Symantec 10268947 User Guide - Page 88
the network, independent of the exploit tool. This results in earlier prevention
UPC - 037648243766
View all Symantec 10268947 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 88 highlights
88 Detection Methods About signature detection About Symantec signatures Symantec Network Security uses network pattern matching, or signatures, to provide a powerful layer of detection. Signature detection involves detecting threats by looking for a specific pattern or fingerprint of a known bad or harmful thing. This known-bad pattern is called a signature. These patterns are traditionally based on the observed network behavior of a specific tool or tools. Signature detection operates on the basic premise that each threat has some observable property that can be used to uniquely identify it. This can be based on any property of the particular network packet or packets that carry the threat. In some cases, this may be a literal string of characters found in one packet, or it may be a known sequence of packets that are seen together. In any case, every packet is compared against the pattern. Matches trigger an alert, while failure to match is processed as non-threatening traffic. Symantec Network Security uses signatures as a compliment to PAD. The combination provides robust detection without the weaknesses of either PAD alone or signatures alone. Symantec Network Security's high performance is maintained by matching against the smallest set of signatures as is possible given the current context. Since many threats are detected and refined through the PAD functionality, Symantec Network Security minimizes the set of required signatures to maximize performance. Symantec Network Security also uses methods of rapid response in creating signatures that detect attempts to exploit new vulnerabilities as soon as they hit the network, independent of the exploit tool. This results in earlier prevention of threats and more complete coverage. About user-defined signatures The Network Security console provides a way to configure and enable additional user-defined signatures on a per-sensor basis, as well as global signature variables, such as creating the variable name port to stand for a value of 2600. User-defined signatures are synchronized across clusters so that each node has the title, severity, and definition of the user-defined signature. SuperUsers can create, define, edit, and delete user-defined signatures. All users can view them. Note: Both StandardUsers and RestrictedUsers can view user-defined signatures, but cannot add, edit, or delete them.