Descriptions of Other Options
When configuring a signature set, you can also configure other protocol-related options. The available options vary by protocol type. This section describes the options for each protocol in detail.
DNS
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
FTP
Action for brute-force: If the number of failed login attempts within one minute exceeds the configured threshold, StoneOS treats the attempts as an intrusion and blocks the attacker as configured.
- Brute-force: Select the Enable check box to enable brute-force protection.
- Login threshold per min: Specifies the number of authentication/login failures permitted per minute. The value range is 1 to 100000.
- Block by: Blocks the IP address or the service of the attacker whose login failure count exceeds the threshold.
- Block duration: Specifies how long the attacker IP or service stays blocked. The value range is 60 to 3600 seconds.
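The following is an added example, not StoneOS code, that replays constructed FTP log lines through the brute-force semantics described above (failure threshold per minute, block by IP or by service, block duration); the same options appear below for POP3, SMTP, Telnet and MSRPC. Assumptions not stated by the page: a login failure is a 530 reply, the one-minute window slides, a block is triggered when the count exceeds (not merely reaches) the threshold, "block by service" keys the block on (source IP, destination port) while "block by IP" keys it on the source IP alone.

```python
# Added example, not StoneOS code: brute-force threshold and block semantics.
# Assumptions (not stated by the page): failure = 530 reply, sliding 60 s
# window, block when count > threshold, "service" = (src_ip, dst_port).
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List


class BruteForceGuard:
    def __init__(self, threshold_per_min: int, block_by: str = "ip",
                 block_duration: int = 60) -> None:
        if not 1 <= threshold_per_min <= 100000:
            raise ValueError("login threshold per min must be 1..100000")
        if not 60 <= block_duration <= 3600:
            raise ValueError("block duration must be 60..3600 seconds")
        if block_by not in ("ip", "service"):
            raise ValueError("block by must be 'ip' or 'service'")
        self.threshold = threshold_per_min
        self.block_by = block_by
        self.block_duration = block_duration
        self.failures: Dict[Hashable, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[Hashable, float] = {}

    def _key(self, src_ip: str, dst_port: int) -> Hashable:
        return src_ip if self.block_by == "ip" else (src_ip, dst_port)

    def is_blocked(self, ts: float, src_ip: str, dst_port: int) -> bool:
        key = self._key(src_ip, dst_port)
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if ts >= until:                      # block duration has elapsed
            del self.blocked_until[key]
            return False
        return True

    def login_failed(self, ts: float, src_ip: str, dst_port: int) -> bool:
        """Record one failure; return True when it triggers a block."""
        key = self._key(src_ip, dst_port)
        window = self.failures[key]
        window.append(ts)
        while window and ts - window[0] >= 60:   # keep only the last 60 s
            window.popleft()
        if len(window) > self.threshold:
            self.blocked_until[key] = ts + self.block_duration
            window.clear()
            return True
        return False


# Constructed log lines: "<seconds> <src_ip> <dst_port> <reply_code> <text>".
FTP_LOG = """\
0 203.0.113.7 21 530 Login incorrect.
5 203.0.113.7 21 530 Login incorrect.
10 203.0.113.7 21 530 Login incorrect.
12 198.51.100.9 21 230 Login successful.
15 203.0.113.7 21 530 Login incorrect.
20 203.0.113.7 21 230 Login successful.
90 203.0.113.7 21 530 Login incorrect.
"""


def replay(log: str, guard: BruteForceGuard) -> Dict[str, List[float]]:
    """Return when blocks were triggered and which later events were dropped."""
    out: Dict[str, List[float]] = {"blocked_at": [], "dropped": []}
    for line in log.splitlines():
        ts_s, src, port_s, code, _text = line.split(" ", 4)
        ts, port = float(ts_s), int(port_s)
        if guard.is_blocked(ts, src, port):
            out["dropped"].append(ts)        # even a correct login is refused
            continue
        if code == "530" and guard.login_failed(ts, src, port):
            out["blocked_at"].append(ts)
    return out


if __name__ == "__main__":
    print(replay(FTP_LOG, BruteForceGuard(threshold_per_min=3)))
```

With a threshold of 3, the fourth failure at second 15 triggers the block, and the otherwise valid login at second 20 is dropped until the 60-second block expires. Two limits of this kind of counter are worth keeping in mind: an attacker that spreads attempts over many source addresses stays under a per-source threshold, and blocking by IP punishes every user behind the same NAT address.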
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
Banner protection: Select the Enable check box to enable banner protection, which replaces the FTP server's banner so that the server software and version are not disclosed to clients.
- Banner information: Type the text that replaces the original server banner.
Max command line length: Specifies a max length (including carriage return) for the FTP command line. The value range is 5 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max command line length. StoneOS will take action according to this level.
Max response line length: Specifies a max length for the FTP response line. The value range is 5 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max response line length. StoneOS will take action according to this level.
HTTP
Basic
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
Banner protection: Select the Enable check box to enable banner protection, which replaces the HTTP server's banner so that the server software and version are not disclosed to clients.
- Banner information: Type the text that replaces the original server banner.
Max URI length: Specifies a max URI length for the HTTP protocol. The value range is 64 to 4096 bytes.
- Security level: Specifies a security level for the events that exceed the max URI length. StoneOS will take action according to this level.
Web Server Protection
New: Click the New button and configure Web servers in the Web Server Configuration dialog. The system has a default Web server named "default", which is enabled by default and cannot be disabled or deleted. At most 32 Web servers can be configured (not including the default Web server).
Enable: Select the Web server from the Web server table and click this button to enable it.
Disable: Select the Web server from the Web server table and click this button to disable it.
Edit: Select the Web server from the Web server table and click this button to edit it.
Delete: Select the Web server from the Web server table and click this button to delete it.
Options on the Web Server Configuration dialog are:
Web server name: Specifies the name of the Web server.
Configure Domain: Specifies domains for the Web server. Click this link to open the Configure Domain dialog. At most 5 domains can be configured for one Web server. Domain names are matched from the back (the top-level label) to the front, and the longest match wins. Traffic that matches no configured domain is handled by the default Web server. For example, suppose two Web servers are configured: web_server1 with the domain abc.com and web_server2 with the domain email.abc.com. Traffic to news.abc.com matches web_server1, traffic to www.email.abc.com matches web_server2, and traffic to www.abc.com.cn matches the default Web server. Because the domain that selects the Web server is taken from the client's request, the default Web server should be configured as carefully as the named ones.
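The matching rule above, as an added example that is not StoneOS code. It assumes, beyond what the page states, that matching compares whole DNS labels from the back, case-insensitively, and that the configured domain with the most labels wins; the server names and domains are the ones from the example in the text.

```python
# Added example, not StoneOS code: longest back-to-front domain match with
# fallback to the "default" Web server. Assumption: whole-label comparison.
from typing import Dict, List

DEFAULT_SERVER = "default"
MAX_DOMAINS_PER_SERVER = 5


def _labels(name: str) -> List[str]:
    # "www.Email.abc.com." -> ["www", "email", "abc", "com"]
    return [lbl for lbl in name.strip().lower().rstrip(".").split(".") if lbl]


def match_web_server(host: str, servers: Dict[str, List[str]]) -> str:
    """Return the Web server whose configured domain is the longest label-wise
    suffix of `host`; a host matching no configured domain goes to "default"."""
    host_labels = _labels(host)
    best_name, best_len = DEFAULT_SERVER, 0
    for name, domains in servers.items():
        if len(domains) > MAX_DOMAINS_PER_SERVER:
            raise ValueError(f"{name}: at most {MAX_DOMAINS_PER_SERVER} domains")
        for domain in domains:
            dom_labels = _labels(domain)
            n = len(dom_labels)
            if n == 0 or n > len(host_labels):
                continue
            # compare from the back: the host's last n labels must equal the domain
            if host_labels[-n:] == dom_labels and n > best_len:
                best_name, best_len = name, n
    return best_name


# Constructed configuration mirroring the example in the text.
SERVERS = {
    "web_server1": ["abc.com"],
    "web_server2": ["email.abc.com"],
}


def demo() -> Dict[str, str]:
    hosts = ["news.abc.com", "www.email.abc.com", "www.abc.com.cn",
             "abc.com", "EMAIL.abc.com.", "xyzabc.com"]
    return {h: match_web_server(h, SERVERS) for h in hosts}


if __name__ == "__main__":
    for host, server in demo().items():
        print(f"{host:20} -> {server}")
```

Note the last host: with a plain string suffix test, xyzabc.com would wrongly match abc.com; comparing whole labels keeps it on the default server.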
SQL injection protection: Select the Enable check box to enable SQL injection check for the HTTP protocol.
- Sensitivity: Specifies the sensitivity of the SQL injection check. The higher the sensitivity, the lower the false negative rate, and the higher the false positive rate.
- Check point: Specifies where the SQL injection check looks. It can be the HTTP cookie, HTTP cookie2, HTTP POST body, HTTP referer or HTTP URI. Only the selected check points are inspected; an injection carried in an unselected field is not detected.
- Log only/Reset: Specifies the action taken when SQL injection is detected.
- Log only: Only record the related logs when SQL injection is detected.
- Reset: Reset the TCP connection or send the UDP unreachable packet and record the related logs when SQL injection is detected.
- Block: Select the check box to block the attacker by IP or service. The options are:
- Type: Select the block object: the IP address or the service.
- Duration: Specifies the block duration. The range is from 60 to 3600 seconds.
XSS injection protection: Select the Enable check box to enable XSS injection check for the HTTP protocol.
- Sensitivity: Specifies the sensitivity of the XSS injection check. The higher the sensitivity, the lower the false negative rate, and the higher the false positive rate.
- Check point: Specifies where the XSS injection check looks. It can be the HTTP cookie, HTTP cookie2, HTTP POST body, HTTP referer or HTTP URI. Only the selected check points are inspected.
- Log only/Reset: Specifies the action taken when XSS injection is detected.
- Log only: Only record the related logs when XSS injection is detected.
- Reset: Reset the TCP connection or send the UDP unreachable packet and record the related logs when XSS injection is detected.
- Block: Select the check box to block the attacker by IP or service. The options are:
- Type: Select the block object: the IP address or the service.
- Duration: Specifies the block duration. The range is from 60 to 3600 seconds.
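The following added example, which is not StoneOS code, illustrates the check point and sensitivity options of both the SQL injection and the XSS injection check above. It splits a raw HTTP request into the five check points (URI, Cookie, Cookie2, Referer, POST body) and runs each against pattern sets that grow with the sensitivity level. The patterns, the sensitivity scale of 1 to 3 and the sample requests are constructed for this example; they are not StoneOS signatures.

```python
# Added example, not StoneOS code: injection check points and sensitivity.
# Patterns and the 1..3 sensitivity scale are illustrative, not StoneOS's.
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

CHECK_POINTS = ("uri", "cookie", "cookie2", "referer", "post")

# Level n includes the patterns of all lower levels. Higher sensitivity means
# fewer false negatives but more false positives (see the benign request).
SQLI_PATTERNS = {
    1: [r"\bunion\s+(all\s+)?select\b", r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",
        r";\s*(drop|alter)\s+table\b"],
    2: [r"\bsleep\s*\(", r"\bbenchmark\s*\(", r"--\s*$", r"/\*.*\*/"],
    3: [r"'\s*(or|and)\b", r"\bselect\b.*\bfrom\b", r"\binformation_schema\b"],
}
XSS_PATTERNS = {
    1: [r"<script\b", r"javascript\s*:"],
    2: [r"\bon\w+\s*=", r"<iframe\b", r"<img\b[^>]*\bsrc\b"],
    3: [r"<\s*/?\s*\w+[^>]*>", r"\balert\s*\("],
}


def parse_request(raw: bytes) -> Dict[str, str]:
    """Extract the five check points from a raw request, percent-decoded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    fields = {cp: "" for cp in CHECK_POINTS}
    fields["uri"] = unquote_plus(target)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("cookie", "cookie2", "referer"):
            fields[name] = unquote_plus(value.strip())
    if method.upper() == "POST":
        fields["post"] = unquote_plus(body.decode("latin-1"))
    return fields


def scan(fields: Dict[str, str], patterns: Dict[int, List[str]],
         sensitivity: int, check_points=CHECK_POINTS) -> List[Tuple[str, str]]:
    """Return (check point, pattern) hits for the given sensitivity (1..3)."""
    compiled = [re.compile(p, re.I | re.S)
                for level in range(1, sensitivity + 1)
                for p in patterns.get(level, [])]
    hits = []
    for cp in check_points:            # only configured check points are inspected
        for rx in compiled:
            if rx.search(fields.get(cp, "")):
                hits.append((cp, rx.pattern))
    return hits


# Constructed requests.
REQ_SQLI_URI = (b"GET /items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
                b"Host: shop.example\r\nCookie: session=abc\r\n\r\n")
REQ_XSS_REFERER = (b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
                   b"Referer: http://evil.example/?q=<script>alert(1)</script>\r\n\r\n")
REQ_SQLI_POST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=admin&pass=x%27+AND+%27a%27%3D%27a")
REQ_BENIGN = b"GET /search?q=select+from+the+list HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    print(scan(parse_request(REQ_SQLI_URI), SQLI_PATTERNS, 1))
    # the Referer payload is seen only when Referer is a configured check point
    print(scan(parse_request(REQ_XSS_REFERER), XSS_PATTERNS, 1, ("uri", "post")))
    print(scan(parse_request(REQ_XSS_REFERER), XSS_PATTERNS, 1))
    # the POST payload is caught only at sensitivity 3 ...
    print(scan(parse_request(REQ_SQLI_POST), SQLI_PATTERNS, 2))
    print(scan(parse_request(REQ_SQLI_POST), SQLI_PATTERNS, 3))
    # ... which also flags a harmless search string
    print(scan(parse_request(REQ_BENIGN), SQLI_PATTERNS, 3))
```

The two contrasts a practitioner should take from this run: the XSS payload in the Referer is invisible when only URI and POST are selected as check points, and the sensitivity level that catches the quieter POST injection is the same one that flags the harmless search query, which is the false positive cost the option trades against.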
External link check: Select the Enable check box to enable the external link check for the Web server. This function controls which external resources the Web server may link to.
- External link exception: Click this link to open the External Link Exception Configuration dialog. The URLs configured in this dialog may be linked to by the Web server. At most 32 URLs can be specified for one Web server.
- Log only/Reset: Specifies the action taken when a link to an external resource outside the exception list is detected.
- Log only: Only record the related logs when the external link behavior is detected.
- Reset: Reset the TCP connection or send the UDP unreachable packet and record the related logs when external link behavior is detected.
ACL: Select the Enable check box to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.
- ACL: Click this link to open the ACL Configuration dialog, and specify the websites and their properties there. "Static" means the URI may only be accessed as a static resource (images and text); any other access is handled according to the action specified (log only/reset). "Block" means the resource is not allowed to be accessed at all.
- Log only/Reset: Specifies the action taken when an access that violates the ACL is detected.
- Log only: Only record the related logs when the matched behavior is detected.
- Reset: Reset the TCP connection or send the UDP unreachable packet and record the related logs when matched behavior is detected.
HTTP request flood protection: Select the Enable check box to enable the HTTP request flood protection.
- Request threshold: Specifies the request threshold. When the number of HTTP requests reaches the threshold, the system treats the traffic as an HTTP request flood attack and activates the HTTP request flood protection.
- Authentication: Specifies the authentication method. The system uses it to judge whether the HTTP requests from a source IP are legitimate. If a source IP fails the authentication, its current request is blocked. Choose the proper authentication method from the drop-down list. The available authentication methods are:
- Auto (JS Cookie): The Web browser finishes the authentication automatically by executing the JavaScript in the returned page, which sets a cookie and resends the request.
- Auto (Redirect): The Web browser finishes the authentication automatically by following the HTTP redirect in the returned response.
- Manual (Access Configuration): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.
- Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.
- Crawler-friendly: If this check box is selected, the system does not authenticate requests that it recognizes as coming from a crawler. Note that this exemption also benefits an attacker whose requests are taken for a crawler.
- Request limit: Specifies the request limit for the HTTP request flood protection. After configuring the request limit, the system limits the request rate of each source IP. If the request rate of a source IP is higher than the limit while the HTTP request flood protection is active, the system handles the exceeding requests according to the action specified (Block IP/Reset).
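A minimal model of the request threshold, the Auto (JS Cookie) authentication and the per-source request limit, added here as an example and not taken from StoneOS. It assumes, beyond what the page states, that the challenge cookie is an HMAC over the source IP and a five-minute time bucket, that a client which executes the returned JavaScript re-requests with that cookie, and that the per-source limit is enforced only while the protection is active; the secret, cookie name and addresses are constructed.

```python
# Added example, not StoneOS code: request threshold, JS-cookie challenge and
# per-source request limit. Assumptions: HMAC(src_ip, time bucket) cookie,
# limit enforced only while the protection is active.
import hashlib
import hmac
from typing import Dict, Tuple

SECRET = b"constructed-demo-secret"   # a real device would use a per-box, rotated key
COOKIE = "chal"
BUCKET_SECONDS = 300


def challenge_token(src_ip: str, bucket: int) -> str:
    msg = f"{src_ip}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def challenge_page(src_ip: str, now: float) -> str:
    """Body returned instead of the content: a browser runs it and retries
    with the cookie; a script that never executes JavaScript never gets in."""
    tok = challenge_token(src_ip, int(now // BUCKET_SECONDS))
    return (f'<html><script>document.cookie="{COOKIE}={tok}; path=/";'
            "location.reload();</script></html>")


def cookie_valid(src_ip: str, cookie_header: str, now: float) -> bool:
    bucket = int(now // BUCKET_SECONDS)
    for part in cookie_header.split(";"):
        name, _, val = part.strip().partition("=")
        if name == COOKIE and val.isalnum():
            # accept the current and the previous bucket so a challenge issued
            # just before a bucket boundary still verifies
            return any(hmac.compare_digest(val, challenge_token(src_ip, b))
                       for b in (bucket, bucket - 1))
    return False


class FloodGuard:
    def __init__(self, request_threshold: int, request_limit: int) -> None:
        self.threshold = request_threshold   # total requests/s that activate protection
        self.limit = request_limit           # requests/s allowed per source once active
        self.total: Dict[int, int] = {}
        self.per_src: Dict[Tuple[str, int], int] = {}

    def handle(self, src_ip: str, cookie_header: str, now: float) -> str:
        """Return "pass", "challenge" (send challenge_page) or "reset"
        (the configured action for requests over the per-source limit)."""
        sec = int(now)
        self.total[sec] = self.total.get(sec, 0) + 1
        self.per_src[(src_ip, sec)] = self.per_src.get((src_ip, sec), 0) + 1
        if self.total[sec] < self.threshold:
            return "pass"                    # below the request threshold
        if not cookie_valid(src_ip, cookie_header, now):
            return "challenge"
        if self.per_src[(src_ip, sec)] > self.limit:
            return "reset"
        return "pass"


if __name__ == "__main__":
    g, now = FloodGuard(request_threshold=5, request_limit=3), 1700000000.0
    print([g.handle("203.0.113.50", "", now) for _ in range(6)])      # bot without JS
    tok = challenge_token("198.51.100.20", int(now // BUCKET_SECONDS))
    print(g.handle("198.51.100.20", f"{COOKIE}={tok}", now))          # browser after challenge
    print(g.handle("203.0.113.50", f"{COOKIE}={tok}", now))           # copied cookie, wrong IP
```

Binding the token to the source address is what stops a flood tool from solving the challenge once and replaying the cookie from many addresses. The challenge only proves that the client ran JavaScript, so a headless browser passes it; the request limit is what still caps such a client.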
Allowed methods: Specifies allowed HTTP method(s).
XSS check: Select the Enable check box to enable XSS check for the HTTP protocol.
SQL check: Select the Enable check box to enable SQL injection check for the HTTP protocol.
Command injection check: Select the Enable check box to enable command injection check for the HTTP protocol.
POP3
Action for brute-force: If the number of failed login attempts within one minute exceeds the configured threshold, StoneOS treats the attempts as an intrusion and blocks the attacker as configured.
- Brute-force: Select the Enable check box to enable brute-force protection.
- Login threshold per min: Specifies the number of authentication/login failures permitted per minute. The value range is 1 to 100000.
- Block by: Blocks the IP address or the service of the attacker whose login failure count exceeds the threshold.
- Block duration: Specifies how long the attacker IP or service stays blocked. The value range is 60 to 3600 seconds.
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
Banner protection: Select the Enable check box to enable banner protection, which replaces the POP3 server's banner so that the server software and version are not disclosed to clients.
- Banner information: Type the text that replaces the original server banner.
Max command line length: Specifies a max length (including carriage return) for the POP3 command line. The value range is 5 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max command line length. StoneOS will take action according to this level.
Max parameter length: Specifies a max length for the POP3 client command parameter. The value range is 8 to 256 bytes.
- Security level: Specifies a security level for the events that exceed the max parameter length. StoneOS will take action according to this level.
Max failure time: Specifies the maximum number of failures (error replies) permitted from the POP3 server within a single POP3 session. The value range is 0 to 512.
- Security level: Specifies a security level for the events that exceed the max failure time. StoneOS will take action according to this level.
SMTP
Action for brute-force: If the number of failed login attempts within one minute exceeds the configured threshold, StoneOS treats the attempts as an intrusion and blocks the attacker as configured.
- Brute-force: Select the Enable check box to enable brute-force protection.
- Login threshold per min: Specifies the number of authentication/login failures permitted per minute. The value range is 1 to 100000.
- Block by: Blocks the IP address or the service of the attacker whose login failure count exceeds the threshold.
- Block duration: Specifies how long the attacker IP or service stays blocked. The value range is 60 to 3600 seconds.
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
Banner protection: Select the Enable check box to enable banner protection, which replaces the SMTP server's banner so that the server software and version are not disclosed to clients.
- Banner information: Type the text that replaces the original server banner.
Max command line length: Specifies a max length (including carriage return) for the SMTP command line. The value range is 5 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max command line length. StoneOS will take action according to this level.
Max path length: Specifies a max length for the reverse-path and forward-path field in the SMTP client command. The value range is 16 to 512 bytes (including punctuation marks).
- Security level: Specifies a security level for the events that exceed the max path length. StoneOS will take action according to this level.
Max reply line length: Specifies a max reply line length for the SMTP server. The value range is 64 to 1024 bytes (including carriage return).
- Security level: Specifies a security level for the events that exceed the max reply line length. StoneOS will take action according to this level.
Max text line length: Specifies a max length for the E-mail text of the SMTP client. The value range is 64 to 2048 bytes (including carriage return).
- Security level: Specifies a security level for the events that exceed the max text line length. StoneOS will take action according to this level.
Max content type length: Specifies a max length for the Content-Type field. The value range is 64 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max Content-Type length. StoneOS will take action according to this level.
Max content filename length: Specifies a max length for the filename of an E-mail attachment. The value range is 64 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max content filename length. StoneOS will take action according to this level.
Max failure time: Specifies the maximum number of failures (error replies) permitted from the SMTP server within a single SMTP session. The value range is 0 to 512.
- Security level: Specifies a security level for the events that exceed the max failure time. StoneOS will take action according to this level.
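The following added example, not StoneOS code, applies the SMTP length limits described above to a constructed client/server exchange; the same logic covers the FTP and POP3 command line, response line and failure options. It assumes, beyond what the page states, that line lengths are counted in bytes including the CRLF where the option says so, that the reverse-path/forward-path is the angle-bracketed argument of MAIL FROM and RCPT TO, and that a "failure" is any 4xx or 5xx server reply. The limit values are arbitrary choices inside the documented ranges.

```python
# Added example, not StoneOS code: SMTP length and failure-count limits run
# over a constructed exchange. Assumptions: byte counts include CRLF, path =
# the <...> argument of MAIL FROM / RCPT TO, failure = 4xx/5xx reply.
import re
from collections import Counter
from typing import Dict, List, Tuple

LIMITS: Dict[str, int] = {
    "max_command_line": 512,   # 5..1024 bytes, including CRLF
    "max_path": 256,           # 16..512 bytes, including punctuation
    "max_reply_line": 512,     # 64..1024 bytes, including CRLF
    "max_text_line": 1000,     # 64..2048 bytes, including CRLF
    "max_failures": 3,         # 0..512 per session
}
PATH_RE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*(<[^>]*>)", re.IGNORECASE)


def check_session(exchange: List[Tuple[str, bytes]],
                  limits: Dict[str, int] = LIMITS) -> List[Tuple[str, bytes]]:
    """exchange: ("C"|"S", raw line incl. CRLF). Returns (limit, line) events."""
    events: List[Tuple[str, bytes]] = []
    failures = 0
    in_data = False
    for side, line in exchange:
        if side == "S":
            if len(line) > limits["max_reply_line"]:
                events.append(("max_reply_line", line))
            if line[:1] in (b"4", b"5"):
                failures += 1
                if failures > limits["max_failures"]:
                    events.append(("max_failures", line))
            elif line.startswith(b"354"):
                in_data = True                   # message text follows
            continue
        if in_data:                              # client is sending the message body
            if line == b".\r\n":
                in_data = False
            elif len(line) > limits["max_text_line"]:
                events.append(("max_text_line", line))
            continue
        if len(line) > limits["max_command_line"]:
            events.append(("max_command_line", line))
        m = PATH_RE.match(line)
        if m and len(m.group(2)) > limits["max_path"]:
            events.append(("max_path", line))
    return events


# Constructed exchange; over-long pieces are built rather than typed out.
EXCHANGE: List[Tuple[str, bytes]] = [
    ("S", b"220 mail.example ESMTP\r\n"),
    ("C", b"EHLO client.example\r\n"),
    ("S", b"250 mail.example\r\n"),
    ("C", b"HELP " + b"x" * 600 + b"\r\n"),                   # 607 bytes > 512
    ("S", b"500 Line too long\r\n"),                          # failure 1
    ("C", b"MAIL FROM:<alice@example.org>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"RCPT TO:<nobody1@example.org>\r\n"), ("S", b"550 No such user\r\n"),  # 2
    ("C", b"RCPT TO:<nobody2@example.org>\r\n"), ("S", b"550 No such user\r\n"),  # 3
    ("C", b"RCPT TO:<nobody3@example.org>\r\n"), ("S", b"550 No such user\r\n"),  # 4 > 3
    ("C", b"RCPT TO:<" + b"a" * 300 + b"@example.org>\r\n"),  # path 314 bytes > 256
    ("S", b"501 Syntax error\r\n"),                           # failure 5
    ("C", b"RCPT TO:<bob@example.org>\r\n"), ("S", b"250 OK\r\n"),
    ("C", b"DATA\r\n"), ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"Subject: hi\r\n"),
    ("C", b"A" * 1100 + b"\r\n"),                             # text line > 1000
    ("C", b".\r\n"), ("S", b"250 Queued\r\n"),
    ("C", b"QUIT\r\n"), ("S", b"221 Bye\r\n"),
]


def summarize(exchange: List[Tuple[str, bytes]] = EXCHANGE) -> Dict[str, int]:
    return dict(Counter(name for name, _ in check_session(exchange)))


if __name__ == "__main__":
    print(summarize())
```

One edge worth checking on a real box: because the command line limit counts the CRLF, the minimum value of 5 is smaller than a bare QUIT (6 bytes), so the lower end of the range is not a usable setting for live traffic.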
Telnet
Action for brute-force: If the number of failed login attempts within one minute exceeds the configured threshold, StoneOS treats the attempts as an intrusion and blocks the attacker as configured.
- Brute-force: Select the Enable check box to enable brute-force protection.
- Login threshold per min: Specifies the number of authentication/login failures permitted per minute. The value range is 1 to 100000.
- Block by: Blocks the IP address or the service of the attacker whose login failure count exceeds the threshold.
- Block duration: Specifies how long the attacker IP or service stays blocked. The value range is 60 to 3600 seconds.
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
Username/Password max length: Specifies a max length for the username and password used in Telnet. The value range is 64 to 1024 bytes.
- Security level: Specifies a security level for the events that exceed the max username/password length. StoneOS will take action according to this level.
Other-TCP/Other-UDP/IMAP/Finger/NNTP/TFTP/SNMP/MySQL/MSSQL/ORACLE/NetBIOS/DHCP/LDAP/VoIP
Max scan length: Specifies the maximum number of payload bytes that the engine scans for signatures. The value range is 0 to 65535 bytes. Payload beyond the scan length is not inspected, so a small value reduces inspection cost but can miss signatures that appear later in the data.
SUNRPC
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
MSRPC
Action for brute-force: If the number of failed login attempts within one minute exceeds the configured threshold, StoneOS treats the attempts as an intrusion and blocks the attacker as configured.
- Brute-force: Select the Enable check box to enable brute-force protection.
- Login threshold per min: Specifies the number of authentication/login failures permitted per minute. The value range is 1 to 100000.
- Block by: Blocks the IP address or the service of the attacker whose login failure count exceeds the threshold.
- Block duration: Specifies how long the attacker IP or service stays blocked. The value range is 60 to 3600 seconds.
Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.
- Strict: When the check level is set to Strict, any protocol anomaly detected during parsing is handled according to its security level: StoneOS takes, against the offending packets, the action configured for the corresponding attack level.
- Loose: When the check level is set to Loose, a protocol anomaly detected during parsing is only logged, and the traffic is passed on to the engine for signature matching.
Max bind length: Specifies a max length for MSRPC's binding packets. The value range is 16 to 65535 bytes.
- Security level: Specifies a security level for the events that exceed the max bind length. StoneOS will take action according to this level.
Max request length: Specifies a max length for MSRPC's request packets. The value range is 16 to 65535 bytes.
- Security level: Specifies a security level for the events that exceed the max request length. StoneOS will take action according to this level.