
Cyberoam IPS

Implementation Guide

Version 9

Document version 95824-1.0-17/12/2008

Cyberoam IPS Implementation Guide

IMPORTANT NOTICE
Elitecore has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without
warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore
assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make
changes in product design or specifications. Information is subject to change without notice.

USERS LICENSE
The Appliance described in this document is furnished under the terms of Elitecore's End User License Agreement. Please
read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the
terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance
and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore that: (1) the media on which
the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software
substantially conforms to its published specifications. Except for the foregoing, the Software is provided AS IS. This limited
warranty extends only to the customer as the original licensee. The Customer's exclusive remedy and the entire liability of Elitecore
and its suppliers under this warranty will be, at Elitecore's or its service center's option, repair, replacement, or refund of the
Software if reported (or, upon request, returned) to the party supplying the Software to the customer. In no event does Elitecore
warrant that the Software is error free, or that the customer will be able to operate the Software without problems or
interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and
Commtouch respectively and the performance thereof is under warranty provided by Kaspersky Labs and by Commtouch. It is
specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not
occasionally erroneously report a virus in a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products, excluding power supplies, fans and electrical
components, will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole
obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware
need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any
part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all
material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without
limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of
dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its suppliers be liable for any lost revenue, profit, or data, or for special, indirect, consequential,
incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to
use the product, even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall
Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the
price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose.
In no event shall Elitecore or its suppliers be liable for any indirect, special, consequential, or incidental damages, including,
without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or
its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 1999-2008 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of
Elitecore Technologies Ltd.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad 380015, INDIA
Phone: +91-79-26405600
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Elitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Item                   Convention                            Example
Server                 Machine where the Cyberoam Software
                       Server component is installed
Client                 Machine where the Cyberoam Software
                       Client component is installed
User                   The end user
Username               Username uniquely identifies the user
                       of the system
Part titles            Bold and shaded font typefaces        Report
Topic titles           Shaded font typefaces                 Introduction
Subtitles              Bold & Black typefaces
Navigation link        Bold typeface                         Group Management > Groups > Create
                                                             means: to open the required page, click
                                                             Group Management, then Groups, and
                                                             finally click the Create tab
Name of a particular   Lowercase italic type                 Enter policy name: replace policy name
parameter / field /                                          with the specific name of a policy
command button text                                          Or
                                                             Click Name to select, where Name denotes
                                                             the command button text to be clicked
Cross references       Hyperlink in a different color        refer to Customizing User database:
                                                             clicking the link opens that topic
Notes & points to      Bold typeface between the
remember               black borders
Prerequisites          Bold typeface between the
                       black borders

Notation conventions

Note
Notes and points to remember appear in a box like this one.

Prerequisite
Prerequisite details appear in a box like this one.



Contents

Technical Support ............................................................................................................ 3


Typographic Conventions................................................................................................. 4
Notation conventions ........................................................................................................ 4

Overview ................................................................................................................ 6
IPS .......................................................................................................................... 6
Cyberoam IPS ........................................................................................................ 8
Create IPS Policy ............................................................................................................. 9
Enable/Disable Category................................................................................................ 11
Signature Configuration.................................................................................................. 12
Update IPS policy........................................................................................................... 14
Delete IPS policy ............................................................................................................ 15
Search IPS Signature ..................................................................................................... 16
Create Custom Signature ............................................................................................... 17
Update Custom Signature .............................................................................................. 19
Delete Custom Signature ............................................................................................... 21
Custom Signature syntax ............................................................................................... 22
Monitoring IPS ................................................................................................................ 27
Manage IPS.................................................................................................................... 28


Overview
Welcome to Cyberoam's IPS Implementation Guide.
Cyberoam is an Identity-based UTM appliance. Cyberoam's solution is purpose-built to meet the
security needs of corporates, government organizations, and educational institutions.
Cyberoam's blend of best-of-breed solutions includes a user-based Firewall, Content Filtering,
Anti Virus, Anti Spam, Intrusion Detection and Prevention (IPS), and VPN.
Cyberoam provides increased LAN security by providing a separate port for connecting the
publicly accessible servers (Web server, Mail server, FTP server etc.) hosted in the DMZ, which are
visible to the external world and still have firewall protection.
Cyberoam is a real-time intrusion detection and prevention system that protects your network from
known and unknown attacks by worms and viruses, hackers and other Internet risks.
The Cyberoam appliance at the perimeter of your network analyzes all traffic and prevents attacks
from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your
mail server or any other attack, it does not get through.
The IPS module is a subscription module, which must be subscribed to before use.
From version 9.5.8, Cyberoam's Intrusion Detection & Prevention (IDP) feature has been
renamed Cyberoam Intrusion Prevention System (IPS) to better reflect its comprehensive
capabilities for addressing intrusions. The change in name is a step forward in
communicating our intrusion prevention capabilities in industry-standard language.
To reflect the change, Web Admin Console menus, submenus and screens have also been
relabelled "IPS". Please read IDP as IPS in the screen shots and images included in
the guide.

IPS
An IPS is a security management system that gathers and analyzes information from a network
to identify possible security breaches, which include both intrusions (attacks from outside the
organization) and misuse (attacks from within the organization).
An IPS detects and/or prevents malicious activity such as denial of service attacks, port scans or
attempts to break into computers by monitoring network traffic.
To detect such activity, an IPS uses Signatures. Whenever traffic matching a Signature's pattern is
found, the IPS raises an alarm and blocks the traffic from reaching its destination.
A standard IPS allows defining a global policy that is applied to every source-destination
network/host/port combination. This global policy can be modified or tuned as required but cannot
be tailored per network or per host.
Because the global policy is a general policy for all, standard IPSs generate a high number of false
positives, which makes it difficult to pinpoint the host generating malicious traffic, or vice versa.

Fine-tuning the global policy means disabling a set of signatures for all networks/hosts. This is not
a fit-for-all policy: it may reduce false positives on one network while increasing them on another,
and may fail to detect obvious malicious activity.


Cyberoam IPS
Cyberoam IPS also uses Signatures to identify malicious activity on the network, but instead of
providing only one (global) policy for managing multiple networks/hosts, it allows the policy to be
tailored per network/host, i.e. multiple policies can be defined for managing multiple networks/hosts.
Cyberoam IPS consists of a signature engine with a predefined database of signatures. Predefined
signatures are not editable.
As per your network requirements, Cyberoam allows you to define multiple policies instead of one
global policy, to decrease packet latency and reduce false positives.
A policy allows you to view the Cyberoam predefined signatures and customize the intrusion
prevention configuration at the category as well as the individual signature level. Categories are
signatures grouped together based on the application and protocol vulnerabilities they cover.
Each IPS policy contains a set of signatures that Cyberoam searches for, logs and blocks, and
allows you to:
Enable or disable a category from IPS protection
Enable or disable an individual signature in a category to tailor IPS protection to your
network environment
Define the action to be taken when the matching traffic pattern is found. Cyberoam can either
detect or drop the connection. In either case, Cyberoam generates a log and alerts the
Network Administrator.
To enable the intrusion detection and prevention functionality, apply the policy using a firewall rule.
You can create rules to apply:
a single policy for all users/networks
different policies for different users/networks or hosts
As firewall rules control all traffic passing through Cyberoam and decide whether to allow or
drop the connection, the IPS policy is applied only to the traffic/packets that the firewall rule
allows. Traffic allowed by a firewall rule that has no IPS policy attached is therefore not inspected.


Create IPS Policy

Create and deploy IPS policies to block malicious or suspicious traffic and increase security
productivity.
A policy lets you view the Cyberoam IPS signatures and configure the handling of signatures by
category or on a signature-by-signature basis.
Select IPS > Policy > Create to open the Create IPS policy page.

Screen - Create IPS policy

Screen Elements        Description
Create IPS policy
Name                   Specify policy name. Choose a name that best describes the policy.
Policy Description     Specify full description of the policy.
Create button          Creates the policy. On successful creation of the policy, define what
                       action is to be taken when traffic matches any of the signatures.
                       By default, all the categories are enabled and each signature within
                       a category is set to either Detect or Drop mode.
                       Refer to Enable/Disable Category to enable or disable any individual
                       category.
                       Refer to Signature Configuration to configure an individual signature
                       within a category for intrusion prevention and detection.
Cancel button          Cancels the current operation and returns to the Manage IPS policy
                       page.
Table - Create IPS policy screen elements


Enable/Disable Category
Select IPS > Policy > Manage to view the list of policies created.
Click the policy for which you want to enable/disable a category.
Click the Edit mark against the Category to be enabled/disabled.
A green check mark indicates that the Category is enabled; a red cross indicates that the
Category is disabled.

Screen - Enable/Disable Category

Screen Elements        Description
Edit IPS Category
Category               Displays Category name
Policy                 Displays the Policy in which the Category will be enabled/disabled
Enabled                Select ON to include the category for detection and prevention.
                       Select OFF to exclude the category from detection and prevention.
                       Excluding the category is the same as not implementing IPS for that
                       category.
                       Refer to Signature Configuration to set the IPS mode for an individual
                       signature within the category.
Save button            Saves the settings
Cancel button          Cancels the current operation and returns to the Manage IPS policy page
Table - Enable/Disable Category screen elements


Signature Configuration
Select IPS > Policy > Manage to view the list of policies created.
Click the policy for which you want to configure a signature.
Click the icon next to the Category name for which the Signature is to be configured. It displays
the list of signatures included in the category and the action Cyberoam will take if the signature
is identified.
Click the Signature Name to view the details of the Signature.
A green check mark indicates that the Signature is enabled; a red cross indicates that the
Signature is disabled.
Click the Edit mark against the Signature to be configured.

Screen Elements        Description
Configure Signature
Signature              Displays Signature name
Policy                 Displays Policy name
Enabled                To perform intrusion prevention and detection, i.e. to take action when
                       the signature is detected, you need to enable the Signature.
                       Select ON to include the Signature for detection and prevention.
                       Select OFF to exclude the Signature from the detection and prevention
                       process.
IPS mode               Set the IPS mode (Detect or Drop) for the signature to suit your needs.
(Only if Enabled       Drop mode: If the matching traffic pattern is detected, Cyberoam logs
is ON)                 the details, alerts the Administrator, drops the packets that triggered
                       the IPS, resets the connection and prevents the traffic from reaching
                       its destination.
                       Detect mode: If the matching traffic pattern is detected, Cyberoam logs
                       the details and alerts the Administrator, but takes no action against
                       the traffic, and the connection proceeds to its intended destination.
Save button            Saves the settings
Cancel button          Cancels the current operation and returns to the Manage IPS policy
                       page
Table - Configure Signature screen elements


Update IPS policy

Use to:
Enable/Disable Category
Configure Individual Signature
Select IPS > Policy > Manage and click the Policy name to be modified.

Screen - Update IPS policy

Screen Elements        Description
Edit IPS policy
Name                   Displays policy name
Policy Description     Displays full description of the policy; modify if required.
Categories             Displays the enabled and disabled Categories for the policy.
                       Refer to Enable/Disable Category for details. If a category is disabled,
                       it will not be included in the prevention and detection of intrusions.
                       Click the icon next to the Category name for which the Signature is to
                       be configured. It displays the list of signatures in the Category.
                       Refer to Signature Configuration to enable/disable and set the IPS mode
                       for an individual signature within the category.
Save button            Updates and saves the policy description
Cancel button          Cancels the current operation and returns to the Manage IPS policy page
Table - Update IPS policy screen elements


Delete IPS policy

Select IPS > Policy > Manage to view the list of policies.

Screen - Delete IPS policy

Screen Elements        Description
Del                    Select policy for deletion. Click Del to select. More than one policy
                       can be selected.
Select All             Select all the policies for deletion. Click Select All to select all
                       the policies.
Delete button          Deletes the selected policy/policies.
Table - Delete IPS policy screen elements


Search IPS Signature

You can search the signature database by signature ID or signature name. If a policy is not
specified in the search criteria, the search result will not display the action that will be taken
when the matching pattern is found.
The search result displays:
Signature ID, as defined by Cyberoam
Signature name and the category in which Cyberoam has placed the signature
Whether the Signature is enabled for use or not. Because a signature is enabled from the IPS
policy, the Enabled field is blank if no IPS policy is specified in the search criteria.
Proposed action: the action proposed by Cyberoam. It is set by Cyberoam and cannot be modified;
it is the default action Cyberoam takes when the matching traffic pattern is detected.
Action: the action specified in the IPS policy, which Cyberoam takes when the matching traffic
pattern is detected. If the proposed action and the action specified in the policy differ, the
action specified in the policy is taken, i.e. the policy action overrides the proposed action.
As the action is specified in the IPS policy, the Action field is blank if no IPS policy is
specified in the search criteria.

Screen - Search Signature

Screen - Search Result


Create Custom Signature

Custom signatures provide the flexibility to customize IPS for diverse network environments.
The default signatures included in Cyberoam cover common attacks, while custom signatures
protect your network from uncommon attacks that arise from the use of a proprietary server,
custom protocol, or specialized application in the corporate network.
Create a custom signature to define your own IPS signatures for your network and use them to
allow or block specific traffic.
Select IPS > Custom Signature > Create

Screen - Create Custom Signature

Screen Elements        Description
Custom Signature
Name                   Specify signature name. Choose a name that best describes the
                       signature.
Protocol               Specify protocol.
Custom Rule            Specify signature. Each option of the signature definition must begin
                       with a keyword followed by its value and must end with a semicolon (;).
                       String values are enclosed in double quotes; numeric values (e.g.
                       depth:5;) are not.
                       Format: Keyword:"value";
                       E.g. content:"USER JOHN";
                       If traffic with the content USER JOHN is detected, the action defined
                       in the policy will be taken.
                       Refer to Custom Signature Syntax for the full list of keywords.
Severity               Specify the severity level of the signature: Warning, Minor, Moderate,
                       Major, or Critical.
Custom Signature Mode
Custom Signature mode  Select the Default Mode. Mode decides what action to take if the
                       pattern matching the Signature is found.
                       By default, mode is OFF (disabled) for all the policies.
                       The default mode selected applies to all IPS policies. You can
                       override the default mode of the signature for each IPS policy.
                       OFF: Exclude the signature from the detection and/or prevention
                       process.
                       Drop mode: If any traffic that matches the signature is detected,
                       Cyberoam logs the details, alerts the Administrator, drops the packets
                       that triggered the IPS, resets the connection and prevents the traffic
                       from reaching its destination.
                       Detect mode: If any traffic that matches the signature is detected,
                       Cyberoam logs the details and alerts the Administrator, but takes no
                       action against the traffic, and the connection proceeds to its
                       intended destination.
Override Policy Mode
Override Policy mode   Displays the complete list of policies. For each policy, set what
                       action should be taken if traffic matching the signature is found.
Description
Policy Description     Specify full description of the signature.
Create button          Creates the signature. On successful creation of the signature, define
                       what action is to be taken when traffic matches the signature.
Cancel button          Cancels the current operation and returns to the Manage IPS policy
                       page
Table - Create Custom Signature screen elements

Note
Custom signatures are an advanced feature that requires thorough networking knowledge and
previous experience creating intrusion detection signatures.
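The sections above (Cyberoam IPS, Enable/Disable Category, Signature Configuration, Search IPS Signature and the Custom Signature mode fields) together describe a precedence: traffic must first be accepted by a firewall rule that carries an IPS policy; a disabled category or disabled signature is never acted on; the mode set in the policy overrides the Cyberoam-proposed action; a custom signature uses its default mode unless the policy overrides it, and OFF excludes it. The following is an added example, not Cyberoam code, that models that resolution so a policy can be audited before it is attached to a rule. The signature IDs, names, categories and policy names are constructed for illustration; the appliance's own database and UI fields are assumed, not reproduced.

```python
# Added example, not Cyberoam code: resolve the effective IPS action for one
# signature under one firewall rule, following the precedence the guide describes.
DETECT, DROP, OFF = "detect", "drop", "off"

# Constructed sample data; IDs, names and categories are made up for illustration.
PREDEFINED = {
    1001: {"name": "ftp-user-overflow", "category": "FTP", "proposed": DROP},
    1002: {"name": "http-cgi-probe", "category": "HTTP", "proposed": DETECT},
}
CUSTOM = {
    "ftp-user-john": {"default_mode": OFF, "override": {"DMZ_Policy": DETECT}},
}


class IPSPolicy:
    """One IPS policy: disabled categories plus per-signature enable/mode settings."""

    def __init__(self, name):
        self.name = name
        self.disabled_categories = set()
        self.signatures = {}             # sid -> {"enabled": bool, "mode": DETECT|DROP|None}

    def set_signature(self, sid, enabled=True, mode=None):
        self.signatures[sid] = {"enabled": enabled, "mode": mode}


def effective_action(policy, sid):
    """DROP, DETECT, or None when the signature is not acted on under `policy`."""
    if policy is None:                   # no IPS policy attached: nothing is inspected
        return None
    if sid in PREDEFINED:
        entry = PREDEFINED[sid]
        if entry["category"] in policy.disabled_categories:
            return None                  # disabling the category excludes every signature in it
        cfg = policy.signatures.get(sid, {"enabled": True, "mode": None})
        if not cfg["enabled"]:
            return None
        return cfg["mode"] or entry["proposed"]   # policy mode overrides the proposed action
    if sid in CUSTOM:
        mode = CUSTOM[sid]["override"].get(policy.name, CUSTOM[sid]["default_mode"])
        return None if mode == OFF else mode
    raise KeyError("unknown signature %r" % (sid,))


def inspect(rule, sid):
    """IPS sees only traffic a firewall rule accepts, with that rule's policy."""
    if rule.get("action") != "accept":
        return None                      # dropped by the firewall before IPS runs
    return effective_action(rule.get("policy"), sid)


def uninspected(policy, sids):
    """Signatures `policy` will never act on; review this after tuning a policy."""
    return [s for s in sids if effective_action(policy, s) is None]
```

Run `uninspected(policy, all_sids)` after disabling a category: every signature in that category disappears from detection, which is what the guide means by "excluding the category is the same as not implementing IPS for that category". The `inspect` check also makes the firewall dependency explicit: a rule that drops traffic, or accepts it without a policy, yields no IPS action at all.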


Update Custom Signature

Select IPS > Custom Signature > Manage to view the list of custom signatures, and click the
signature to be modified.

Screen - Edit Custom Signature

Screen Elements        Description
Custom Signature
Name                   Displays signature name; modify if required.
Protocol               Displays the protocol for which the signature is created; modify if
                       required.
Custom Rule            Displays the signature; modify if required.
                       Each option of the signature definition must begin with a keyword
                       followed by its value and must end with a semicolon (;). String
                       values are enclosed in double quotes; numeric values (e.g. depth:5;)
                       are not.
                       Format: Keyword:"value";
                       E.g. content:"USER JOHN";
                       If traffic with the content USER JOHN is detected, the action defined
                       in the policy will be taken.
                       Refer to Custom Signature Syntax for more details.
Severity               Displays the severity level of the signature; modify if required.
                       Severity levels are Warning, Minor, Moderate, Major, or Critical.
Custom Signature Mode
Custom Signature mode  Displays the Default Mode; modify if required. Mode decides what
                       action to take if the pattern matching the Signature is found.
                       By default, mode is OFF (disabled) for all the policies.
                       The default mode selected applies to all IPS policies. You can
                       override the default mode of the signature for each IPS policy.
                       OFF: Exclude the signature from the detection and/or prevention
                       process.
                       Drop mode: If any traffic that matches the signature is detected,
                       Cyberoam logs the details, alerts the Administrator, drops the packets
                       that triggered the IPS, resets the connection and prevents the traffic
                       from reaching its destination.
                       Detect mode: If any traffic that matches the signature is detected,
                       Cyberoam logs the details and alerts the Administrator, but takes no
                       action against the traffic, and the connection proceeds to its
                       intended destination.
Override Policy Mode
Override Policy mode   Displays the complete list of policies. For each policy, set what
                       action should be taken if traffic matching the signature is found.
Description
Policy Description     Displays full description of the signature; modify if required.
Save button            Saves the modified details
Cancel button          Cancels the current operation and returns to the Manage IPS policy
                       page
Table - Edit Custom Signature screen elements


Delete Custom Signature

Select IPS > Custom Signature > Manage to view the list of signatures.

Screen - Delete Custom Signature

Screen Elements        Description
Del                    Select signature for deletion. Click Del to select. More than one
                       signature can be selected.
Select All             Select all the signatures for deletion. Click Select All to select
                       all the signatures.
Delete button          Deletes the selected signature(s).
Table - Delete Custom Signature screen elements


Custom Signature syntax

Keyword

Value

Usage

srcaddr/dst
addr
srcport/dst
port
content

<ipaddress>;

The source/destination IP address

<Number>;

The source/destination port

"<content string>"; A string quoted


within double quotes.

nocase

NULL

Multiple contents can be specified in one rule.


The value can contain mixed text and binary
data. The binary data is generally enclosed
within the pipe (|) character.
Ignore case in the content value

Can
be
used with
content
keyword
only
rawbytes

NULL

Ignore any decoding. Look at the raw packet


data

<number>;
e.g. depth:5;

Look for the contents within the specified


number of bytes of the payload. If the value of
the depth keyword is smaller than the length of
the value of the content keyword, this signature
will never be matched

<number>;

Start looking for the contents after the specified


number of bytes of the payload. This tag is an
absolute value in the payload. Follow the offset
tag with the depth tag to stop looking for a
match after the value specified by the depth
tag. If there is no depth specified, continue
looking for a match until the end of the payload.
Search for the contents the specified number of
bytes relative to the end of the previously
matched contents. The distance tag could be
followed with the within tag. If there is no value
specified for the within tag, continue looking for
a match until the end of the payload.

Can
be
used with
content
keyword
only
depth
Can
be
used with
content
keyword
only
offset
Can
be
used with
content
keyword
only
distance

e.g. content:cgibin/phf;offset:4;depth:20;

Can
be
used with
content
keyword
only
within

For example

Can
be
used with
content
keyword
only

For example

<number>;

content :"ABC";content:"DEF";
distance:1;
<number>;

Look for the contents within the specified


number of bytes of the payload. Use with the
distance tag.

content:"ABC";content:"DEF";within:10;

22

Cyberoam IPS Implementation Guide

uricontent

uricontent:<content string>;

isdataat

For example
uricontent:"%3F";
<value> [,relative];

pcre

For example
content:"PASS";isdataat:50,relative;
pcre:[!]"(/<regex>/|m/<regex>/)[ismxAE
GRUB]";
For example
pcre:"/BLAH/i";

Search for the normalized request URI field.


Binary data can be defined as the URI value.

Verify that the payload has data at a specified


location. Optionally look for data relative to the
end of the previous content match.
The pcre keyword allows rules to be written
using perl compatible regular expressions.
i - Case insensitive
s - Include newlines in the dot metacharacter
m - By default, the string is treated as one big
line of characters
^ and $ match at the start and end of the string.
When m is set, ^ and $ match immediately
following or immediately before any newline in
the buffer, as well as the very start and very
end of the buffer.
x - Whitespace data characters in the pattern
are ignored except when escaped or inside a
character class
A - The pattern must match only at the start of
the buffer (same as ^ )
E - Set $ to match only at the end of the subject
string. Without E, $ also matches immediately
before the final character if it is a newline (but
not before any other newlines)
G - Inverts the "greediness" of the quantifiers
so that they are not greedy by default, but
become greedy if followed by "?"
R - Match relative to the end of the last pattern
match (similar to distance:0;)
U Match the decoded URI buffers (similar to the
uri keyword)

byte_test

<bytes to convert>, [!]<operator>,


<value>, <offset> [,relative] [,<endian>] [,<number type>, string];
    (continued from the previous keyword's description) B - Do not use the decoded buffers (similar to the raw keyword).

    Description: Test a byte field against a specific value (with operator). Capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
    Parameters:
        bytes_to_convert - The number of bytes to pick up from the packet
        operator - The operation to perform to test the value (<, >, =, !, &)
        value - The value to test the converted value against
        offset - The number of bytes into the payload to start processing
        relative - Use an offset relative to the last pattern match
        big - Process the data as big endian (default)
        little - Process the data as little endian
        string - The data is stored in string format in the packet
        hex - The converted string data is represented in hexadecimal
        dec - The converted string data is represented in decimal
        oct - The converted string data is represented in octal
        (oct, dec and hex are used with string only)
    For example:
        msg:"AMD procedure 7 plog overflow"; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,1000,20,relative;

byte_jump
    Syntax: <bytes_to_convert>, <offset> [,relative] [,multiplier <multiplier value>] [,big] [,little] [,string] [,hex] [,dec] [,oct] [,align] [,from_beginning];
    Parameters:
        bytes_to_convert - The number of bytes to pick up from the packet
        offset - The number of bytes into the payload to start processing
        relative - Use an offset relative to the last pattern match
        multiplier value - Multiply the number of calculated bytes by value and skip forward that number of bytes
        big - Process the data as big endian (default)
        little - Process the data as little endian
        string - The data is stored in string format in the packet
        hex - The converted string data is represented in hexadecimal
        dec - The converted string data is represented in decimal
        oct - The converted string data is represented in octal
        (oct, dec and hex are used with string only)
        align - Round the number of converted bytes up to the next 32-bit boundary
        from_beginning - Skip forward from the beginning of the packet payload instead of from the current position in the packet
    For example:
        content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,12,relative,align;
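The two rule fragments above can be traced by hand, but the arithmetic of relative offsets and aligned jumps is easy to get wrong when writing a signature. The following Python is an added example, not code from the Cyberoam guide or its IPS engine: it implements the byte_test and byte_jump semantics described in the table, including the string/hex/dec/oct conversion, and runs both of the table's examples against constructed payloads. The content matcher with distance/within, the function names and the sample bytes are assumptions made for this illustration.

```python
import struct

# Comparison operators exactly as listed for byte_test: <, >, =, !, &
OPERATORS = {
    "<": lambda got, want: got < want,
    ">": lambda got, want: got > want,
    "=": lambda got, want: got == want,
    "!": lambda got, want: got != want,
    "&": lambda got, want: (got & want) != 0,
}


def read_value(payload, pos, nbytes, little=False, as_string=None):
    """Pick up nbytes at pos. Binary by default (big endian unless little is
    set); with as_string in {"hex", "dec", "oct"} the bytes are parsed as a
    number written in that radix, as the string/hex/dec/oct options do."""
    chunk = payload[pos:pos + nbytes]
    if pos < 0 or len(chunk) < nbytes:
        return None  # not enough data: the option cannot match
    if as_string:
        try:
            return int(chunk.decode("ascii"), {"hex": 16, "dec": 10, "oct": 8}[as_string])
        except (UnicodeDecodeError, ValueError):
            return None
    return int.from_bytes(chunk, "little" if little else "big")


def find_content(payload, pattern, cursor=0, distance=0, within=None):
    """content:"..." with distance/within relative to the previous match.
    Assumption: the match must lie entirely in the `within` bytes that begin
    `distance` bytes after the last match (as in the table's examples).
    Returns the cursor just past the match, or None."""
    start = cursor + distance
    end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def byte_test(payload, nbytes, op, value, offset, cursor=0, relative=False,
              little=False, as_string=None):
    """byte_test:<bytes_to_convert>,<operator>,<value>,<offset>[,relative]..."""
    pos = (cursor if relative else 0) + offset
    got = read_value(payload, pos, nbytes, little, as_string)
    return got is not None and OPERATORS[op](got, value)


def byte_jump(payload, nbytes, offset, cursor=0, relative=False, little=False,
              as_string=None, multiplier=1, align=False, from_beginning=False):
    """byte_jump:<bytes_to_convert>,<offset>[,relative][,multiplier n][,align]
    [,from_beginning]. Returns the new cursor, or None if it leaves the payload."""
    pos = (cursor if relative else 0) + offset
    got = read_value(payload, pos, nbytes, little, as_string)
    if got is None:
        return None
    skip = got * multiplier
    if align:  # round up to the next 32-bit boundary
        skip = (skip + 3) & ~3
    base = 0 if from_beginning else pos + nbytes  # jump from after the converted bytes
    new_cursor = base + skip
    return new_cursor if new_cursor <= len(payload) else None


def amd_plog_overflow_matches(payload):
    """The table's byte_test example evaluated step by step:
    content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4;
    byte_test:4,>,1000,20,relative;"""
    cursor = find_content(payload, b"\x00\x04\x93\xF3")
    if cursor is None:
        return False
    cursor = find_content(payload, b"\x00\x00\x00\x07", cursor, distance=4, within=4)
    if cursor is None:
        return False
    return byte_test(payload, 4, ">", 1000, 20, cursor=cursor, relative=True)


def jump_example(payload, cursor=0):
    """The table's byte_jump example: content:"|00 00 00 01|"; distance:4;
    within:4; byte_jump:4,12,relative,align; returns the cursor after the jump."""
    cursor = find_content(payload, b"\x00\x00\x00\x01", cursor, distance=4, within=4)
    if cursor is None:
        return None
    return byte_jump(payload, 4, 12, cursor=cursor, relative=True, align=True)


def rpc_like_payload(length_field):
    """Constructed sample payload (not real traffic): program number, a filler
    word, procedure number, 20 bytes of padding, then the 4-byte big-endian
    length field that byte_test inspects 20 bytes past the procedure match."""
    return (b"\x00\x04\x93\xF3" + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x07"
            + b"\x00" * 20 + struct.pack(">I", length_field) + b"\x00" * 8)


# Constructed sample for byte_jump: the marker at offset 4 and a 4-byte count
# of 5 at offset 20; 5 aligned up to 8, jumping from 24, gives a cursor of 32.
JUMP_PAYLOAD = (b"\x00" * 4 + b"\x00\x00\x00\x01" + b"\x00" * 12
                + struct.pack(">I", 5) + b"\x00" * 16)

if __name__ == "__main__":
    print("length 1280 ->", amd_plog_overflow_matches(rpc_like_payload(1280)))  # True
    print("length 64   ->", amd_plog_overflow_matches(rpc_like_payload(64)))    # False
    print("byte_jump cursor ->", jump_example(JUMP_PAYLOAD))                    # 32
```

Running it reports a match only for the constructed payload whose length field exceeds 1000, and shows the aligned jump landing at offset 32. The same functions are a convenient way to check a candidate signature's offsets against a captured payload before it is deployed.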

ttl
    Syntax: <number>; ><number>; <<number>;
    Description: Check the IP time-to-live value against the specified value

tos
    Syntax: <number>;
    Description: Check the IP TOS field for the specified value

id
    Syntax: <number>;
    Description: Check the IP ID field for the specified value

ipopts
    Syntax: {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any}
    Description:
        rr - Check if IP RR (record route) option is present
        eol - Check if IP EOL (end of list) option is present
        nop - Check if IP NOP (no op) option is present
        ts - Check if IP TS (time stamp) option is present
        sec - Check if IP SEC (IP security) option is present
        lsrr - Check if IP LSRR (loose source routing) option is present
        ssrr - Check if IP SSRR (strict source routing) option is present
        satid - Check if IP SATID (stream identifier) option is present
        any - Check if any IP option is present

fragoffset
    Syntax: <number>;
    Description: Compare the IP fragment offset field against the decimal value

fragbits
    Syntax: [+*!]<[MDR]>;
    Description: Check if IP fragmentation and reserved bits are set in the IP header.
        M - The More Fragments bit
        D - The Don't Fragment bit
        R - The Reserved bit
        + - Match on the specified bits, plus any others
        * - Match if any of the specified bits are set
        ! - Match if the specified bits are not set

dsize
    Syntax: [<|>] <number>[ <> number];
    Description: Test the packet payload size. With data_size specified, packet reassembly is turned off automatically, so a signature with both data_size and only_stream set is wrong. dsize will fail on stream-rebuilt packets, regardless of the size of the payload.
    For example:
        dsize:300<>400;

flags
    Syntax: [!|*|+]<FSRPAU120>[,<FSRPAU120>];
    Description: Specify the TCP flags to match in a packet.
        S - Match the SYN flag
        A - Match the ACK flag
        F - Match the FIN flag
        R - Match the RST flag
        U - Match the URG flag
        P - Match the PSH flag
        1 - Match Reserved bit 1
        2 - Match Reserved bit 2
        0 - Match no TCP flags set
        + - Match on the specified bits, plus any others
        * - Match if any of the specified bits are set
        ! - Match if the specified bits are not set
    For example:
        flags:SF,12

flow
    Syntax: [to_client|to_server|from_client|from_server]; established; bi_direction; [no_stream|only_stream];
    Description: TCP only. The to_server value is equal to the from_client value. The to_client value is equal to the from_server value. The bi_direction tag makes the signature match traffic in both directions. For example, if you have a signature with "--dst_port 80" and bi_direction set, the signature checks traffic from and to port 80.

seq
    Syntax: <number>;
    Description: Check for the specified TCP sequence number

ack
    Syntax: <number>;
    Description: Check for the specified TCP acknowledgement number

window
    Syntax: <number>;
    Description: Check for the specified TCP window size

itype
    Syntax: [<|>]<number>[<>number];
    Description: Specify the ICMP type to match

icode
    Syntax: [<|>]<number>[<>number];
    Description: Specify the ICMP code to match

icmp_id
    Syntax: <number>;
    Description: Check for the specified ICMP ID value

icmp_seq
    Syntax: <number>;
    Description: Check for the specified ICMP sequence value

rpc
    Syntax: <application number>, [<version number>|*], [<procedure number>|*];
    Description: Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for the version and procedure numbers

ip_proto
    Syntax: <number>; [!]<number>; ><number>; <<number>;
    Description: Check the IP protocol header

sameip
    Syntax: NULL (no arguments)
    Description: The source and the destination have the same IP addresses
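The +, * and ! prefixes are shared by flags and fragbits, and their difference from a bare letter list is the usual reason a signature matches too much or too little. As an added example, not from the guide or the IPS engine, the Python below applies the four matching modes described in the table to constructed TCP flag and IP flag values, honours the optional ignore field of flags (as in flags:SF,12), and evaluates the dsize range syntax. The function names are assumptions, and the dsize range is assumed to be inclusive.

```python
# TCP flag letters from the table mapped to their header bit values.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}
# IP header flag bits used by fragbits: R (reserved), D (don't fragment), M (more fragments).
IP_FLAG_BITS = {"R": 0x4, "D": 0x2, "M": 0x1}


def _bits(letters, table):
    """Bit mask named by `letters`; the table's "0" means no bits at all."""
    return 0 if letters == "0" else sum(table[ch] for ch in letters)


def match_bits(spec, actual, table, ignore=""):
    """Apply a flags/fragbits spec such as "SF", "+SA", "*SF" or "!A" to the
    header value `actual`. `ignore` names bits to disregard before comparing
    (the optional second field of flags, e.g. the 12 in flags:SF,12)."""
    mod = spec[0] if spec[0] in "!*+" else ""
    wanted = _bits(spec[len(mod):], table)
    actual &= ~_bits(ignore, table)
    if mod == "+":            # specified bits set, any others allowed
        return actual & wanted == wanted
    if mod == "*":            # any one of the specified bits set
        return actual & wanted != 0
    if mod == "!":            # none of the specified bits set (table wording)
        return actual & wanted == 0
    return actual == wanted   # no modifier: exactly these bits and no others


def flags_match(spec, tcp_flags):
    """flags:<spec>[,<ignore>] against the TCP flags byte of a packet."""
    parts = spec.split(",")
    return match_bits(parts[0], tcp_flags, TCP_FLAG_BITS,
                      parts[1] if len(parts) > 1 else "")


def fragbits_match(spec, ip_flags):
    """fragbits:<spec> against the 3-bit IP flags field."""
    return match_bits(spec, ip_flags, IP_FLAG_BITS)


def dsize_match(spec, payload_len):
    """dsize:[<|>]<n> or dsize:<low><><high>; the range is assumed inclusive."""
    if "<>" in spec:
        low, high = (int(x) for x in spec.split("<>"))
        return low <= payload_len <= high
    if spec[0] == "<":
        return payload_len < int(spec[1:])
    if spec[0] == ">":
        return payload_len > int(spec[1:])
    return payload_len == int(spec)


if __name__ == "__main__":
    # Constructed header values: SYN+FIN with reserved bit 1 set (0x43),
    # SYN+FIN+ACK (0x13), and an IP flags field with DF and MF both set (0x3).
    print("flags:SF,12 on 0x43 ->", flags_match("SF,12", 0x43))   # True
    print("flags:SF    on 0x13 ->", flags_match("SF", 0x13))      # False
    print("flags:+SF   on 0x13 ->", flags_match("+SF", 0x13))     # True
    print("fragbits:D  on 0x3  ->", fragbits_match("D", 0x3))     # False
    print("dsize:300<>400 on 350 ->", dsize_match("300<>400", 350))  # True
```

The bare "SF" form rejects the SYN+FIN+ACK packet because the exact-match mode tolerates no extra bits; "+SF" accepts it, and the ",12" ignore field is what lets "SF" still match when a reserved bit is set. When tuning a signature, deciding which of these modes is intended is the first question to settle.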


Monitoring IPS
Once the policies and rules are in place, IPS examines all incoming and outgoing packets, looking
for matching signatures. All detected signatures are logged and identified as IPS alerts.
The Administrator can view the most recent alerts (if any) from the Dashboard.
Each alert displays the date and time of the intrusion, the source and destination IP addresses of
the intrusion, the signature name and the severity of the intrusion.
Note
To access the Dashboard,
press F10 from any of the Cyberoam screens, OR
press F2 for the Home page and click Dashboard

Screen: IPS Alerts


Manage IPS
Select IPS > Manage IPS to open the page that displays the status of the IPS engine.
Click Start to start the IPS engine. If you have logged on to Cyberoam for the first time after the
IPS module is registered, the status will be Stopped and you will need to start the IPS engine.
The page also displays the version number and release date of the IPS engine in use, along with
update information such as the date of the last attempt to update the IPS engine and whether that
update was successful.
The IPS engine is updated automatically.
The IPS signature database is updated automatically once a day.
