•
Intrusion Protection Signatures (IPS)
These are highly accurate and a match is almost certainly an indicator of a threat. Using the
Protect action is recommended. These signatures can detect administrative actions and
security scanners.
•
Intrusion Detection Signatures (IDS)
These can detect events that may be intrusions. They have lower accuracy than IPS and may
give some false positives so it is recommended that the Audit action is always used. Using
them with Protect may interrupt normal traffic.
•
Policy Signatures
These detect different types of application traffic. They can be used to block certain
applications such as file sharing applications and instant messaging.
6.6.6. IDP Signature Groups
Using Groups
Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them
at the same time when analyzing network traffic. To do this, signatures related to a particular
protocol are grouped together. For example, all signatures that refer to the FTP protocol form a
group. It is best to specify a group that relates to the traffic being searched than be concerned
about individual signatures. For performance purposes, the aim should be to have NetDefendOS
search data using the least possible number of signatures.
Specifying Signature Groups
IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is
the signature
Type
, the second level the
Category
and the third level the
Sub-Category
. The
signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the
Type
, DB
is the
Category
and MSSQL is the
Sub-Category
. These 3 signature components are explained
below:
1. Signature Group Type
The group type is one of the values
IDS
,
IPS
or
Policy
. These types are explained above.
2. Signature Group Category
This second level of naming describes the type of application or protocol. Examples are:
•
BACKUP
•
DB
•
DNS
•
FTP
•
HTTP
3. Signature Group Sub-Category
The third level of naming further specifies the target of the group and often specifies the
Chapter 6: Security Mechanisms
558
Summary of Contents for NetDefendOS
Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Page 32: ...Chapter 1 NetDefendOS Overview 32 ...
Page 144: ...Chapter 2 Management and Maintenance 144 ...
Page 284: ...Chapter 3 Fundamentals 284 ...
Page 392: ...Chapter 4 Routing 392 ...
Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Page 420: ...Chapter 5 DHCP Services 420 ...
Page 573: ...Chapter 6 Security Mechanisms 573 ...
Page 607: ...Chapter 7 Address Translation 607 ...
Page 666: ...Chapter 8 User Authentication 666 ...
Page 775: ...Chapter 9 VPN 775 ...
Page 819: ...Chapter 10 Traffic Management 819 ...
Page 842: ...Chapter 11 High Availability 842 ...
Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Page 879: ...Chapter 13 Advanced Settings 879 ...