Anomalous TCP Flags | Force10 Networks 100-00055-01 specs

Anomalous TCP Flags

Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information. Table 24 shows rules which were derived from the Snort scan pre-processor.

Table 24 TCP Packets with Anomalous Flags

alert on c0 tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;) alert on c0 tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;) alert on c0 tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;) alert on c0 tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;) alert on c0 tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)

The compiler also automatically produces rules that match all packets that are IP fragments or have IP options. These rules are not specified in the pnic.meta file as they can be more efficiently implemented by the compiler directly.

P-Series Installation and Operation Guide, version 2.3.1.2

73

Image 73

Force10 Networks 100-00055-01 manual Anomalous TCP Flags

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Audience ObjectivesConventions Convention Description Keyword Symbol Warning Description Information SymbolsRelated Documents Additional Resources This LED is green when the power is on This LED is blue when the hard disk is accessedLabel Description This LED is not used Physical Connections System SpecificationsPB-10GE-2P Step Task Configuration BootingOnce the appliance is booted Security Check Cp -Rf /usr/local/pnic/ /home Gmake installTar xvzf PTPS-PMAIN Cd SW Install pre-compiled firmware if needed Cd upgradedirectory/pnic-compilerRe-compile all rules firmware with the new compiler Located in the directory pnic-compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Sample Rules and Firmware Types of RulesRx1 Tx1 Mirror Introduction Deploying the P-Series Rule ManagementSample Rules Files Rule Set Description Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui GUI Commands GUI CommandsCommand Description Rule Management GUI Managing Rules, Policies, and Firmware Option Description Editing Dynamic Rules with the GUIPolicy Capture Permit Deny To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI To select firmware Runtime StatisticsSelect Manage Firmware see Figure Runtime Statistics for Channel 0 and 1-FPGA Loaded Runtime Statistics Description Reloading FirmwareStatistic Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Web-browser Security Certificates Managing the P-Series using Node ManagerSeries Node Manager has four major management capabilities Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server To uninstall the server Installing the Sguil ClientSource the server configuration file. The default Wish Sguil Files and Directories Installation FilesFile Location Sensor Server Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Editing Dynamic Rules with the CLI CLI CommandsMAC Rewriting Change directories to /usr/local/pnic/0 Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface Rules Capacity Creating Rules FilesCompiling Rules To complile rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration Configuration and Generated Files Configuration and Generated FilesFile Description Location Firmware Filenames Compiler ErrorsDescribes each of the elements in this format Firmware Filename Description Snort Rule Headers Snort Rule SyntaxSnort Rule Syntax Protocol Ports Series Supported Snort Keywords Series Rule SyntaxSnort Rule Options Keyword Static Dynamic Yes Only /8/16/24/32 masks Seq YesYes Yes, no ranges Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Pnic aggregate-mode-disable number Pnic aggregate-mode-disableAppendix a Pnic aggregate-mode-enable number Pnic aggregate-mode-enableDifferent ports. This is the default behavior Pnic apply-firmware Display the available firmware Pnic apply-firmware Command Example Pnic capture-on Pnic capture-offPnic capture-off Syntax pnic capture-on Pnic cardstatus Display the configuration parameters of the systemPnic cardstatus number Display the driver version Pnic default-drop-disable number Pnic default-drop-disablePnic compilerules Pnic compilerules number Enable firewall functionality Pnic default-drop-enableRun diagnostic tests on the card Pnic diag Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-disable Pnic flow-teardown-enable Pnic getmachashindex Example pnic flow-teardown-enable Command ExamplePnic getmachashindex number Launch the graphical user interface Pnic guiSyntax pnic gui Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadparams deprecated Pnic loadepromsLoad the PCI-X and front-end EEPROMs Pnic loadeproms number Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Enable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting. This is the default behaviorDisable MAC rewriting using the command pnic macrewrite-off Pnic macrewrite-off Syntax pnic off Pnic off deprecated100 Appendix a Enable the capturing of packets via direct memory access Example pnic off Command ExamplePnic on deprecated Pnic on Syntax pnic passive-mode-disable number Pnic passive-mode-disablePnic params Pnic params number Configure the ports to only receive traffic Pnic passive-mode-enableExample pnic passive-mode-disable Command Example Configure the ports to only receive traffic Pnic resetconf number Pnic resetconfPnic restart Stop capturing and matching Pnic sguil-sensor-start Series Installation and Operation Guide, version 105Start the Sguil sensor Pnic restart Pnic sguil-sensor-start -f Pnic sguil-sensor-stop Series Installation and Operation Guide, version 107Stop the Sguil sensor Pnic sguil-sensor-stop -f Pnic showconf Display configuration parameters of the cardPnic show-firmwares List the available firmware images Pnic showtech Series Installation and Operation Guide, version 109Apply a specific firmware to the card Pnic showtech number filename.dat Example pnic showtech Command Example Disable the network interface using the command pnic stopPnic start Pnic start number Enable the network interface using the command pnic start Turn off capture and disable the network interfaceDisable the network interface Pnic stop Pnic temp-mem-enable Pnic temp-mem-disableDisable temporary memory Enable temporary memory. This is the default behavior Disable temporary memory Pnic updatemacvaluePnic updatemacvalue number Specifies an LSB value for a particular hash index Pnic vlan-remove-enable Pnic vlan-remove-disableDisable the Vlan Tag Remove feature Vlan Tag Remove feature is disabled by default Pnic version Disable the web server using the command pnic web-gui-stopPnic web-gui-start Display the driver version Stop the web server Pnic web-gui-stopStop the web server Pnic web-gui-stop -f Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Keyword Description Rule Syntax Description of P-Series Snort KeywordsAck Checks for a specific TCP acknowledgment number Flags!*+ FSRPAU120 Icmp idnumber Flow establishedstatelessIcmp seq number Ipproto ! name number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Meta Rules Meta Rules for Channel 0 and ChannelEvasion Rules 124 Appendix C Logout Unix CommandsPasswd Pwd ? text Vi CommandsSet number no Number Flow Dynamic RulesGarbage Collection Span Port SnortState Static Rules Series Installation and Operation Guide, version 129 Accessing iSupport ServicesManual Pages ISupport Website Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support