
Basic User Filters


Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.

To create a basic filter

1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > User.

2. Do one of the following:

   • To add an entry, click Create.

   • To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter
  Description

Name
  The name of the filter.

Protocol
  The protocol used.
  Values: IP, UDP, TCP, ICMP

Source App. Port
  The source application ports. Port values are meaningful only when Protocol is TCP or UDP.
  Values: 0 - 65535
  Default: 0

Destination App. Port
  The destination application ports. Port values are meaningful only when Protocol is TCP or UDP.
  Values: 0 - 65535
  Default: 0

OMPC Offset
  The location in the packet from which the checking of data starts, in order to find specific bits in the IP/TCP header. The offset is counted from the point selected in OMPC Offset Relative to.
  Values: 0 - 1513
  Default: 0

OMPC Offset Relative to
  Specifies the header or data start to which the OMPC Offset is relative.
  Values: None, IP Header, IP Data, L4 Data, Ethernet, L4 Header, IPV6 Header
  Default: None

OMPC Mask
  The mask applied to the bytes read at the OMPC Offset before they are compared with the OMPC Pattern.
  Values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter: the OMPC Mask definition must contain exactly 8 symbols, and if the OMPC Length value is lower than fourBytes, you need to complete it with trailing zeros.
  For example, if OMPC Length is twoBytes, OMPC Mask can be abcd0000.
  Default: 00000000

OMPC Pattern
  The fixed-size pattern that the OMPC rule attempts to find within the packet, compared against the masked bytes.
  Values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter: the OMPC Pattern definition must contain exactly 8 symbols, and if the OMPC Length value is lower than fourBytes, you need to complete it with trailing zeros.
  For example, if OMPC Length is twoBytes, OMPC Pattern can be abcd0000.
  Default: 00000000

OMPC Condition
  The comparison applied between the masked bytes and the OMPC Pattern.
  Values: N/A, equal, notEqual, greaterThan, lessThan
  Default: N/A

OMPC Length
  The length of the OMPC (Offset Mask Pattern Condition) data.
  Values: N/A, oneByte, twoBytes, threeBytes, fourBytes
  Default: N/A

Content Offset
  The location in the packet from which the checking of content starts.
  Values: 0 - 1513
  Default: 0

Distance
  A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.

Content
  The actual value of the content search.
  Values: the printable ASCII characters: <space> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~

DDoS Protector Web Based Management User Guide | 39

Content Type
  Enables the user to search for a specific content type.

  Values:
  • None
  • URL: In the HTTP Request URI. No normalization procedures are taken.
  • Normalized URL: To avoid evasion techniques when classifying HTTP GET requests, the URL content is transformed into its canonical representation, so that the URL is interpreted in the same way the server would interpret it. The normalization procedure supports the following cases:
    • Directory referencing, by reducing '/./' to '/' and "A/B/../" to "A/"
    • Changing backslash ('\') to slash ('/')
    • Changing HEX encoding to ASCII characters. For example, the hex value %20 is changed to " " (space).
    • Unicode support, UTF-8 and IIS encoding.
  • Host Name: In the HTTP Header
  • Text: Anywhere in the packet
  • HTTP Header Field: In the HTTP Header
  • Mail Domain: In the SMTP Header
  • Mail To: In the SMTP Header
  • Mail From: In the SMTP Header
  • Mail Subject: In the SMTP Header
  • Regular Expression: Anywhere in the packet
  • Header Type: HTTP Header field. The "Content" field includes the header field name, and the "Content Data" field includes the field value.
  • File Type: The type of the requested file in the HTTP GET command (jpg, exe, and so on).
  • POP3 User: User field in the POP3 Header.
  • Cookie Data: HTTP cookie field. The "Content" field includes the cookie name, and the "Content Data" field includes the cookie value.
  • FTP Content: Scans the data transmitted using FTP, performing normalization of the FTP packets and stripping of Telnet opcodes.
  • FTP Command: Parses FTP commands into commands and arguments, while performing normalization of the FTP packets and stripping of Telnet opcodes.
  • RPC: Reassembles RPC requests that span several packets. The RPC standard (RFC 1831) provides a feature called Record Marking (RM), used to delimit several RPC requests sent on top of the transport protocol. Over a stream-oriented transport such as TCP, RPC uses a kind of fragmentation to delimit the records. Despite its original purpose, this fragmentation may also split a record in the middle rather than only at record boundaries, and in some cases this can be used to evade IPS systems.
  Default: N/A

  Note: The following two content types appear in devices with the SME card only.
  • HTTP Reply Header: The header of the HTTP reply.
  • HTTP Reply Data: The data of the HTTP reply.

Content Max Length
  The maximum length to be searched within the selected Content Type. The Content Max Length value must be greater than or equal to the Content Offset value.
  Values: 0 - 1513
  Default: 0

Content Data
  Refers to the search for the content within the packet. For the Header Type and Cookie Data content types, this field holds the header field value or cookie value, while the name goes in Content.
  Values: N/A, URL, Text

Content Encoding
  Application Security can search for content in languages other than English, for case-sensitive or case-insensitive text, as well as for hexadecimal strings. The value of this field corresponds to the Content Type parameter.
  Values: None, Case Insensitive, Case Sensitive, HEX, International
  Default: None

Content Data Encoding
  Application Security can search for data in languages other than English, for case-sensitive or case-insensitive data, as well as for hexadecimal strings. The value of this field corresponds to the Content Type parameter.
  Values: None, Case Insensitive, Case Sensitive, HEX, International
  Default: None

Content Regular Expression
  Specifies whether Content is interpreted as a regular expression and searched for anywhere in the packet.
  Values: Yes, No

Content Data Reg Expression
  Specifies whether Content Data is interpreted as a regular expression.
  Values: Yes, No

Packet Size Type
  The part of the packet whose size is measured.
  Values:
  • L2: The complete packet size is measured, including the L2 headers.
  • L3: The L2 data part of the packet is measured (excluding the L2 headers).
  • L4: The L3 data part of the packet is measured (excluding the L2/L3 headers).
  • L7: The L4 data part of the packet is measured (excluding the L2/L3/L4 headers).

Session Type
  Enables you to create different basic filter connection types for Dynamic Protocols. For example, you can create a Basic Filter for FTP Data, SIP Video, TFTP Control, and other Dynamic Protocols.

Session Type Direction
  Limits the classification according to the direction of the session.
  Values: Request packets only, Reply packets, All the packets belonging to the session

Packet Size Range
  The range of values for the packet size.
  Notes:
  • The size is measured per packet only.
  • The size is not applied to reassembled packets.
  • Fragmentation of L4-L7 packets may produce tail fragments that do not contain the L4-L7 headers. In such cases the check is bypassed, as no match to Type = L4-L7 is detected.
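The OMPC rows (OMPC Offset, Offset Relative to, Mask, Pattern, Condition, Length) and the Packet Size Type and Packet Size Range rows above describe how a Basic Filter inspects raw packet bytes. The following is an added example, not Check Point code and not the DDoS Protector's implementation: it evaluates an OMPC rule and a packet size measurement against a constructed Ethernet II/IPv4/TCP frame. It assumes, because the guide does not say, that "None" and "Ethernet" both mean byte 0 of the frame, that the 8-symbol mask and pattern are read big-endian with the first OMPC Length bytes significant (the guide's abcd0000 convention), that an OMPC Length or Condition of N/A leaves the filter unconstrained, and it also enforces the guide's "exactly 8 symbols, zero-padded" rule and the note that a tail fragment bypasses L4-L7 checks.

```python
"""Added example, not Check Point code: OMPC rule and Packet Size Type evaluation
against a constructed Ethernet II + IPv4 + TCP frame. Assumptions (not in the
guide): 'None'/'Ethernet' mean byte 0 of the frame; mask/pattern are read
big-endian with the first OMPC Length bytes significant; N/A means unconstrained.
"""
import struct

ETH_LEN = 14
LENGTHS = {"oneByte": 1, "twoBytes": 2, "threeBytes": 3, "fourBytes": 4}


def build_frame(tcp_flags, ttl=64, payload=b"", frag_field=0):
    """Constructed sample frame: Ethernet II, IPv4 without options, TCP without options."""
    eth = bytes(12) + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                     frag_field, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def header_offsets(frame):
    """Start offset of each 'OMPC Offset Relative to' choice, or None when that
    header is absent (a non-first IP fragment carries no L4 header)."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    frag_field = struct.unpack("!H", frame[ETH_LEN + 6:ETH_LEN + 8])[0]
    proto = frame[ETH_LEN + 9]
    ip_data = ETH_LEN + ihl
    tail = bool(frag_field & 0x1FFF)                   # fragment offset != 0: tail fragment
    if tail:
        l4_hdr_len = None
    elif proto == 6:                                   # TCP: data offset in 32-bit words
        l4_hdr_len = (frame[ip_data + 12] >> 4) * 4
    elif proto in (1, 17):                             # ICMP and UDP: fixed 8-byte header
        l4_hdr_len = 8
    else:
        l4_hdr_len = None                              # other protocols: not parsed here
    return {
        "None": 0, "Ethernet": 0, "IP Header": ETH_LEN, "IP Data": ip_data,
        "L4 Header": None if tail else ip_data,
        "L4 Data": None if l4_hdr_len is None else ip_data + l4_hdr_len,
        "IPV6 Header": None,                           # not present in an IPv4 frame
    }


def _ompc_field(hex8, nbytes):
    """Enforce the guide's rule: exactly 8 hex symbols, zeros beyond OMPC Length."""
    if len(hex8) != 8 or any(c not in "0123456789abcdefABCDEF" for c in hex8):
        raise ValueError("OMPC Mask/Pattern must be exactly 8 hexadecimal symbols")
    padding = hex8[2 * nbytes:]
    if padding and int(padding, 16) != 0:
        raise ValueError("symbols beyond OMPC Length must be zeros")
    return int(hex8[:2 * nbytes], 16)


def ompc_match(frame, offset, relative_to, length, mask, pattern, condition):
    """True when the masked bytes at the offset satisfy the condition against the pattern."""
    if length == "N/A" or condition == "N/A":
        return True                                    # assumption: unconfigured OMPC constrains nothing
    nbytes = LENGTHS[length]
    base = header_offsets(frame)[relative_to]
    if base is None:
        return False                                   # reference header absent: nothing to compare
    window = frame[base + offset:base + offset + nbytes]
    if len(window) < nbytes:
        return False                                   # window runs off the end of the packet
    value = int.from_bytes(window, "big") & _ompc_field(mask, nbytes)
    target = _ompc_field(pattern, nbytes)
    return {"equal": value == target, "notEqual": value != target,
            "greaterThan": value > target, "lessThan": value < target}[condition]


def packet_size(frame, size_type):
    """Bytes counted for each Packet Size Type; None where the guide says the check
    is bypassed because the L4-L7 headers are not in this packet."""
    off = header_offsets(frame)
    start = {"L2": 0, "L3": off["IP Header"], "L4": off["L4 Header"], "L7": off["L4 Data"]}[size_type]
    return None if start is None else len(frame) - start


def size_in_range(frame, size_type, low, high):
    """Packet Size Range check; a bypassed measurement never matches."""
    size = packet_size(frame, size_type)
    return size is not None and low <= size <= high


if __name__ == "__main__":
    syn = build_frame(0x02)
    # TCP flags live at byte 13 of the TCP header; mask the six flag bits and require SYN only.
    print(ompc_match(syn, 13, "L4 Header", "oneByte", "3f000000", "02000000", "equal"))  # True
    print(packet_size(syn, "L2"), packet_size(syn, "L7"))  # 54 0
```

The SYN-only rule shows the intended use of the mask: 3f000000 keeps FIN/SYN/RST/PSH/ACK/URG and discards the reserved bits, so a SYN-ACK (0x12) does not match while a bare SYN (0x02) does. The same function with IP Header, offset 8 and lessThan checks the TTL, and a tail fragment returns no match for anything relative to the L4 header, which is the bypass the Packet Size Range note describes.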

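The Normalized URL content type above lists the transformations the device applies before matching (dot-segment reduction, backslash to slash, hex decoding, Unicode/UTF-8 and IIS encoding). The following is an added example, not Check Point code and not the DDoS Protector's implementation: it implements those transformations and places the result beside a raw URL match so the evasion a non-normalized match misses is visible. The decode order (escapes first, dot-segment reduction last, so that %2e%2e is caught) and the choice to normalize only the path part of the request URI are this example's own decisions; the guide does not specify them.

```python
"""Added example, not Check Point code: the 'Normalized URL' transformation next
to the raw 'URL' match. Decode order and path-only scope are this example's
choices, not something the guide states.
"""
import re

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_escapes(path):
    """Decode %XX (as UTF-8 bytes) and IIS-style %uXXXX in a single pass, so a
    decoded '%' is never decoded a second time (the double-encoding evasion).
    Overlong UTF-8 such as %c0%ae is rejected by the decoder and becomes U+FFFD
    rather than '.', which is the safe outcome."""
    buf = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(path):
        buf += path[pos:m.start()].encode("utf-8")
        if m.group(1):
            buf += chr(int(m.group(1), 16)).encode("utf-8", "replace")
        else:
            buf.append(int(m.group(2), 16))
        pos = m.end()
    buf += path[pos:].encode("utf-8")
    return buf.decode("utf-8", "replace")


def remove_dot_segments(path):
    """Reduce '/./' to '/' and 'A/B/../' to 'A/'; '..' never climbs above the root."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if out and out[-1] != "":                  # out[0] == '' marks a rooted path; keep it
                out.pop()
            continue
        out.append(seg)
    result = "/".join(out)
    if path.startswith("/") and not result.startswith("/"):
        result = "/" + result
    return result


def normalize_url(request_uri):
    """Canonical form of the path part of an HTTP request URI; the query is kept as sent."""
    path, sep, query = request_uri.partition("?")
    path = decode_escapes(path)
    path = path.replace("\\", "/")
    path = remove_dot_segments(path)
    return path + sep + query


def content_match(request_uri, content, content_type):
    """Content Type 'URL' matches the raw request URI; 'Normalized URL' matches the canonical form."""
    haystack = request_uri if content_type == "URL" else normalize_url(request_uri)
    return content in haystack


if __name__ == "__main__":
    # Constructed request that hides /etc/passwd behind a backslash, '..' and a %70 escape.
    evasive = "/static/..\\etc/%70asswd"
    print(content_match(evasive, "/etc/passwd", "URL"))             # False
    print(content_match(evasive, "/etc/passwd", "Normalized URL"))  # True
```

Two behaviours are worth checking when you choose between URL and Normalized URL: a doubly encoded %252e is decoded to the literal text %2e and not to a dot, because the server also decodes once, and an overlong %c0%ae never turns into a dot segment, so a filter on ".." is not fooled by it, while the U+FFFD characters it leaves behind are themselves a sign of a malformed request.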