TMS zl Management and Configuration Guide ST.1.1.100226

6-16
Intrusion Detection and Prevention
Threat Detection and Prevention
Protocol Anomaly Detection
Protocol anomaly detection looks for irregularities in a protocol's payload as
it crosses the network. Because protocol anomalies target an application, the
attack indicators are carried inside the packet payload rather than in the
packet headers. Detecting them requires buffering the packets, decoding the
application protocol, and keeping basic state for each flow, such as whether
the session is open or authenticated.
Protocol anomaly detection is powerful because it does not need a prior
signature to detect certain classes of attacks; it can catch some zero-day
attacks before signatures are published. This narrows the window of
vulnerability that typically exists during the first hours or days after a new
attack is launched. It is also powerful because it inspects the packet payload,
so it detects attacks that would otherwise pass straight through a
packet-filtering firewall, which examines only headers.
Another useful property of protocol anomaly detection is its resistance to
polymorphism and other evasion techniques. Because it does not match an
explicit byte pattern, the IDS still detects variants of an attack. For the
same reason it does not depend on constant signature updates, which reduces
administrative overhead.
The TMS zl Module detects anomalies in the following protocols by default:
HTTP
    Check for URL decoding in the URL request
    Check for directory traversal beyond the root directory
    Check for NULL method
    Check for evasion techniques
    Check for the length of the URL request (user-configurable)
    Check for a number of lines per header that exceeds the maximum limit (user-configurable)
    Check for the MIME header size (user-configurable)
    Check for the number of MIME headers (user-configurable)
    Check for the MIME header line length (user-configurable)
SMTP
    Ensure that the command line does not exceed 512 bytes
    Check the recursive boundary depth in SMTP data
    Check for a header length that exceeds the maximum limit (user-configurable)
FTP
    Ensure that the command line does not exceed 512 bytes
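The following is an added illustration of how checks of this kind work, written for this guide's readers and not code from the TMS zl Module itself. It implements the HTTP checks listed above (URL decoding, traversal beyond the root, NULL method, a few evasion tricks, URL length, header-line count, total header size and header-line length) plus the SMTP/FTP 512-byte command-line check, and runs them over constructed sample requests. The threshold values in DEFAULT_LIMITS and the anomaly tag names are hypothetical; the guide says the limits are user-configurable but does not state shipped defaults.

```python
"""Added example (not TMS zl Module code): HTTP/SMTP/FTP protocol-anomaly
checks modelled on the guide's list, run over constructed sample requests."""
import re
from urllib.parse import unquote

# Hypothetical defaults; the guide calls these user-configurable but gives no values.
DEFAULT_LIMITS = {
    "max_url_len": 1024,
    "max_header_lines": 32,
    "max_header_size": 4096,
    "max_header_line_len": 512,
}
SMTP_FTP_MAX_CMD_LINE = 512  # bytes including CRLF, per the guide (SMTP: RFC 5321 4.5.3.1.4)

TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token chars
UENC_RE = re.compile(r"%u[0-9A-Fa-f]{4}")                  # non-standard %uXXXX encoding


def decode_url(target, max_rounds=3):
    """Percent-decode until the string stops changing; return (decoded, rounds).
    One round is normal encoding; two or more means the client double-encoded,
    which is how '../' is slipped past checks that decode only once."""
    cur, rounds = target, 0
    while rounds < max_rounds:
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def traversal_depth(path):
    """Lowest directory depth reached while walking path; < 0 means a '..'
    segment climbed above the document root."""
    depth = lowest = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth = depth - 1 if seg == ".." else depth + 1
        lowest = min(lowest, depth)
    return lowest


def check_http_request(raw, limits=None):
    """Return a list of short anomaly tags for one raw HTTP request head (bytes).
    An empty list means no anomaly was found."""
    lim = dict(DEFAULT_LIMITS, **(limits or {}))
    findings = []
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]

    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, target, _version = parts

    if method == "" or not TOKEN_RE.match(method):      # NULL / bogus method
        findings.append("null-method")
    if len(target) > lim["max_url_len"]:                 # length of the URL request
        findings.append("url-too-long")

    decoded, rounds = decode_url(target)                 # URL decoding check
    if rounds >= 2:
        findings.append("double-encoding")
    if any(ord(c) < 0x20 for c in decoded):              # NUL or control byte smuggled in
        findings.append("control-char-in-url")

    if UENC_RE.search(target):                           # evasion techniques
        findings.append("u-encoding")
    if "\\" in decoded:
        findings.append("backslash-separator")
    path = decoded.split("?", 1)[0].replace("\\", "/")   # normalise before walking
    if "/./" in path or "//" in path:
        findings.append("dot-or-empty-segment")
    if traversal_depth(path) < 0:                        # traversal beyond root
        findings.append("traversal-beyond-root")

    if len(header_lines) > lim["max_header_lines"]:      # lines per header
        findings.append("too-many-header-lines")
    if sum(len(h) + 2 for h in header_lines) > lim["max_header_size"]:
        findings.append("headers-too-large")             # total MIME header size
    if any(len(h) > lim["max_header_line_len"] for h in header_lines):
        findings.append("header-line-too-long")          # MIME header line length
    return findings


def command_line_too_long(line):
    """SMTP/FTP check: a command line, CRLF included, must not exceed 512 bytes."""
    return len(line) > SMTP_FTP_MAX_CMD_LINE


# Constructed sample traffic (not captured data), one request per check of interest.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "traversal": b"GET /cgi-bin/..%252f..%252f..%252fetc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "null_method": b" /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "backslash": b"GET /..\\..\\windows\\win.ini HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "long_url": b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "many_headers": b"GET / HTTP/1.1\r\n" + b"\r\n".join([b"X-Pad: y"] * 40) + b"\r\n\r\n",
}


def run_samples():
    """Map each sample name to the anomaly tags raised for it."""
    return {name: check_http_request(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:13s} {findings or 'clean'}")
    print("oversized MAIL FROM:",
          command_line_too_long(b"MAIL FROM:<" + b"a" * 600 + b"@example.test>\r\n"))
```

Note that the traversal sample is caught only because decode_url keeps decoding until the string is stable: a single unquote() turns `%252f` into `%2f`, which a one-pass check would not recognise as a path separator. Real inspection engines also have to reassemble the request across TCP segments before any of these checks can run, which is the buffering and flow state the text above refers to.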