Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Ports, Direction Operator

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 65

Ports

Ports

Port numbers may be specified by the keyword any, a single port number, ranges, and by negation. any specifies any port. Static ports are indicated by a single port number, for example, 23 for Telnet. Port ranges can be specified using a colon as a range operator. It can be applied in three ways, as shown by Table 15.

Table 15 Rules Containing the Port Number Range Operator

log udp any any -> 192.168.1.0/24 1:1024 log udp log tcp any any -> 192.168.1.0/24 :6000

log tcp any :1024 -> 192.168.1.0/24 500:

•A colon between two port numbers indicates all ports between those ports, including the specified ports.

•A colon before a port number indicates all ports less than or equal to the specified port.

•A colon after a port number indicates all ports greater than or equal to the specifed port.

The negation operator can also be used in combination with port numbers. The rule in Table 16 logs all TCP traffic destined for ports other than port 6000 on the local network.

Table 16 Rules Containing the Port Number Negation Operator

log tcp any any -> 192.168.1.0/24 !6000:6000

Note: The negation operator may not be placed before the keyword any. The ICMP protocol does not require a port number.

Direction Operator

The direction operator, ->, indicates direction of the traffic to which the rule applies. The source IP address and port are on the left side of the direction operator, and the destination address and port are on the right side of the operator.

There is also a bidirectional operator, <>. This directs Snort to consider traffic originating from either of the specified addresses and ports. This operator can be used for analyzing both sides of a conversation. An example of the bidirectional operator being used to record both sides of a Telnet session is shown in Table 17.

Table 17 Rules Containing the Bidirectional Operator

log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

P-Series Installation and Operation Guide, version 2.3.1.2

65

Image 65

Force10 Networks 100-00055-01 manual Ports, Direction Operator

Contents

May 27 P-Series Installation and Operation GuideVersion Trademarks Copyright 2008 Force10 NetworksStatement of Conditions USA Federal Communications Commission FCC StatementContents ContentsInstallation PrefaceGraphical User Interface Command Line InterfaceChapter Web-based ManagementBasic Unix Commands Command Line ReferenceCompiling Rules Writing RulesGlossary Appendix EAppendix F Technical SupportAbout this Guide PrefaceObjectives AudienceRelated Documents Information SymbolsAdditional Resources P-Series Release NotesChapter InstallationPB-10GE-2P System SpecificationsPhysical Connections Step Task Configuration BootingSecurity Check Upgrading Softwarefilename ~/upgradedirectory mkdir ~/upgradedirectorycd upgradedirectory scp username@serverabsolutepathcd upgradedirectory/pnic-compiler Commandcd upgradedirectory/firmware gmake installGetting Started Returning to the Default ConfigurationChapter To begin inspecting and filtering traffic you mustGetting Started Chapter IntroductionHardware Architecture Overview Sample Rules and Firmware Types of RulesFirewall Deployment” on page Rule ManagementDeploying the P-Series Fail-safe Deployment Inline Deployment10-Gigabit Optical Bypass 10-GigabitPassive Deployment Highly-available DeploymentP1P0 10-GigabitNetwork Switch with SPAN port Capturing Matched TrafficNetwork Tap 10-Gigabit 10-Gigabit P-Series P10Capturing to a Host CPU PB-10GE-2P Mirroring to Another DeviceM1 P1 P0 M0 Traffic to MonitorChapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and Firmwaredirectory see “Editing Dynamic Rules with the GUI” on page Editing Dynamic Rules with the GUIGUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageTo change capture/forward policies Managing Capture/Forward Policies with the GUITo modify dynamic rules fn9000014 Selecting Firmware with the GUIfn9000013 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface To launch the P-Series Node Manager Chapter 5 Web-based ManagementLaunching the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerWeb-browser Security Certificates Managing the P-Series using Node ManagerMonitoring System Performance on page Managing Firmware Images on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelP-Series Sensors Chapter 6 Network Security MonitoringSguil Server Sguil ClientInstalling the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server Hardware and Software RequirementsWireshark Installing the Sguil ClientUninstalling the Sguil Server # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesWriting New Rules Running the Sguil SystemRunning the Sguil Sensor Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpCLI Commands Chapter 7 Command Line InterfaceCLI commands are given in Command Line Reference on page Editing Dynamic Rules with the CLITo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Creating Rules Files Compiling RulesRules Capacity Compiling RulesMatch non-IP Traffic Target Devicepage 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Optionssee Figure 36 on page Segmentation Evasion RulesMaximum String see Figure 37 on pageEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationto which the .mapping files in /usr/local/pnic Configuration and Generated Fileswhich the .bit files in /usr/local/pnic/0 are Firmware Filenames Compiler ErrorsSnort Rule Syntax Writing RulesSnort Rule Headers ActionSource Addresses ProtocolDirection Operator PortsP-Series Supported Snort Keywords P-Series Rule SyntaxSnort Rule Options Destination Address and PortStatic KeywordDynamic protocolStateful Matching Writing Stateful Rules∧ si Equation= si ⎬ then cpiIn Table Stateful Rule ExamplesThe meta.rules File Support for Snorts flow KeywordHandling Segmentation Evasion Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Chapter FirewallDeploying the P-Series as a Firewall Drop mode Disabled Drop mode Enabled Enabling the FirewallVerify Drop mode is Enabled Figure 39 Enabling and Disabling Drop ModeWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic aggregate-mode-disable on page Appendix A Command Line Referencepnic aggregate-mode-enable on page pnic apply-firmware on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic temp-mem-disable on page pnic temp-mem-enable on page pnic aggregate-mode-disablepnic updatemacvalue on page pnic vlan-remove-disable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic apply-firmware pnic aggregate-mode-enableCommands Parameters Command History Examplepnic show-firmwares Display the available firmwarepnic capture-on pnic capture-offEnable the capturing of packets via direct memory access Syntax Parameters Command History ExampleCommands pnic cardstatusSyntax Parameters Command History Example Commandspnic compilerules pnic default-drop-disableTemporary memory is disabled while the firewall is enabled pnic default-drop-enablepnic diag Parameters Command History ExampleVersion PMAIN2.3.0.014 root@localhost SW# Parameters Command History ExampleUsage Information pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-disable pnic flow-teardown-enablevalue for an IP address pairs pnic getmachashindexEnable MAC rewriting pnic guiDisable MAC rewriting pnic updatemacvalueExample pnic gui Command ExampleP-Series Installation and Operation Guide, version Syntax Command History Example pnic helppnic help output omittedpnic linkup pnic linkdownSyntax Parameters Command History Example CommandsParameters Command History Example pnic loadconfCommands Syntax Parameters Command HistoryCorresponding Parameter Addresspnic loadparams deprecated pnic loadepromspnic loadeproms number pnic loadparams numberCorresponding Parameter AddressSyntax Parameters pnic loadrulesCommand History Example Usage Information pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedUsage Information Related Commands pnic on deprecatedSyntax Parameters Command History Example pnic on deprecatedpnic params pnic passive-mode-disablepnic passive-mode-enable pnic passive-mode-enableCommand Commandspnic restart pnic resetconfSyntax Parameters Command History Example Stop capturing and matchingDisable the network interface pnic sguil-sensor-startEnable the network interface Syntax Command History ExampleSyntax Parameters Command History Example Stop the Sguil sensor using the command pnic sguil-sensor-stopCommands pnic sguil-sensor-start -fSyntax Parameters Command History Example pnic sguil-sensor-stopCommands pnic sguil-sensor-start Start the Sguil sensorpnic show-firmwares pnic showconfSyntax Parameters Command History Example CommandsCommand History Example pnic showtechCommands Syntax Parameters Command HistoryLoad the capture/block configuration Load the runtime parameters pnic startEnable the network interface Disable the network interface using the command pnic stopEnable the network interface pnic stopCommands Syntax Parameters Command History Examplepnic temp-mem-enable pnic temp-mem-disableUse this command with the MAC rewrite feature pnic updatemacvaluepnic temp-mem-disable Enable MAC rewritingpnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-disable pnic vlan-remove-enablepnic web-gui-start pnic versionDisable the web server using the command pnic web-gui-stop Display the driver versionpnic web-gui-stop Enable the web server using the command pnic web-gui-startCommands Commandpnic web-gui-start CommandsExample RelatedAppendix A Snort Keywords Appendix Back number dsize number numberKeyword Keyword uricontent ! “datastring”Description Rule SyntaxAppendix B Evasion Rules Appendix C Meta and Evasion Rulesmeta Rules Appendix C Unix Commands Appendix D Basic Unix CommandsCommand DescriptionCommand vi CommandsDescription ? textGlossary Appendix ESPAN Port SnortState Static RulesAppendix F Accessing iSupport ServicesTechnical Support Manual PagesSerial Number see Locating P-Series Serial Numbers on page Contacting the Technical Assistance CenterLocating P-Series Serial Numbers To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support