IBM Support

Some XGS events are being allowed after setting the Block response

Question & Answer


Question

Why are some events allowed after setting a block response?

Cause

Most network attacks are carried out in a single packet or in several packets that are reconstructed into a single "session." For these attacks, the Block response in the XGS Intrusion Prevention policy is appropriate to use, and is translated into a block packet response and/or into a block connection response.

Certain events, however, are classified as "non-sequitur." Non-sequitur events are events that require a succession of packets to occur before the signature is triggered. For example, a port scan signature may require a succession of ten port probes before the signature would trigger. In this case, many of the offending "packets" would have already passed through the system.

Answer

For these types of signatures, you must set the Quarantine response in addition to the Block response: Default Repository > Shared Objects > Intrusion Prevention > select the signature > Edit > Quarantine tab > enable the quarantine response > Save. The quarantine response blocks the offending IP for a period of time, ensuring that the remaining probes do not get through. The standard block packet or drop connection responses (set by the Block response) are ineffective in stopping this kind of activity when not used in conjunction with Quarantine.
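The following is an added simulation, not XGS code, that illustrates why a non-sequitur signature behaves differently under Block alone and under Block plus Quarantine. It assumes a port-scan signature that fires after ten distinct port probes (the threshold the Cause section uses as its example), a constructed quarantine duration of 60 seconds, and a constructed source address; the counting and timing logic is illustrative only and does not reproduce the appliance's internal implementation.

```python
from collections import defaultdict
from dataclasses import dataclass

PROBE_THRESHOLD = 10      # probes before the scan signature fires (page's example)
QUARANTINE_SECONDS = 60   # constructed: how long an offending IP stays quarantined


@dataclass
class Verdict:
    allowed: int = 0   # packets that passed through the sensor
    dropped: int = 0   # packets dropped by Block or by Quarantine
    events: int = 0    # times the signature fired


def run_policy(packets, quarantine: bool) -> Verdict:
    """Simulate the IPS response to a stream of (timestamp, src_ip, dst_port).

    Block alone drops only the packet that completes the signature, so the
    probes before it (and the next round of probes) are allowed. With
    quarantine=True, the first event blocks the source IP for
    QUARANTINE_SECONDS, so the remaining probes are dropped as well.
    """
    probes = defaultdict(set)     # src_ip -> distinct ports seen so far
    quarantined_until = {}        # src_ip -> time at which quarantine lapses
    v = Verdict()
    for ts, src, port in packets:
        if quarantine and quarantined_until.get(src, -1.0) > ts:
            v.dropped += 1        # quarantine drops everything from the IP
            continue
        probes[src].add(port)
        if len(probes[src]) >= PROBE_THRESHOLD:
            v.events += 1
            v.dropped += 1        # Block response drops the triggering packet
            probes[src].clear()   # signature re-arms for the next round
            if quarantine:
                quarantined_until[src] = ts + QUARANTINE_SECONDS
        else:
            v.allowed += 1        # signature not yet triggered: packet passes
    return v


def constructed_scan(src="203.0.113.5", ports=range(1, 31), start=0.0):
    """Constructed sample traffic: one probe per second against each port."""
    return [(start + i, src, p) for i, p in enumerate(ports)]


if __name__ == "__main__":
    scan = constructed_scan()
    print("Block only:       ", run_policy(scan, quarantine=False))
    print("Block + Quarantine:", run_policy(scan, quarantine=True))
```

With Block alone, 27 of the 30 probes in the sample scan pass and only the three threshold-completing packets are dropped; with Quarantine enabled, 9 pass before the first event and the other 21 are dropped.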

List of non-sequitur events:

ActiveDirectory_Ldap_DoS
AntiSniff_DNS_Test
Cisco_IOS_OSPF_BO
DNS_Dot_Query_Flood
DNS_Malformed_Flood
DSI_Netware_AFP_DoS
HP_NNM_AlarmSrv_DoS
HTTP_Apache_Modisapi_Code_Exec
HTTP_Asterisk_ContentLength_DoS
HTTP_Pipelined_Connection
ICMP_Flood
Ident_Flood
Malformed_Packet_Storm
Netbios_Flood_DoS
pcAnywhere_Probe
Ping_Sweep
RPC_NFS_Guess
RPC_Probe
SMB_Service_Sweep
SMTP_Probe_Root
SSH_Brute_Force
Stream_DoS
SYN_Bandwidth_Flood
SYN_Bandwidth_Flood_Protection
SYNFlood
SYNFlood_Protection
Syslog_Flood
TCP_Dabber_Sweep
TCP_Dataless_Session_RST_DoS
TCP_Large_Send_Offload_DoS
TCP_Port_Scan
TCP_Probe_BitTorrent
TCP_Probe_DNS
TCP_Probe_Finger
TCP_Probe_Ftp
TCP_Probe_Gnutella
TCP_Probe_HTTP
TCP_Probe_Ident
TCP_Probe_Imap4
TCP_Probe_IRC
TCP_Probe_LinuxConf
TCP_Probe_Lpr
TCP_Probe_MSRPC
TCP_Probe_NetBIOS
TCP_Probe_Netbus
TCP_Probe_NNTP
TCP_Probe_Other
TCP_Probe_POP3
TCP_Probe_PPTP
TCP_Probe_Proxy
TCP_Probe_Rlogin
TCP_Probe_SMTP
TCP_Probe_Socks
TCP_Probe_SQL
TCP_Probe_SSH
TCP_Probe_Sub7
TCP_Probe_SunRPC
TCP_Probe_T0rn
TCP_Probe_Telnet
TCP_Probe_Trojan
TCP_Probe_XWindows
TCP_Service_Sweep
TCP_Windows_IntegerOverflow_DoS
Twinge_Attack
UDP_Flood_DoS
UDP_Port_Scan
UDP_Probe_CharGen
UDP_Probe_DNS
UDP_Probe_Echo
UDP_Probe_MSDNS
UDP_Probe_MSRPC
UDP_Probe_NFS
UDP_Probe_NFS_Lockd
UDP_Probe_Norton_AV
UDP_Probe_Other
UDP_Probe_Qotd
UDP_Probe_SNMP
UDP_Probe_TFTP
UDP_Probe_Trojan
UDP_Service_Sweep
Unistim_Flood
VOIP_New_Call_Dos

Document Information

Modified date:
23 January 2021

UID

swg21687475