Symantec 10268947 User Guide - Page 86

86 Detection Methods About sensor detection added to run services on non-standard ports or to ignore ports on which you normally run non-standard protocols, to mitigate common violations of protocol from being falsely reported as events. ■ Signature detection Symantec Network Security provides the functionality to begin detection immediately by applying protection policies. In addition to this initial ability, detection can also be enhanced and tuned to a particular network environment by creating and applying user-defined signatures. ■ Refinement rule detection Symantec Network Security detects both known and unknown (zero-day) attacks, using multiple detection technologies concurrently. Event refinement rules extend the Protocol Anomaly Detection capabilities. Symantec Network Security matches generic anomalies against a database of refinement rules, and for known attacks, reclassifies an anomaly event by retagging it with its specific name. New refinement rules are available as part of SecurityUpdates on a periodic basis. Each software or appliance node downloads the refinement rules from LiveUpdate and stores them individually. About sensor detection Symantec Network Security provides an array of sensor parameters that are preset for optimum performance and sensitivity. They can be tuned to address specific network environments, and each sensor can be set individually to devote it to specific tasks. These parameters perform multiple tasks, such as enabling the collection of flow statistics and full packet data, setting threshold levels for floods, scans, and sweeps, and regulating the percentage of traffic types that the sensor tolerates before it notifies you. The parameters also provide counter-based detection of floods and denial-of-service attacks such as resource reservation and pipe filling, regulate the suppression of duplicate events and enabling asymmetric routing, and enable checksum validation for a variety of traffic types.