August 28, 1998
Intrusion Detection Pilot Program Guide
[ ] Product can notify an administrator via e-mail of an incident.
[ ] Product can log a summary of an incident to persistent data storage.
[ ] Product can record the entire binary content of a network session and write it to persistent data storage for future analysis or forensics.
[ ] Product can copy the entire binary content of a network session up to the management console in real time so that it may be viewed as it is happening.
[ ] Product can terminate a TCP session by issuing TCP Reset packets to each end of the connection.
[ ] Product can prevent TCP, UDP, and IP access to a network by automatically reconfiguring a firewall or router to prevent certain traffic from crossing the firewall boundary for a user-specified period of time.
[ ] Product can respond to an incident by executing one or more user-specified programs.
Configuration
[ ] Remote Product engines can be configured from the management console using a point-and-click interface.
[ ] Product provides configuration templates that describe an engine configuration (i.e., active pre-defined signatures, responses). These templates can be customized, applied to many engines at the same time, saved for future use, and exchanged among management domains.
[ ] The priority level for each pre-defined signature can be configured from the management console.
[ ] The interface allows attack signatures to be activated or deactivated via check-box selection.
[ ] The response to each pre-defined event can be specified by the administrator from the management console.
[ ] Product templates can be customized and saved for future use.
[ ] The pre-defined signatures of Product can be tuned such that false positives are minimized.
[ ] Product can be configured such that attack signature and traffic analysis focus only on specified hosts, specified protocols, or specified services.
[ ] Product can be configured such that the end user can modify the embedded HELP system and add additional comments and information about attack definitions.
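As an added illustration (not part of the guide and not any vendor's code), the following Python models the configuration template and response checklist items above: per-signature priority, check-box enablement and response list, a scope filter limited to specified hosts/protocols/services, a template applied to many engines as independent copies, and a firewall block that expires after a user-specified period. All names, signature IDs and sample values are constructed.

```python
from dataclasses import dataclass, field
from copy import deepcopy

@dataclass
class SignatureConfig:
    name: str
    priority: str = "medium"          # low / medium / high, set from the console
    enabled: bool = True              # the check-box selection
    responses: list = field(default_factory=lambda: ["log"])

@dataclass
class Template:
    signatures: dict                  # constructed: sig_id -> SignatureConfig
    scope_hosts: set = field(default_factory=set)      # empty set = no restriction
    scope_protocols: set = field(default_factory=set)
    scope_ports: set = field(default_factory=set)      # "services" as port numbers

    def in_scope(self, host, proto, port):
        """Analysis focuses only on the configured hosts/protocols/services."""
        return ((not self.scope_hosts or host in self.scope_hosts)
                and (not self.scope_protocols or proto in self.scope_protocols)
                and (not self.scope_ports or port in self.scope_ports))

def apply_template(template, engine_ids):
    """Apply one saved template to many engines at once; each engine gets its
    own copy so later per-engine tuning does not alter the saved template."""
    return {eid: deepcopy(template) for eid in engine_ids}

def handle_event(template, sig_id, host, proto, port, now, blocks):
    """Dispatch the configured responses for one event. 'blocks' maps a host to
    the time its firewall block expires; expired blocks are dropped first.
    Returns None when the signature is disabled, unknown or out of scope."""
    for blocked_host, expiry in list(blocks.items()):
        if expiry <= now:
            del blocks[blocked_host]
    sig = template.signatures.get(sig_id)
    if sig is None or not sig.enabled or not template.in_scope(host, proto, port):
        return None
    taken = []
    for resp in sig.responses:
        if resp.startswith("block:"):            # "block:<seconds>" = reconfigure
            blocks[host] = now + int(resp.split(":", 1)[1])   # firewall for a period
        taken.append(resp)                        # e.g. "log", "email", "exec:..."
    return {"priority": sig.priority, "responses": taken}
```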
Event Monitoring
[ ] Product graphically depicts both suspicious activity and normal network activity.
[ ] The graphical interface can be used effectively by an unskilled NOC operator and requires