rules and Firmware Types of RulesRx1 Tx1 Mirror Introduction Deploying the P-Series Rule ManagementSample Rules Files Rule Set Description Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui Command Description GUI CommandsGUI Commands Rule Management GUI Managing Rules, Policies, and Firmware Option Description Editing Dynamic Rules with the GUIPolicy Capture Permit Deny To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI Select Manage Firmware see Figure Runtime StatisticsTo select firmware Runtime Statistics for Channel 0 and 1-FPGA Loaded Statistic Description Reloading FirmwareRuntime Statistics Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Series Node Manager has four major management capabilities Managing the P-Series using Node ManagerWeb-browser Security Certificates Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil Server Installing the Sguil SystemInstalling the Sguil Sensor To uninstall the server Installing the Sguil ClientSource the server configuration file. The default Wish Sguil Files and Directories Installation FilesFile Location Sensor Server Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Editing Dynamic Rules with the CLI CLI CommandsMAC Rewriting Change directories to /usr/local/pnic/0 Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface Rules Capacity Creating Rules FilesCompiling Rules To complile rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration File Description Location Configuration and Generated FilesConfiguration and Generated Files Firmware Filenames Compiler ErrorsDescribes each of the elements in this format Firmware Filename Description Snort Rule Syntax Snort Rule SyntaxSnort Rule Headers Protocol Ports Series Supported Snort Keywords Series Rule SyntaxSnort Rule Options Keyword Static Dynamic Yes Yes, no ranges Seq YesYes Only /8/16/24/32 masks Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Appendix a Pnic aggregate-mode-disablePnic aggregate-mode-disable number Pnic aggregate-mode-enable number Pnic aggregate-mode-enableDifferent ports. This is the default behavior Pnic apply-firmware Display the available firmware Pnic apply-firmware Command Example Pnic capture-on Pnic capture-offPnic capture-off Syntax pnic capture-on Pnic cardstatus Display the configuration parameters of the systemPnic cardstatus number Display the driver version Pnic default-drop-disable number Pnic default-drop-disablePnic compilerules Pnic compilerules number Enable firewall functionality Pnic default-drop-enableRun diagnostic tests on the card Pnic diag Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-disable Pnic flow-teardown-enable Pnic getmachashindex number Example pnic flow-teardown-enable Command ExamplePnic getmachashindex Syntax pnic gui Pnic guiLaunch the graphical user interface Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadparams deprecated Pnic loadepromsLoad the PCI-X and front-end EEPROMs Pnic loadeproms number Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Enable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting. This is the default behaviorDisable MAC rewriting using the command pnic macrewrite-off Pnic macrewrite-off 100 Appendix a Pnic off deprecatedSyntax pnic off Enable the capturing of packets via direct memory access Example pnic off Command ExamplePnic on deprecated Pnic on Syntax pnic passive-mode-disable number Pnic passive-mode-disablePnic params Pnic params number Configure the ports to only receive traffic Pnic passive-mode-enableExample pnic passive-mode-disable Command Example Configure the ports to only receive traffic Pnic resetconf number Pnic resetconfPnic restart Stop capturing and matching Pnic sguil-sensor-start Series Installation and Operation Guide, version 105Start the Sguil sensor Pnic restart Pnic sguil-sensor-start -f Pnic sguil-sensor-stop Series Installation and Operation Guide, version 107Stop the Sguil sensor Pnic sguil-sensor-stop -f Pnic showconf Display configuration parameters of the cardPnic show-firmwares List the available firmware images Pnic showtech Series Installation and Operation Guide, version 109Apply a specific firmware to the card Pnic showtech number filename.dat Example pnic showtech Command Example Disable the network interface using the command pnic stopPnic start Pnic start number Enable the network interface using the command pnic start Turn off capture and disable the network interfaceDisable the network interface Pnic stop Pnic temp-mem-enable Pnic temp-mem-disableDisable temporary memory Enable temporary memory. This is the default behavior Disable temporary memory Pnic updatemacvaluePnic updatemacvalue number Specifies an LSB value for a particular hash index Pnic vlan-remove-enable Pnic vlan-remove-disableDisable the Vlan Tag Remove feature Vlan Tag Remove feature is disabled by default Pnic version Disable the web server using the command pnic web-gui-stopPnic web-gui-start Display the driver version Stop the web server Pnic web-gui-stopStop the web server Pnic web-gui-stop -f Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Keyword Description Rule Syntax Description of P-Series Snort KeywordsAck Checks for a specific TCP acknowledgment number Flags!*+ FSRPAU120 Icmp idnumber Flow establishedstatelessIcmp seq number Ipproto ! name number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Evasion Rules Meta Rules for Channel 0 and ChannelMeta Rules 124 Appendix C Logout Unix CommandsPasswd Pwd ? text Vi CommandsSet number no Number Flow Dynamic RulesGarbage Collection Span Port SnortState Static Rules Series Installation and Operation Guide, version 129 Accessing iSupport ServicesManual Pages ISupport Website Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support