D-Link DFL-800-AV-12 User Manual - Page 193
Listing of IDP Groups, Processing Multiple Actions
View all D-Link DFL-800-AV-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 193 highlights
6.5.6. IDP Signature Groups Chapter 6. Security Mechanisms Using Groups Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at the same time when analyzing network traffic. To do this, signatures related to a particular protocol are grouped together. For example, all signatures that refer to the FTP protocol form a group. It is best to specify a group that relates to the traffic being searched than be concerned about individual signatures. For performance purposes, the aim should be to have NetDefendOS search data using the least possible number of signatures. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is the signature Type, the second level the Category and the third level the Sub-Category. The signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the Type, DB is the Category and MSSQL is the Sub-Category. These 3 signature components are explained below: 1. Signature Group Type The group type is one of the values IDS, IPS or Policy. These types are explained above. 2. Signature Group Category This second level of naming describes the type of application or protocol. Examples are: • BACKUP • DB • DNS • FTP • HTTP 3. Signature Group Sub-Category The third level of naming further specifies the target of the group and often specifies the application, for example MSSQL. The Sub-Category may not be necessary if the Type and Category are sufficient to specify the group, for example APP_ITUNES. Listing of IDP Groups A listing of IDP groupings can be found in Appendix B, IDP Signature Groups. The listing shows groups names consisting of the Category followed by the Sub-Category since the Type could be any of IDS, IPS or POLICY. Processing Multiple Actions For any IDP rule, it is possible to specify multiple actions and an action type such as Protect can be repeated. Each action will then have one or more signatures or groups associated with it. When signature matching occurs it is done in a top-down fashion, with matching for the signatures for the first action specified being done first. IDP signature wildcarding When selecting IDP signature groups, it is possible to use wildcarding to select more than one group. The"?" character can be used to wildcard for a single character in a group name. Alternatively, the "*" character can be used to wildcard for any set of characters of any length in a 193