Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Anomalous TCP Flags

Models: 100-00055-01

1 132

Page 73

Anomalous TCP Flags

Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information. Table 24 shows rules which were derived from the Snort scan pre-processor.

Table 24 TCP Packets with Anomalous Flags

alert on c0 tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;) alert on c0 tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;) alert on c0 tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;) alert on c0 tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;) alert on c0 tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)

The compiler also automatically produces rules that match all packets that are IP fragments or have IP options. These rules are not specified in the pnic.meta file as they can be more efficiently implemented by the compiler directly.

P-Series Installation and Operation Guide, version 2.3.1.2

Page 73

Image 73

Force10 Networks 100-00055-01 manual Anomalous TCP Flags

Contents

Version P-Series Installation and Operation GuideMay 27 Trademarks Copyright 2008 Force10 NetworksStatement of Conditions USA Federal Communications Commission FCC StatementContents ContentsInstallation PrefaceGraphical User Interface Command Line InterfaceChapter Web-based ManagementBasic Unix Commands Command Line ReferenceCompiling Rules Writing RulesGlossary Appendix EAppendix F Technical SupportAbout this Guide PrefaceObjectives AudienceRelated Documents Information SymbolsAdditional Resources P-Series Release NotesChapter InstallationPhysical Connections System SpecificationsPB-10GE-2P Step Task Configuration BootingSecurity Check Upgrading Softwarefilename ~/upgradedirectory mkdir ~/upgradedirectorycd upgradedirectory scp username@serverabsolutepathcd upgradedirectory/pnic-compiler Commandcd upgradedirectory/firmware gmake installGetting Started Returning to the Default ConfigurationChapter To begin inspecting and filtering traffic you mustGetting Started Hardware Architecture Overview IntroductionChapter Sample Rules and Firmware Types of RulesDeploying the P-Series Rule ManagementFirewall Deployment” on page Fail-safe Deployment Inline Deployment10-Gigabit Optical Bypass 10-GigabitPassive Deployment Highly-available DeploymentP1P0 10-GigabitNetwork Switch with SPAN port Capturing Matched TrafficNetwork Tap 10-Gigabit 10-Gigabit P-Series P10Capturing to a Host CPU PB-10GE-2P Mirroring to Another DeviceM1 P1 P0 M0 Traffic to MonitorChapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and Firmwaredirectory see “Editing Dynamic Rules with the GUI” on page Editing Dynamic Rules with the GUIGUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageTo modify dynamic rules Managing Capture/Forward Policies with the GUITo change capture/forward policies fn9000013 Selecting Firmware with the GUIfn9000014 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface Launching the P-Series Node Manager Chapter 5 Web-based ManagementTo launch the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerWeb-browser Security Certificates Managing the P-Series using Node ManagerMonitoring System Performance on page Managing Firmware Images on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelP-Series Sensors Chapter 6 Network Security MonitoringSguil Server Sguil ClientInstalling the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server Hardware and Software RequirementsUninstalling the Sguil Server Installing the Sguil ClientWireshark # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesRunning the Sguil Sensor Running the Sguil SystemWriting New Rules Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpCLI Commands Chapter 7 Command Line InterfaceCLI commands are given in Command Line Reference on page Editing Dynamic Rules with the CLITo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Creating Rules Files Compiling RulesRules Capacity Compiling RulesMatch non-IP Traffic Target Devicepage 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Optionssee Figure 36 on page Segmentation Evasion RulesMaximum String see Figure 37 on pageEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationwhich the .bit files in /usr/local/pnic/0 are Configuration and Generated Filesto which the .mapping files in /usr/local/pnic Firmware Filenames Compiler ErrorsSnort Rule Syntax Writing RulesSnort Rule Headers ActionSource Addresses ProtocolDirection Operator PortsP-Series Supported Snort Keywords P-Series Rule SyntaxSnort Rule Options Destination Address and PortStatic KeywordDynamic protocolStateful Matching Writing Stateful Rules∧ si Equation= si ⎬ then cpiIn Table Stateful Rule ExamplesHandling Segmentation Evasion Support for Snorts flow KeywordThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall FirewallChapter Drop mode Disabled Drop mode Enabled Enabling the FirewallVerify Drop mode is Enabled Figure 39 Enabling and Disabling Drop ModeWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic aggregate-mode-disable on page Appendix A Command Line Referencepnic aggregate-mode-enable on page pnic apply-firmware on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic temp-mem-disable on page pnic temp-mem-enable on page pnic aggregate-mode-disablepnic updatemacvalue on page pnic vlan-remove-disable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic apply-firmware pnic aggregate-mode-enableCommands Parameters Command History Examplepnic show-firmwares Display the available firmwarepnic capture-on pnic capture-offEnable the capturing of packets via direct memory access Syntax Parameters Command History ExampleCommands pnic cardstatusSyntax Parameters Command History Example Commandspnic compilerules pnic default-drop-disableTemporary memory is disabled while the firewall is enabled pnic default-drop-enablepnic diag Parameters Command History ExampleUsage Information Parameters Command History ExampleVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-disable pnic flow-teardown-enablevalue for an IP address pairs pnic getmachashindexEnable MAC rewriting pnic guiDisable MAC rewriting pnic updatemacvalueP-Series Installation and Operation Guide, version pnic gui Command ExampleExample Syntax Command History Example pnic helppnic help output omittedpnic linkup pnic linkdownSyntax Parameters Command History Example CommandsParameters Command History Example pnic loadconfCommands Syntax Parameters Command HistoryCorresponding Parameter Addresspnic loadparams deprecated pnic loadepromspnic loadeproms number pnic loadparams numberCorresponding Parameter AddressCommand History Example Usage Information pnic loadrulesSyntax Parameters pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedUsage Information Related Commands pnic on deprecatedSyntax Parameters Command History Example pnic on deprecatedpnic params pnic passive-mode-disablepnic passive-mode-enable pnic passive-mode-enableCommand Commandspnic restart pnic resetconfSyntax Parameters Command History Example Stop capturing and matchingDisable the network interface pnic sguil-sensor-startEnable the network interface Syntax Command History ExampleSyntax Parameters Command History Example Stop the Sguil sensor using the command pnic sguil-sensor-stopCommands pnic sguil-sensor-start -fSyntax Parameters Command History Example pnic sguil-sensor-stopCommands pnic sguil-sensor-start Start the Sguil sensorpnic show-firmwares pnic showconfSyntax Parameters Command History Example CommandsCommand History Example pnic showtechCommands Syntax Parameters Command HistoryLoad the capture/block configuration Load the runtime parameters pnic startEnable the network interface Disable the network interface using the command pnic stopEnable the network interface pnic stopCommands Syntax Parameters Command History Examplepnic temp-mem-enable pnic temp-mem-disableUse this command with the MAC rewrite feature pnic updatemacvaluepnic temp-mem-disable Enable MAC rewritingpnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-disable pnic vlan-remove-enablepnic web-gui-start pnic versionDisable the web server using the command pnic web-gui-stop Display the driver versionpnic web-gui-stop Enable the web server using the command pnic web-gui-startCommands Commandpnic web-gui-start CommandsExample RelatedAppendix A Snort Keywords Appendix Back number dsize number numberKeyword Keyword uricontent ! “datastring”Description Rule SyntaxAppendix B meta Rules Appendix C Meta and Evasion RulesEvasion Rules Appendix C Unix Commands Appendix D Basic Unix CommandsCommand DescriptionCommand vi CommandsDescription ? textGlossary Appendix ESPAN Port SnortState Static RulesAppendix F Accessing iSupport ServicesTechnical Support Manual PagesLocating P-Series Serial Numbers Contacting the Technical Assistance CenterSerial Number see Locating P-Series Serial Numbers on page To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support