SnapGear 2.0.1 User Manual


Intrusion Detection


Several shortcut buttons also provide pre-defined lists of services to monitor. The basic
button installs a bare-bones selection of ports to monitor while still providing sufficient
coverage to detect many intruder scans. The standard button extends this coverage by
introducing additional monitored ports for earlier detection of intruder scans. The strict
button installs a comprehensive selection of ports to monitor and should be sufficient to
detect most scans.

Warning

The list of network ports can be freely edited, however adding network ports used by
services running on the CyberGuard unit (such as telnet) may compromise the security of
the device and your network. It is strongly recommended that you use the pre-defined
lists of network ports only.

The trigger count specifies the number of times a host is permitted to attempt to connect
to a monitored service before being blocked. This option only takes effect when one of
the blocking options described above is enabled. The trigger count value should be between 0
and 2 (0 represents immediate blocking of probing hosts on their first attempt). Larger settings
permit more attempts before blocking; although this allows the attacker more latitude, it
reduces the number of false positives.

The ignore list contains a list of host IP addresses which the IDB will ignore for detection
and blocking purposes. This list may be freely edited so trusted servers and hosts are
not blocked. The two addresses 0.0.0.0 and 127.0.0.1 cannot be removed from the
ignore list because they represent the IDB host. You may enter the IP addresses as a
range, see the IP address ranges section further on for more information.

Warning

A word of caution regarding automatically blocking UDP requests. Because an attacker
can easily forge the source address of these requests, a host that automatically blocks
UDP probes can be tricked into restricting access from legitimate services. Proper
firewall rules and ignored hosts lists will significantly reduce this risk.
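The following is an added example, not CyberGuard or SnapGear code, that models the blocking behaviour described in the trigger count, ignore list and UDP warning paragraphs above: probes to monitored ports are counted per source host, a host is blocked once it exceeds the trigger count, and hosts on the ignore list (which always contains 0.0.0.0 and 127.0.0.1) are never blocked. It assumes CIDR notation for ignore-list ranges; the class and function names, host addresses, ports and probe events are all constructed for the demonstration.

```python
"""Model of the IDB trigger-count and ignore-list logic (added example, not
product code). Hosts, ports and probes are constructed for the demo."""
import ipaddress
from collections import defaultdict

# The two IDB-host addresses that cannot be removed from the ignore list.
MANDATORY_IGNORE = ("0.0.0.0", "127.0.0.1")


class IntrusionBlocker:
    """Hypothetical name; tracks probes to monitored ports per source host."""

    def __init__(self, monitored_ports, trigger_count=0, ignore=()):
        if not 0 <= trigger_count <= 2:
            raise ValueError("trigger count must be between 0 and 2")
        self.monitored_ports = set(monitored_ports)
        self.trigger_count = trigger_count
        # Ignore entries are single hosts or ranges; CIDR is an assumption here.
        self.ignore = [ipaddress.ip_network(e, strict=False)
                       for e in MANDATORY_IGNORE + tuple(ignore)]
        self.attempts = defaultdict(int)
        self.blocked = set()

    def is_ignored(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore)

    def probe(self, src, dst_port):
        """Process one connection attempt from src to dst_port and return
        'unmonitored', 'ignored', 'already_blocked', 'allowed' or 'blocked'
        (the last meaning this probe caused the block)."""
        if dst_port not in self.monitored_ports:
            return "unmonitored"
        if self.is_ignored(src):
            return "ignored"
        if src in self.blocked:
            return "already_blocked"
        self.attempts[src] += 1
        # A host is permitted trigger_count attempts; the next one blocks it,
        # so trigger_count == 0 blocks on the very first probe.
        if self.attempts[src] > self.trigger_count:
            self.blocked.add(src)
            return "blocked"
        return "allowed"


def demo_trigger_count():
    """Trigger count 2: two probes to telnet are tolerated, the third blocks."""
    idb = IntrusionBlocker(monitored_ports={23, 139}, trigger_count=2)
    return [idb.probe("198.51.100.7", 23) for _ in range(4)]


def demo_udp_spoofing(ignore_list):
    """A UDP probe whose source address is forged to look like a trusted
    server (constructed address 192.0.2.53). With trigger count 0 and no
    ignore entry, the IDB blocks the real server; an ignore-list range
    covering it prevents the false positive."""
    idb = IntrusionBlocker(monitored_ports={161}, trigger_count=0,
                           ignore=ignore_list)
    result = idb.probe("192.0.2.53", 161)
    return result, ("192.0.2.53" in idb.blocked)


if __name__ == "__main__":
    print("trigger count 2:", demo_trigger_count())
    print("spoofed UDP, no ignore entry:", demo_udp_spoofing([]))
    print("spoofed UDP, range ignored:", demo_udp_spoofing(["192.0.2.0/24"]))
```

The second demo is the point of the warning above: because the model (like the IDB) keys its block decision on the claimed source address, a single forged UDP datagram is enough to lock out a legitimate server when the trigger count is 0, and only the ignore list or an upstream firewall rule prevents it.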
