
Page 1: Cyberoam IDP Implementation Guide...Cyberoam IDP Implementation Guide IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time

Document version 9410-1.0-06/01/2007

Version 9 Cyberoam IDP Implementation Guide


Cyberoam IDP Implementation Guide

IMPORTANT NOTICE

Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

USER'S LICENSE

The Appliance described in this document is furnished under the terms of Elitecore's End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY

Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. Customer's exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center's option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions.

Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products, excluding power supplies, fans and electrical components, will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY

Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore's or its supplier's liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer.

The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS

Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

CORPORATE HEADQUARTERS

Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA
Phone: +91-79-26405600
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com

2


Guide Sets

Guide: Describes

User Guide
Console Guide: Console Management
Windows Client Guide: Installation & configuration of Cyberoam Windows Client
Linux Client Guide: Installation & configuration of Cyberoam Linux Client
HTTP Client Guide: Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide: Using the Analytical tool for diagnosing and troubleshooting common problems
LDAP Integration Guide: Configuration for integrating LDAP with Cyberoam for external authentication
ADS Integration Guide: Configuration for integrating ADS with Cyberoam for external authentication
RADIUS Integration Guide: Configuration for integrating RADIUS with Cyberoam for external authentication
High Availability Configuration Guide: Configuration of High Availability (HA)
Multi Link Manager User Guide: Configuration of Multiple Gateways, load balancing and failover
VPN Management: Implementing and managing VPN
Cyberoam IDP Implementation Guide: Configuring, implementing and managing Intrusion Detection and Prevention
Cyberoam Anti Virus Implementation Guide: Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide: Configuring and implementing anti spam solution

3


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower, Off C.G. Road, Ahmedabad 380015, Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: [email protected]
Web site: www.cyberoam.com
Visit www.cyberoam.com for the regional and latest contact information.

4


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item: Convention (Example)

Server: Machine where Cyberoam Software - Server component is installed
Client: Machine where Cyberoam Software - Client component is installed
User: The end user
Username: Username uniquely identifies the user of the system
Part titles: Bold and shaded font typefaces (Example: Report)
Topic titles: Shaded font typefaces (Example: Introduction)
Subtitles: Bold & Black typefaces (Example: Notation conventions)
Navigation link: Bold typeface (Example: Group Management → Groups → Create, meaning: to open the required page, click Group Management, then Groups, and finally click the Create tab)
Name of a particular parameter / field / command button text: Lowercase italic type (Example: "Enter policy name", where policy name is replaced with the specific name of a policy; or "Click Name to select", where Name denotes the command button to be clicked)
Cross references: Hyperlink in a different color (Example: "refer to Customizing User database"; clicking the link opens that topic)
Notes & points to remember: Bold typeface between black borders (Example: Note)
Prerequisites: Bold typeface between black borders (Example: Prerequisite, followed by the prerequisite details)

5


Contents

OVERVIEW ... 7
IDP ... 7
CYBEROAM IDP ... 8
Create IDP Policy ... 9
Enable/Disable Category ... 11
Signature Configuration ... 12
Update IDP policy ... 13
Delete IDP policy ... 14
Search IDP Signature ... 15
Create Custom Signature ... 16
Update Custom Signature ... 18
Delete Custom Signature ... 20
Custom Signature syntax ... 21
Monitoring IDP ... 26
Manage IDP ... 27

6


Overview

Welcome to Cyberoam's IDP Implementation Guide. Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam's perfect blend of best-of-breed solutions includes user-based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers such as Web, Mail and FTP servers hosted in the DMZ, which are visible to the external world and still have firewall protection.

Cyberoam is a real-time intrusion detection and prevention system that protects your network from known and unknown attacks by worms and viruses, hackers and other internet risks. The Cyberoam appliance at the perimeter of your network analyzes all traffic and prevents attacks from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack, it simply does not get through.

The IDP module is an add-on module, which needs to be subscribed before use. Refer to the Licensing section for details on registration.

IDP

An IDP system is a type of security management system that gathers and analyzes information from a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). IDP detects and/or prevents malicious activity such as denial of service attacks, port scans or even attempts to break into computers by monitoring network traffic. To detect such activity, IDPs use signatures. Whenever traffic matching a signature is found, the IDP triggers an alarm and blocks the traffic from reaching its destination.

A standard IDP allows defining a global policy that can be applied to source-destination network/host/port combinations. This global policy can be modified or tuned as required but cannot be tailored per network or per host. As the global policy is a general policy for all, standard IDPs generate a high number of false positives, which makes it difficult to pinpoint the host generating malicious traffic or vice versa. Fine-tuning the global policy means disabling a set of signatures for all networks/hosts. This may not be a fit-for-all policy: it might reduce false positives from one network while increasing them from another, and may even fail to detect certain obvious malicious activity.

7


Cyberoam IDP

Cyberoam IDP also uses signatures to identify malicious activity on the network, but instead of providing only one (global) policy for managing multiple networks/hosts, it allows you to tailor the policy per network/host, i.e. to define multiple policies for managing multiple networks/hosts. Cyberoam IDP consists of a signature engine with a predefined database of signatures. The signatures included with Cyberoam cannot be modified. As per your network requirements, Cyberoam allows you to define multiple policies instead of one global policy, to decrease packet latency and reduce false positives. A policy allows you to view the Cyberoam predefined signatures and customize the intrusion prevention configuration at the category as well as the individual signature level. Categories are signatures grouped together based on application and protocol vulnerabilities. Each IDP policy contains a set of signatures that Cyberoam searches for, logs and blocks, and allows you to:
• Enable or disable a category from IDP protection
• Enable or disable an individual signature in a category to tailor IDP protection based on your network environment
• Define the action to be taken when a matching traffic pattern is found. Cyberoam can either detect or drop the connection. In either case, Cyberoam generates a log and alerts the Network Administrator.

To enable the intrusion detection and prevention functionality, apply the policy using a firewall rule. You can create rules to apply:
• a single policy for all users/networks
• different policies for different users/networks or hosts

As firewall rules control all traffic passing through Cyberoam and decide whether to allow or drop the connection, the IDP policy is applied only to the traffic/packets that the firewall passes.
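The policy model described above (a firewall rule selects which policy, if any, inspects a network; the policy switches categories ON/OFF and sets each signature to Detect or Drop; a mode set in the policy overrides the vendor's proposed action, as the Search IDP Signature section later explains; both modes log and alert, only Drop blocks) as an added Python simulation. This is not code from the guide or from Cyberoam; the signature IDs, names, networks and policy names are constructed for the example.

```python
"""Toy simulation of how a Cyberoam-style IDP policy is applied.

Constructed example, not Cyberoam code. A firewall rule selects which IDP
policy (if any) inspects traffic from a source network; the policy turns
categories ON/OFF and sets each signature to 'Detect' or 'Drop'. A mode set
in the policy overrides the signature's vendor-proposed action; a category
or signature that is OFF means no IDP action for that hit.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Signature:
    sid: int
    name: str
    category: str
    proposed_action: str  # 'Detect' or 'Drop', fixed by the vendor, not editable


@dataclass
class Policy:
    name: str
    categories: dict = field(default_factory=dict)  # category -> True (ON) / False (OFF); default ON
    signatures: dict = field(default_factory=dict)  # sid -> {"enabled": bool, "mode": "Detect"|"Drop"}

    def effective_action(self, sig: Signature) -> Optional[str]:
        """'Drop', 'Detect', or None when this policy takes no action on the signature."""
        if not self.categories.get(sig.category, True):
            return None  # category OFF: same as not implementing IDP for it
        cfg = self.signatures.get(sig.sid)
        if cfg is None:
            return sig.proposed_action  # nothing overridden: proposed action applies
        if not cfg["enabled"]:
            return None  # individual signature OFF
        return cfg["mode"]  # policy setting overrides the proposed action


@dataclass
class FirewallRule:
    source: ipaddress.IPv4Network
    allow: bool
    idp_policy: Optional[str] = None  # None: traffic passes without IDP inspection


class Idp:
    def __init__(self, signatures, policies, rules):
        self.signatures = {s.sid: s for s in signatures}
        self.policies = {p.name: p for p in policies}
        self.rules = rules  # ordered; first matching rule wins

    def rule_for(self, src: str) -> Optional[FirewallRule]:
        addr = ipaddress.ip_address(src)
        return next((r for r in self.rules if addr in r.source), None)

    def handle(self, src: str, matched_sid: int) -> dict:
        """Verdict for a packet from `src` whose payload matched signature `matched_sid`."""
        rule = self.rule_for(src)
        if rule is None or not rule.allow:
            return {"verdict": "firewall-drop", "idp_log": False}  # never reaches IDP
        if rule.idp_policy is None:
            return {"verdict": "pass", "idp_log": False}
        sig = self.signatures[matched_sid]
        action = self.policies[rule.idp_policy].effective_action(sig)
        if action is None:
            return {"verdict": "pass", "idp_log": False}
        # Both modes log and alert the administrator; only Drop blocks and resets.
        return {
            "verdict": "drop" if action == "Drop" else "pass",
            "idp_log": True,
            "alert": f"{sig.name} [{action}] from {src} (policy {rule.idp_policy})",
        }


def build_demo() -> Idp:
    """Constructed signatures, two policies and three firewall rules (hypothetical values)."""
    signatures = [
        Signature(1001, "FTP USER overflow attempt", "ftp", "Drop"),
        Signature(1002, "ICMP ping sweep", "icmp", "Detect"),
        Signature(1003, "Web CGI phf access", "web-cgi", "Detect"),
    ]
    lan = Policy("lan_policy",
                 categories={"icmp": False},                            # noisy on the LAN: OFF
                 signatures={1003: {"enabled": True, "mode": "Drop"}})  # override Detect -> Drop
    dmz = Policy("dmz_policy")                                           # vendor defaults only
    rules = [
        FirewallRule(ipaddress.ip_network("10.0.0.0/24"), True, "lan_policy"),
        FirewallRule(ipaddress.ip_network("172.16.0.0/24"), True, "dmz_policy"),
        FirewallRule(ipaddress.ip_network("0.0.0.0/0"), False),  # everything else dropped
    ]
    return Idp(signatures, [lan, dmz], rules)


if __name__ == "__main__":
    idp = build_demo()
    for src, sid in [("10.0.0.5", 1002), ("10.0.0.5", 1003), ("172.16.0.9", 1003),
                     ("172.16.0.9", 1001), ("192.168.1.1", 1001)]:
        print(src, sid, idp.handle(src, sid))
```

The same signature hit gets different treatment per network: the LAN policy silences the ICMP category and escalates the CGI signature to Drop, while the DMZ policy keeps the vendor's proposed actions, which is the per-network tailoring the guide contrasts with a single global policy.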

8


Create IDP Policy

Create and deploy IDP policies to block malicious or suspicious traffic and increase security productivity. A policy allows you to view the Cyberoam-IDP signatures and configure the handling of signatures by category or on a signature-by-signature basis.

Select IDP → Policy → Create to open the Create IDP policy page.

Screen – Create IDP policy

Screen Elements – Description

Create IDP policy
Name: Specify policy name. Choose a name that best describes the policy. Allows a maximum of 60 characters; can be any combination of A – Z, a – z, '_', 0 - 9. Spaces between characters are not allowed.
Policy Description: Specify full description of the policy
Create button: Creates the policy. On successful creation of the policy, define what action is to be taken when traffic matches any of the signatures. By default, all the categories are enabled and individual signatures within a category are set to 'Detect' or 'Drop' mode. Refer to 'Enable/Disable Category' to enable or disable an individual category. Refer to 'Signature Configuration' to configure an individual signature within a category for intrusion prevention and detection.
Cancel button: Cancels the current operation and returns to the Manage IDP policy page

Table – Create IDP policy screen elements

10


Enable/Disable Category

Select IDP → Policy → Manage to view the list of policies created. Click the policy for which you want to enable/disable a category.

Click the Edit mark against the Category to be enabled/disabled.

A green check mark indicates that the Category is enabled.

A red cross indicates that the Category is disabled.

Screen – Enable/Disable Category

Screen Elements – Description

Edit IDP Category
Category: Displays Category name
Policy: Displays the Policy for which the Category will be enabled/disabled
Enabled: Select 'ON' to include the category for detection and prevention. Select 'OFF' to exclude the category from detection and prevention. Excluding the category is the same as not implementing IDP for that category. Refer to 'Signature Configuration' to set the IDP mode for individual signatures within the category.
Save button: Saves the settings
Cancel button: Cancels the current operation and returns to the Manage IDP policy page

Table – Enable/Disable Category screen elements

11


Signature Configuration

Select IDP → Policy → Manage to view the list of policies created. Click the policy for which you want to configure a signature.

Click next to the Category name for which the Signature is to be configured. It displays the list of signatures included in the category and the action Cyberoam will take if the signature is identified. Click the Signature Name to view the details of the Signature. A green check mark indicates that the Signature is enabled; a red cross indicates that the Signature is disabled. Click the Edit mark against the Signature to be configured.

Screen Elements – Description

Configure Signature
Signature: Displays Signature name
Policy: Displays Policy name
Enabled: To perform intrusion prevention and detection, i.e. to take action if the signature is detected, you need to enable the Signature. Select 'ON' to include the Signature for detection and prevention. Select 'OFF' to exclude the Signature from the detection and prevention process.
IDP mode (only if Enabled is 'ON'): Set the IDP mode (Detect or Drop) for the signature to suit your needs.
Drop mode: If the matching traffic pattern is detected, Cyberoam logs the details, alerts the Administrator, drops the packets that triggered the IDP, resets the connection and prevents the traffic from reaching its destination.
Detect mode: If the matching traffic pattern is detected, Cyberoam logs the details and alerts the Administrator, but does not take any action against the traffic; the connection proceeds to its intended destination.
Save button: Saves the settings
Cancel button: Cancels the current operation and returns to the Manage IDP policy page

Table – Configure Signature screen elements

12


Update IDP policy

Use to:
• Enable/Disable Category
• Configure Individual Signature

Select IDP → Policy → Manage and click the Policy name to be modified

Screen – Update IDP policy screen

Screen Elements – Description

Edit IDP policy
Name: Displays policy name
Policy Description: Displays full description of the policy; modify if required.
Displays the list of enabled and disabled Categories for the policy. Refer to Enable/Disable Category for details. If a category is disabled, it will not be included in the prevention and detection of intrusions. Click next to the Category name for which the Signature is to be configured; it displays the list of signatures in the Category. Refer to Configure Signatures to enable/disable and set the IDP mode for individual signatures within the category.
Save button: Updates and saves the policy description
Cancel button: Cancels the current operation and returns to the Manage IDP policy page

Table – Update IDP policy screen elements

13


Delete IDP policy

Select IDP → Policy → Manage to view list of policies

Screen – Delete IDP policy screen

Screen Elements – Description

Del: Select policy for deletion. Click Del to select; more than one policy can be selected.
Select All: Selects all the policies for deletion. Click Select All to select all the policies.
Delete button: Deletes all the selected policy/policies

Table – Delete IDP policy screen elements

14


Search IDP Signature

You can search the signature database by entering the signature ID or Signature name. The search result displays:
• Signature ID as defined by Cyberoam
• Signature name and the category in which the signature is included by Cyberoam
• Whether the Signature is enabled for use or not
• Proposed action by Cyberoam – what action should be taken on detecting the matching traffic pattern. The proposed action is set by Cyberoam and cannot be modified.
• Action – what action was taken when the matching pattern was found. The action to take is specified in the policy. If the proposed action and the action specified in the policy are different, the action specified in the policy is taken, i.e. the action specified in the policy overrides the proposed action.

Screen – Search Signature

Screen – Search Result

15


Create Custom Signature

Custom signatures provide the flexibility to customize IDP for diverse network environments. The default signatures included in Cyberoam cover common attacks, while custom signatures protect your network from uncommon attacks that arise from the use of a proprietary server, a custom protocol, or specialized applications used in the corporate network. Create a custom signature to define custom IDP signatures for your own network and use it to allow or block specific traffic.

Select IDP → Custom Signature → Create

Screen – Create Custom Signature

16


Screen Elements – Description

Custom Signature
Custom Signature Name: Specify signature name. Choose a name that best describes the signature
Protocol: Specify protocol
Custom Rule: Specify signature. The signature definition must begin with a keyword followed by the value enclosed in double quotes and must end with a semicolon (;). Format: Keyword:"value"; E.g. content:"USER JOHN"; If traffic with the content USER JOHN is detected, the action defined in the policy will be taken.
Severity: Specify the severity level of the signature. Severity level can be Warning, Minor, Moderate, Major, or Critical

Custom Signature Mode
Custom Signature mode: Select the Default Mode. Mode decides what action to take if a pattern matching the Signature is found. By default, the mode is 'OFF' (disabled) for all the policies. The default mode selected applies to all the IDP policies. You can override the default mode of the signature for each IDP policy. Select 'OFF' to exclude the signature from the detection and/or prevention process.
Drop mode: If any traffic that matches the signature is detected, Cyberoam logs the details, alerts the Administrator, automatically drops the packets that triggered IDP, resets the connection and prevents the traffic from reaching its destination.
Detect mode: If any traffic that matches the signature is detected, Cyberoam logs the details and alerts the Administrator, but does not take any action against the traffic; the connection proceeds to its intended destination.

Override Policy Mode
Displays the complete list of policies
Override Policy mode: For each policy, set what action should be taken if traffic matching the signature is found

Description
Policy Description: Specify full description of the policy
Create button: Creates the signature. On successful creation of the signature, define what action is to be taken when traffic matches the signature.
Cancel button: Cancels the current operation and returns to the Manage IDP policy page

Table – Create Custom Signature screen elements

Note

Custom signatures are an advanced feature that requires thorough networking knowledge and previous experience creating intrusion detection signatures.

Update Custom Signature

Select IDP → Custom Signature → Manage to view list of policies

Screen – Edit Custom Signature

Screen Elements – Description

Custom Signature
Custom Signature Name: Displays signature name; modify if required
Protocol: Displays the protocol for which the signature is created; modify if required

18


Custom Rule: Displays signature; modify if required. The signature definition must begin with a keyword followed by the value enclosed in double quotes and must end with a semicolon (;). Format: Keyword:"value"; E.g. content:"USER JOHN"; If traffic with the content USER JOHN is detected, the action defined in the policy will be taken. Refer to Custom Signature Syntax for more details.
Severity: Displays the severity level of the signature; modify if required. Severity level can be Warning, Minor, Moderate, Major, or Critical

Custom Signature Mode
Custom Signature mode: Displays the Default Mode; modify if required. Mode decides what action to take if a pattern matching the Signature is found. By default, the mode is 'OFF' (disabled) for all the policies. The default mode selected applies to all the IDP policies. You can override the default mode of the signature for each IDP policy. Select 'OFF' to exclude the signature from the detection and/or prevention process.
Drop mode: If any traffic that matches the signature is detected, Cyberoam logs the details, alerts the Administrator, automatically drops the packets that triggered IDP, resets the connection and prevents the traffic from reaching its destination.
Detect mode: If any traffic that matches the signature is detected, Cyberoam logs the details and alerts the Administrator, but does not take any action against the traffic; the connection proceeds to its intended destination.

Override Policy Mode
Displays the complete list of policies
Override Policy mode: For each policy, set what action should be taken if traffic matching the signature is found

Description
Policy Description: Displays full description of the policy; modify if required
Save button: Saves the modified details
Cancel button: Cancels the current operation and returns to the Manage IDP policy page

Table – Edit Custom Signature screen elements

19


Delete Custom Signature

Select IDP → Custom Signature → Manage to view list of signatures

Screen – Delete Custom Signature

Screen Elements – Description

Del: Select signature for deletion. Click Del to select; more than one signature can be selected.
Select All: Selects all the signatures for deletion. Click Select All to select all the signatures.
Delete button: Deletes all the selected signature(s)

Table – Delete Custom Signature screen elements

20


Custom Signature syntax

Keyword / Value / Usage

srcaddr/dstaddr
Value: <ipaddress>;
Usage: The source/destination IP address

srcport/dstport
Value: <Number>;
Usage: The source/destination port

content
Value: "<content string>";
Usage: A string quoted within double quotes. Multiple contents can be specified in one rule. The value can contain mixed text and binary data. Binary data is enclosed within the pipe (|) character.

nocase (can be used with the content keyword only)
Value: NULL
Usage: Ignore case in the content value

rawbytes (can be used with the content keyword only)
Value: NULL
Usage: Ignore any decoding; look at the raw packet data

depth (can be used with the content keyword only)
Value: <number>; e.g. depth:5;
Usage: Look for the contents within the specified number of bytes of the payload. If the value of the depth keyword is smaller than the length of the value of the content keyword, the signature will never match.

offset (can be used with the content keyword only)
Value: <number>; e.g. content:"cgi-bin/phf";offset:4;depth:20;
Usage: Start looking for the contents after the specified number of bytes of the payload. This tag is an absolute value in the payload. Follow the offset tag with the depth tag to stop looking for a match after the number of bytes specified by depth. If no depth is specified, matching continues until the end of the payload.

distance (can be used with the content keyword only)
Value: <number>; e.g. content:"ABC";content:"DEF";distance:1;
Usage: Search for the contents the specified number of bytes after the end of the previously matched contents. The distance tag can be followed by the within tag. If no within value is specified, matching continues until the end of the payload.

within (can be used with the content keyword only)
Value: <number>; e.g. content:"ABC";content:"DEF";within:10;
Usage: Look for the contents within the specified number of bytes of the payload. Use with the distance tag.


uricontent "<content string>"; e.g. uricontent:"%3F"; Search the normalized request URI field. Binary data can be used as the URI value.

isdataat <value>[,relative]; e.g. content:"PASS";isdataat:50,relative; Verify that the payload has data at the specified location. With relative, the location is counted from the end of the previous content match.

pcre [!]"(/<regex>/|m/<regex>/)[ismxAEGRUB]"; e.g. pcre:"/BLAH/i"; The pcre keyword allows rules to be written using Perl compatible regular expressions. The modifiers are:
i - Case insensitive
s - Include newlines in the dot metacharacter
m - By default the string is treated as one big line of characters, so ^ and $ match only at the start and end of the string. When m is set, ^ and $ also match immediately after or immediately before any newline in the buffer, as well as at the very start and very end of the buffer.
x - Whitespace characters in the pattern are ignored except when escaped or inside a character class
A - The pattern must match only at the start of the buffer (same as ^)
E - Set $ to match only at the end of the subject string. Without E, $ also matches immediately before a final newline (but not before any other newline)
G - Invert the greediness of the quantifiers so that they are not greedy by default, but become greedy if followed by ?
R - Match relative to the end of the last pattern match (similar to distance:0;)
U - Match the decoded URI buffer (similar to the uricontent keyword)
B - Do not use the decoded buffers (similar to the rawbytes keyword)

byte_test <bytes to convert>,[!]<operator>,<value>,<offset>[,relative][,<endian>][,string,<number type>]; (oct, dec and hex are used with string only) e.g. msg:"AMD procedure 7 plog overflow";content:"|00 04 93 F3|";content:"|00 00 00 07|";distance:4;within:4;byte_test:4,>,1000,20,relative; Test a byte field against a specific value (with operator). Capable of testing binary values, or of converting representative byte strings to their binary equivalent and testing them.
bytes_to_convert - The number of bytes to pick up from the packet
operator - The operation to perform to test the value (<, >, =, !, &)
value - The value to test the converted value against


offset - The number of bytes into the payload to start processing
relative - Use an offset relative to the end of the last pattern match
big - Process the data as big endian (default)
little - Process the data as little endian
string - The data is stored in string format in the packet
hex - The converted string data is represented in hexadecimal
dec - The converted string data is represented in decimal
oct - The converted string data is represented in octal

byte_jump <bytes_to_convert>,<offset>[,relative][,multiplier <multiplier value>][,big][,little][,string][,hex][,dec][,oct][,align][,from_beginning]; (oct, dec and hex are used with string only) e.g. content:"|00 00 00 01|";distance:4;within:4;byte_jump:4,12,relative,align; Pick up the specified number of bytes, convert them to a number and skip forward that many bytes, so that a following relative content match or byte_test starts from the new position. Unlike byte_test, byte_jump takes no operator or value.
bytes_to_convert - The number of bytes to pick up from the packet
offset - The number of bytes into the payload to start processing
relative - Use an offset relative to the end of the last pattern match
multiplier <multiplier value> - Multiply the converted number by the value and skip forward that number of bytes
big - Process the data as big endian (default)
little - Process the data as little endian
string - The data is stored in string format in the packet
hex - The converted string data is represented in hexadecimal
dec - The converted string data is represented in decimal
oct - The converted string data is represented in octal
align - Round the number of converted bytes up to the next 32 bit boundary
from_beginning - Skip forward from the beginning of the packet payload instead of from the current position in the packet
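The following is an added example, not code from the Cyberoam guide or from the appliance: a small Python evaluator for the content modifiers in the table (offset, depth, distance, within, nocase) and for byte_test and byte_jump, so the "relative to the end of the last match" semantics can be checked against constructed payloads. The rule grammar is the key:value; form used in the table; the rule names, the rpc_call and framed helpers and every sample payload are assumptions made for this example, and keywords the toy engine does not implement (msg, flow, the header tests) are skipped.

```python
"""Added example, not from the Cyberoam guide: a toy evaluator for the content
modifiers (offset, depth, distance, within, nocase) and the byte_test/byte_jump
keywords in the syntax table. Simplified re-implementation for illustration,
not the appliance's engine; all sample payloads are constructed inline."""
import re

OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')  # key:value; or key;
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]*)\|")                                   # |00 04 93 F3| sections
CONTENT_MODS = ("nocase", "rawbytes", "offset", "depth", "distance", "within")
OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "=": lambda a, b: a == b, "&": lambda a, b: (a & b) != 0}

def parse_options(rule):
    """Split 'key:value;key;...' into (key, value) pairs (value is None for bare keys)."""
    rule, pos, opts = rule.strip(), 0, []
    while pos < len(rule):
        m = OPTION_RE.match(rule, pos)
        if not m:
            raise ValueError("cannot parse rule at %r" % rule[pos:pos + 20])
        opts.append((m.group(1), m.group(2)))
        pos = m.end()
    return opts

def content_bytes(value):
    """Decode a quoted content value: |..| sections are hex bytes, the rest literal text."""
    text = value.strip().strip('"')
    out, last = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[last:m.start()].encode("latin-1") + bytes.fromhex("".join(m.group(1).split()))
        last = m.end()
    return bytes(out + text[last:].encode("latin-1"))

def convert(payload, pos, nbytes, flags):
    """byte_test/byte_jump conversion: raw big/little-endian int, or ASCII digits with 'string'."""
    chunk = payload[pos:pos + nbytes]
    if pos < 0 or len(chunk) < nbytes:
        return None                                   # not enough data at that position
    if "string" in flags:
        return int(chunk.decode("ascii"), 16 if "hex" in flags else 8 if "oct" in flags else 10)
    return int.from_bytes(chunk, "little" if "little" in flags else "big")

def match(rule, payload):
    """True if every content/byte_test/byte_jump in rule matches; other keywords are skipped."""
    opts, cursor, i = parse_options(rule), 0, 0       # cursor = end of the last content match
    while i < len(opts):
        key, val = opts[i]
        i += 1
        if key == "content":
            pat, mods = content_bytes(val), {}
            while i < len(opts) and opts[i][0] in CONTENT_MODS:
                mods[opts[i][0]] = opts[i][1]
                i += 1
            hay = payload
            if "nocase" in mods:
                hay, pat = hay.lower(), pat.lower()
            if "distance" in mods or "within" in mods:  # relative to the previous match
                start = cursor + int(mods.get("distance", 0))
                end = start + int(mods["within"]) if "within" in mods else len(hay)
            else:                                       # absolute, from the payload start
                start = int(mods.get("offset", 0))
                end = start + int(mods["depth"]) if "depth" in mods else len(hay)
            found = hay.find(pat, start, end)           # the whole pattern must lie in [start, end)
            if found < 0:
                return False
            cursor = found + len(pat)
        elif key == "byte_test":
            nbytes, op, value, offset, *flags = [a.strip() for a in val.split(",")]
            num = convert(payload, int(offset) + (cursor if "relative" in flags else 0), int(nbytes), flags)
            ok = num is not None and OPS[op.lstrip("!") or "="](num, int(value, 0))
            if ok == op.startswith("!"):                # a leading '!' inverts the test
                return False
        elif key == "byte_jump":
            nbytes, offset, *flags = [a.strip() for a in val.split(",")]
            pos = int(offset) + (cursor if "relative" in flags else 0)
            num = convert(payload, pos, int(nbytes), flags)
            if num is None:
                return False
            mult = [f for f in flags if f.startswith("multiplier")]
            if mult:
                num *= int(mult[0].split()[1])
            if "align" in flags:
                num = (num + 3) & ~3                    # round up to a 32-bit boundary
            cursor = (0 if "from_beginning" in flags else pos + int(nbytes)) + num
            if cursor > len(payload):
                return False
    return True

# Rules from the table (the byte_test one is the guide's example with its typo fixed)
RULE_PHF = 'content:"cgi-bin/phf";offset:4;depth:20;'
RULE_PAIR = 'content:"ABC";content:"DEF";distance:1;within:10;'
RULE_RPC = ('msg:"AMD procedure 7 plog overflow";content:"|00 04 93 F3|";'
            'content:"|00 00 00 07|";distance:4;within:4;byte_test:4,>,1000,20,relative;')
RULE_JUMP = ('content:"HDR1";content:"|00 00 00 01|";distance:0;within:4;'
             'byte_jump:4,12,relative,align;content:"TAIL";within:4;')

def rpc_call(procedure, arg_len):
    """Constructed SUNRPC-like call: program 0x000493F3, version 2, procedure, 20 filler bytes, a length."""
    return (b"\x00\x04\x93\xf3" + b"\x00\x00\x00\x02" + procedure.to_bytes(4, "big")
            + b"\x00" * 20 + arg_len.to_bytes(4, "big"))

def framed(body_len, padded=True):
    """Constructed record for RULE_JUMP: HDR1, type 1, 12 filler bytes, length, body, TAIL."""
    body = b"\x00" * (((body_len + 3) & ~3) if padded else body_len)
    return b"HDR1" + b"\x00\x00\x00\x01" + b"\x00" * 12 + body_len.to_bytes(4, "big") + body + b"TAIL"
```

match(RULE_PAIR, b"ABCDEF") returns False because distance:1 skips the byte immediately after ABC, while b"ABCxDEF" matches; match(RULE_RPC, rpc_call(7, 2000)) returns True and the same call with a length of 500 returns False, which is the byte_test comparison of the field 20 bytes after the procedure number. framed(5) matches RULE_JUMP only because align rounds the 5-byte body up to 8 before the jump; without that padding the cursor lands past TAIL.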

ttl <number>; ><number>; <<number>; Check the IP time-to-live value against the specified value

tos <number>; Check the IP TOS field for the specified value

id <number>; Check the IP ID field for the specified value

ipopts {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any}; Check for the presence of an IP option:
rr - Check if the IP RR (record route) option is present
eol - Check if the IP EOL (end of list) option is present
nop - Check if the IP NOP (no op) option is present
ts - Check if the IP TS (time stamp) option is present
sec - Check if the IP SEC (IP security) option is present
lsrr - Check if the IP LSRR (loose source routing) option is present
ssrr - Check if the IP SSRR (strict source routing) option is present
satid - Check if the IP SATID (stream identifier) option is present
any - Check if any IP option is present

fragoffset <number>; Compare the IP fragment offset field against the decimal value

fragbits [+*!]<[MDR]>; Check whether the IP fragmentation and reserved bits are set in the IP header.
M - The More Fragments bit
D - The Don't Fragment bit
R - The Reserved bit
+ - Match on the specified bits, plus any others
* - Match if any of the specified bits are set
! - Match if the specified bits are not set

dsize [<|>]<number>[<><number>]; e.g. dsize:300<>400; Test the packet payload size. When dsize is specified, packet reassembly is turned off automatically, so a signature with both dsize and only_stream set is wrong: dsize will fail on stream-rebuilt packets regardless of the size of the payload.

flags [!|*|+]<FSRPAU120>[,<FSRPAU120>]; e.g. flags:SF,12; Specify the TCP flags to match in a packet. The optional second list is a mask of flags to ignore when comparing (in the example the two reserved bits, so a SYN/FIN probe matches whether or not they are set).
S - Match the SYN flag
A - Match the ACK flag
F - Match the FIN flag
R - Match the RST flag
U - Match the URG flag
P - Match the PSH flag
1 - Match Reserved bit 1
2 - Match Reserved bit 2
0 - Match no TCP flags set
+ - Match on the specified bits, plus any others
* - Match if any of the specified bits are set
! - Match if the specified bits are not set
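The following is an added example, not code from the Cyberoam guide or from the appliance: it evaluates the flags and fragbits modifier semantics from the table (exact match, +, *, !, 0 and the ,<mask> list) against raw TCP and IPv4 headers built inline with struct. The evaluator follows the table's wording; the mapping of reserved bits 1 and 2 to the two high bits of the TCP flags byte, the helper names and the sample headers are assumptions made for this example.

```python
"""Added example, not from the Cyberoam guide: flags / fragbits modifier evaluation
([!|*|+]<bits>[,<mask>]) against constructed TCP and IPv4 headers."""
import struct

# flags letters -> bits of the TCP flags byte. Reserved bit 1 is taken as the
# most significant bit (CWR) and reserved bit 2 as ECE; this assignment is assumed.
TCP_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
            "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
# fragbits letters -> bits of the 3-bit IPv4 flags field (R is the reserved bit)
FRAG_BITS = {"M": 0x1, "D": 0x2, "R": 0x4}

def bits_match(spec, header_bits, table):
    """Evaluate '[!|*|+]<letters>[,<mask letters>]' (or '0') against a header bit field.

    No modifier: the field must equal exactly the listed bits.  '+': the listed bits
    must be set, others may be too.  '*': at least one listed bit is set.  '!': none
    of the listed bits is set.  Bits named after the comma are ignored entirely.
    """
    spec, _, mask_letters = spec.replace(" ", "").partition(",")
    modifier = spec[0] if spec[:1] in ("+", "*", "!") else ""
    letters = spec[len(modifier):]
    mask = sum(table[c] for c in mask_letters)
    wanted = 0 if letters == "0" else sum(table[c] for c in letters)
    bits = header_bits & ~mask
    if modifier == "+":
        return bits & wanted == wanted
    if modifier == "*":
        return bits & wanted != 0
    if modifier == "!":
        return bits & wanted == 0
    return bits == wanted

def tcp_flags(segment):
    """Flags byte of a raw TCP header (byte 13)."""
    return segment[13]

def ip_fragbits(packet):
    """R, D, M bits of a raw IPv4 header (top three bits of byte 6)."""
    return packet[6] >> 5

def flags_match(spec, segment):
    """Apply a flags: value to a raw TCP header."""
    return bits_match(spec, tcp_flags(segment), TCP_BITS)

def fragbits_match(spec, packet):
    """Apply a fragbits: value to a raw IPv4 header."""
    return bits_match(spec, ip_fragbits(packet), FRAG_BITS)

def tcp_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header carrying the given flags byte (sample data, not a capture)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def ipv4_header(frag_word):
    """Constructed 20-byte IPv4 header; frag_word is the 16-bit flags+fragment-offset field."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_word, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

if __name__ == "__main__":
    probe = tcp_header(TCP_BITS["S"] | TCP_BITS["F"] | TCP_BITS["2"])  # SYN/FIN probe with ECE set
    print(flags_match("SF,12", probe))   # True: the reserved bits are masked out
    print(flags_match("SF", probe))      # False: an exact match sees the ECE bit
    print(fragbits_match("M", ipv4_header(0x2000)))  # True: More Fragments set
```

The mask matters in practice: hosts that negotiate ECN legitimately set the two reserved bits on a SYN, so flags:S; alone misses their handshakes while flags:S,12; does not, and the same applies to a SYN/FIN scan probe that sets them.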

flow [to_client|to_server|from_client|from_server][,established][,bi_direction][,no_stream|only_stream]; TCP only. to_server is equivalent to from_client, and to_client is equivalent to from_server. established restricts the match to established TCP sessions. bi_direction makes the signature match traffic in both directions: for example, a signature with dstport:80; and bi_direction set checks traffic both to and from port 80.

seq <number>; Check for the specified TCP sequence number

ack <number>; Check for the specified TCP acknowledgement number

window <number>; Check for the specified TCP window size

itype [<|>]<number>[<><number>]; Specify the ICMP type to match

icode [<|>]<number>[<><number>]; Specify the ICMP code to match

icmp_id <number>; Check for the specified ICMP ID value

icmp_seq <number>; Check for the specified ICMP sequence value

rpc <application number>,[<version number>|*],[<procedure number>|*]; Check for RPC application, version and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for the version and procedure numbers

ip_proto <number>; [!]<number>; ><number>; <<number>; Check the IP protocol header

samip NULL The source and the destination have the same IP address


Monitoring IDP

Once the policies and rules are in place, IDP examines all incoming and outgoing packets, looking for matching signatures. All detected signatures are logged and identified as IDP alerts. The Administrator can view the most recent alerts (if any) from the Dashboard. Each alert displays the date and time of the intrusion, the source and destination IP addresses of the intrusion, the signature name and the severity of the intrusion.

Note To access the Dashboard,
• press F10 from any of the Cyberoam screens, OR
• press F2 for the Home page and click ‘Dashboard’

Screen – IDP Alerts


Manage IDP

Select IDP → Manage IDP to open the page that displays the status of the IDP engine. Click Start to start the IDP engine. If you have logged on to Cyberoam for the first time after the IDP module was registered, the status will be ‘Stopped’ and you will need to start the IDP engine. The page also displays the version number and release date of the IDP engine in use, along with update information such as the date of the last attempt to update the IDP engine and whether that update was successful. The IDP engine is updated automatically. The IDP signature database is updated automatically once a day.
