Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 Keyword, Static, Dynamic, protocol, source address, source port

Models: 100-00055-01

1 132

Page 67

Table 19 Supported Snort Keywords for Static and Dynamic Rules

Keyword	Static	Dynamic

depth	No	No

dsize	Yes	No

flags	Yes	Yes, no wild card

flow	Yes	No

fragbits	Yes	No

fragoffset	Yes	No

icmp_id	Yes	Yes

icmp_seq	Yes	Yes

icode	Yes	Yes

id	Yes	Yes

ip_proto	Yes	Yes

itype	Yes	Yes

offset	No	No

nocase	Yes	No

protocol	ICMP, UDP, TCP, IP	ARP, ICMP, UDP, TCP, IP

seq	Yes	Yes

source address	Yes	Only /8/16/24/32 masks

destination address	Yes	Only /8/16/24/32 masks

source port	Yes	Yes, no ranges

destination port	Yes	Yes, no ranges

tos	Yes	Yes

ttl	Yes	Yes

uricontent	Yes, no negative.	No

window	Yes	No

within	No	No

P-Series Installation and Operation Guide, version 2.3.1.2

Page 67

Image 67

Force10 Networks 100-00055-01 manual Keyword, Static, Dynamic, protocol, source address, destination address, source port

Contents

Version P-Series Installation and Operation GuideMay 27 USA Federal Communications Commission FCC Statement Copyright 2008 Force10 NetworksTrademarks Statement of ConditionsPreface ContentsContents InstallationWeb-based Management Command Line InterfaceGraphical User Interface ChapterWriting Rules Command Line ReferenceBasic Unix Commands Compiling RulesTechnical Support Appendix EGlossary Appendix FAudience PrefaceAbout this Guide ObjectivesP-Series Release Notes Information SymbolsRelated Documents Additional ResourcesChapter InstallationPhysical Connections System SpecificationsPB-10GE-2P Step Task Upgrading Software BootingConfiguration Security Checkscp username@serverabsolutepath mkdir ~/upgradedirectoryfilename ~/upgradedirectory cd upgradedirectorygmake install Commandcd upgradedirectory/pnic-compiler cd upgradedirectory/firmwareTo begin inspecting and filtering traffic you must Returning to the Default ConfigurationGetting Started ChapterGetting Started Hardware Architecture Overview IntroductionChapter Sample Rules and Firmware Types of RulesDeploying the P-Series Rule ManagementFirewall Deployment” on page Optical Bypass 10-Gigabit Inline DeploymentFail-safe Deployment 10-Gigabit10-Gigabit Highly-available DeploymentPassive Deployment P1P0P-Series P10 Capturing Matched TrafficNetwork Switch with SPAN port Network Tap 10-Gigabit 10-GigabitCapturing to a Host CPU Traffic to Monitor Mirroring to Another DevicePB-10GE-2P M1 P1 P0 M0Chapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and FirmwareTo manage firmware, see “Selecting Firmware with the GUI” on page Editing Dynamic Rules with the GUIdirectory see “Editing Dynamic Rules with the GUI” on page GUI” on pageTo modify dynamic rules Managing Capture/Forward Policies with the GUITo change capture/forward policies fn9000013 Selecting Firmware with the GUIfn9000014 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface Launching the P-Series Node Manager Chapter 5 Web-based ManagementTo launch the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerManaging Firmware Images on page Managing the P-Series using Node ManagerWeb-browser Security Certificates Monitoring System Performance on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelSguil Client Chapter 6 Network Security MonitoringP-Series Sensors Sguil ServerHardware and Software Requirements Installing the Sguil SystemInstalling the Sguil Sensor Installing the Sguil ServerUninstalling the Sguil Server Installing the Sguil ClientWireshark # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesRunning the Sguil Sensor Running the Sguil SystemWriting New Rules Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpEditing Dynamic Rules with the CLI Chapter 7 Command Line InterfaceCLI Commands CLI commands are given in Command Line Reference on pageTo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Compiling Rules Compiling RulesCreating Rules Files Rules Capacity3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Options Target DeviceMatch non-IP Traffic pagesee Figure 37 on page Segmentation Evasion Rulessee Figure 36 on page Maximum StringEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationwhich the .bit files in /usr/local/pnic/0 are Configuration and Generated Filesto which the .mapping files in /usr/local/pnic Firmware Filenames Compiler ErrorsAction Writing RulesSnort Rule Syntax Snort Rule HeadersSource Addresses ProtocolDirection Operator PortsDestination Address and Port P-Series Rule SyntaxP-Series Supported Snort Keywords Snort Rule Optionsprotocol KeywordStatic DynamicStateful Matching Writing Stateful Rulesthen cpi Equation∧ si = si ⎬In Table Stateful Rule ExamplesHandling Segmentation Evasion Support for Snorts flow KeywordThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall FirewallChapter Figure 39 Enabling and Disabling Drop Mode Enabling the FirewallDrop mode Disabled Drop mode Enabled Verify Drop mode is EnabledWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic default-drop-disable on page pnic default-drop-enable on page Appendix A Command Line Referencepnic aggregate-mode-disable on page pnic aggregate-mode-enable on page pnic apply-firmware on pagepnic vlan-remove-enable on page pnic web-gui-start on page pnic aggregate-mode-disablepnic temp-mem-disable on page pnic temp-mem-enable on page pnic updatemacvalue on page pnic vlan-remove-disable on pagepnic apply-firmware pnic aggregate-mode-enableDisplay the available firmware Parameters Command History ExampleCommands pnic show-firmwaresSyntax Parameters Command History Example pnic capture-offpnic capture-on Enable the capturing of packets via direct memory accessCommands pnic cardstatusCommands Syntax Parameters Command History Examplepnic compilerules pnic default-drop-disableParameters Command History Example pnic default-drop-enableTemporary memory is disabled while the firewall is enabled pnic diagUsage Information Parameters Command History ExampleVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-enable pnic flow-teardown-disablevalue for an IP address pairs pnic getmachashindexpnic updatemacvalue pnic guiEnable MAC rewriting Disable MAC rewritingP-Series Installation and Operation Guide, version pnic gui Command ExampleExample output omitted pnic helpSyntax Command History Example pnic helpCommands pnic linkdownpnic linkup Syntax Parameters Command History ExampleSyntax Parameters Command History pnic loadconfParameters Command History Example CommandsCorresponding Parameter Addresspnic loadparams number pnic loadepromspnic loadparams deprecated pnic loadeproms numberCorresponding Parameter AddressCommand History Example Usage Information pnic loadrulesSyntax Parameters pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedpnic on deprecated pnic on deprecatedUsage Information Related Commands Syntax Parameters Command History Examplepnic params pnic passive-mode-disableCommands pnic passive-mode-enablepnic passive-mode-enable CommandStop capturing and matching pnic resetconfpnic restart Syntax Parameters Command History ExampleSyntax Command History Example pnic sguil-sensor-startDisable the network interface Enable the network interfacepnic sguil-sensor-start -f Stop the Sguil sensor using the command pnic sguil-sensor-stopSyntax Parameters Command History Example Commandspnic sguil-sensor-start Start the Sguil sensor pnic sguil-sensor-stopSyntax Parameters Command History Example CommandsCommands pnic showconfpnic show-firmwares Syntax Parameters Command History ExampleSyntax Parameters Command History pnic showtechCommand History Example CommandsDisable the network interface using the command pnic stop pnic startLoad the capture/block configuration Load the runtime parameters Enable the network interfaceSyntax Parameters Command History Example pnic stopEnable the network interface Commandspnic temp-mem-enable pnic temp-mem-disableEnable MAC rewriting pnic updatemacvalueUse this command with the MAC rewrite feature pnic temp-mem-disablepnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-enable pnic vlan-remove-disableDisplay the driver version pnic versionpnic web-gui-start Disable the web server using the command pnic web-gui-stopCommand Enable the web server using the command pnic web-gui-startpnic web-gui-stop CommandsRelated Commandspnic web-gui-start ExampleAppendix A dsize number number Appendix BSnort Keywords ack numberKeyword Rule Syntax uricontent ! “datastring”Keyword DescriptionAppendix B meta Rules Appendix C Meta and Evasion RulesEvasion Rules Appendix C Description Appendix D Basic Unix CommandsUnix Commands Command? text vi CommandsCommand DescriptionGlossary Appendix EStatic Rules SnortSPAN Port StateManual Pages Accessing iSupport ServicesAppendix F Technical SupportLocating P-Series Serial Numbers Contacting the Technical Assistance CenterSerial Number see Locating P-Series Serial Numbers on page To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support

protocol

source address

destination address

source port

destination port