subsystem but are acceptable to the target application.
Detection Action
If an Insertion/Evasion Attack is detected with the Insertion/Evasion Protect option enabled,
NetDefendOS automatically corrects the data stream by removing the extraneous data associated
with the attack.
Insertion/Evasion Log Events
The Insertion/Evasion Attack subsystem in NetDefendOS can generate two types of log message:
•
An Attack Detected log message, indicating an attack has been identified and prevented.
•
An Unable to Detect log message when NetDefendOS has been unable to identify potential
attacks when reassembling a TCP/IP stream although such an attack may have been present.
This condition is caused by infrequent and unusually complex patterns of data in the stream.
Recommended Configuration
By default, Insertion/Evasion protection is enabled for all IDP rules and this is the recommended
setting for most configurations. There are two motivations for disabling the option:
•
Increasing throughput - Where the highest throughout possible is desirable, then turning the
option off, can provide a slight increase in processing speed.
•
Excessive False Positives - If there is evidence of an unusually high level of Insertion/Evasion
false positives then disabling the option may be prudent while the false positive causes are
investigated.
6.5.5. IDP Pattern Matching
Signatures
In order for IDP to correctly identify an attack, it uses a profile of indicators, or pattern, associated
with different types of attack. These predefined patterns, also known as signatures, are stored in a
local NetDefendOS database and are used by the IDP module to analyze traffic for attack patterns.
Each IDP signature is designated by a unique number.
Consider the following simple attack example involving an exchange with an FTP server. A rogue
user might try to retrieve the password file "passwd" from an FTP server using the FTP command
RETR passwd. A signature looking for the ASCII text strings RETR and passwd would find a
match in this case, indicating a possible attack. In this example, the pattern is found in plaintext but
pattern matching is done in the same way on pure binary data.
Recognizing Unknown Threats
Attackers who build new intrusions often re-use older code. This means their new attacks can appear
"in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for
these reusable components, with pattern matching looking for building blocks rather than the entire
complete code patterns. This means that "known" threats as well as new, recently released,
"unknown" threats, built with re-used software components, can be protected against.
Signature Advisories
6.5.5. IDP Pattern Matching
Chapter 6. Security Mechanisms
325
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...