Meta and evasion rules, Appendix c, Appendix c meta and evasion rules – Force10 Networks PSeries 100-00055-01 User Manual


P-Series Installation and Operation Guide, version 2.3.1.2, page 123

Appendix C

Meta and Evasion Rules

The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Table 29 and Table 30.

Table 29 meta Rules for Channel 0 and Channel 1

meta Rules

alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)

alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)

alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)

alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)

alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)

alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)

alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)

alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)

alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)

Table 30 Evasion Rules for Channel 0 and Channel 1

Evasion Rules

alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)

alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)

alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)

alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100; S:16; R:2; C:17;)
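The rules in Table 29 and Table 30 use Snort rule syntax with three vendor options (S, R and C) that this page does not define. The following Python example is added here for illustration; it is not part of the Force10 manual and not the P-Series rule engine's code. It parses the rules from the two tables and applies only their per-packet tests (flags and dsize) to constructed sample packets, so a reader can see which meta or evasion message a given TCP segment would trigger before state tracking is considered. Assumptions: S, R and C are treated as opaque integers; the flags test follows Snort semantics, where "S,12" matches SYN while ignoring the two reserved/ECN bits; and "dsize: lo <> hi" is taken as an exclusive range, as in Snort 2. The sample packets are constructed for the example.

```python
"""Parser and packet-level matcher for the Snort-style rules in Tables 29 and 30.
Added example, not Force10 code.  Assumed: S:, R: and C: are opaque integers
(the page does not define them) and 'dsize: lo <> hi' is exclusive, as in Snort 2."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
DSIZE_RE = re.compile(r"^(?:([<>])\s*(\d+)|(\d+)\s*<>\s*(\d+)|(\d+))$")

@dataclass
class Rule:
    action: str
    proto: str
    options: dict  # option keyword -> value

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    flags: str = ""   # Snort flag letters: F S R P A U, 1 (CWR), 2 (ECE)
    dsize: int = 0    # payload length in bytes

def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport dir dst dport (opt:val; ...)' into a Rule."""
    m = RULE_RE.match(" ".join(text.split()))  # joins lines wrapped in the manual
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    action, proto, *_addrs, body = m.groups()
    options = {}
    for item in body.split(";"):
        key, _, value = item.strip().partition(":")  # first ':' only; msg text may contain ':'
        if key:
            value = value.strip().strip('"').strip()
            options[key] = int(value) if key in ("S", "R", "C") else value
    return Rule(action, proto, options)

def flags_match(spec: str, pkt_flags: str) -> bool:
    """Snort 'flags' test: exact match by default, '+' = listed plus any others,
    '*' = any listed, '!' = negate; the part after ',' lists bits to ignore."""
    want, _, ignore = spec.partition(",")
    want, ignore = want.strip(), set(ignore.strip())
    mod = ""
    if want and want[0] in "+*!":
        mod, want = want[0], want[1:]
    wanted = set() if want == "0" else set(want)  # '0' means no flags at all
    have = set(pkt_flags) - ignore                 # e.g. 'S,12' drops CWR/ECE first
    if mod == "+":
        ok = wanted <= have
    elif mod == "*":
        ok = bool(wanted & have)
    else:
        ok = wanted == have
    return not ok if mod == "!" else ok

def dsize_match(spec: str, n: int) -> bool:
    """Snort 'dsize' test: N, <N, >N, or lo <> hi (exclusive bounds assumed)."""
    m = DSIZE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad dsize: {spec!r}")
    op, v, lo, hi, eq = m.groups()
    if op:
        return n < int(v) if op == "<" else n > int(v)
    if lo is not None:
        return int(lo) < n < int(hi)
    return n == int(eq)

def has_packet_test(rule: Rule) -> bool:
    return "flags" in rule.options or "dsize" in rule.options

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply only the per-packet tests; S/R/C state tracking is not modelled."""
    if rule.proto != pkt.proto:
        return False
    if "flags" in rule.options and not flags_match(rule.options["flags"], pkt.flags):
        return False
    if "dsize" in rule.options and not dsize_match(rule.options["dsize"], pkt.dsize):
        return False
    return True

def matching_msgs(rules, pkt: Packet):
    """msg of every rule carrying a flags/dsize test that the packet satisfies."""
    return [r.options["msg"] for r in rules if has_packet_test(r) and rule_matches(r, pkt)]

def state_only_msgs(rules):
    """Rules with only S/R/C options: they fire on engine state, not packet content."""
    return [r.options["msg"] for r in rules if not has_packet_test(r)]

# Rules copied from Tables 29 and 30 (wrapped lines joined).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)',
    'alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)',
    'alert tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)',
    'alert udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)',
    'alert tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)',
    'alert tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)',
    'alert tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)',
    'alert tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)',
    'alert tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 10 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 10 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)',
    'alert tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 10"; dsize: 0 <> 100; S:16; R:2; C:17;)',
]]

if __name__ == "__main__":
    # Constructed samples: SYN with ECE set, SYN-ACK, 1-byte ACK segment, flagless 20-byte segment
    for pkt in (Packet("tcp", "S2"), Packet("tcp", "SA"), Packet("tcp", "A", 1), Packet("tcp", "", 20)):
        print(pkt, "->", matching_msgs(RULES, pkt))
    print("state-driven only:", state_only_msgs(RULES))
```

Two points the output makes visible: a SYN with the ECE bit set still raises "Z SYN" because of the ",12" ignore mask, and a one-byte segment satisfies every dsize test in Table 30 at once, so the S, R and C values, not the packet tests, are what separate the evasion states from each other. The two "within" rules have no packet test at all and are reported separately as state-driven.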
