TMS zl Management and Configuration Guide ST.1.2.100916

1-37
Overview
IDS/IPS
IPS Subscription. The TMS zl Module requires a subscription to download
and update IDS/IPS signatures. The module supports these subscriptions:
HP Threat Management Services 1-year IDS/IPS Subscription (J9157A)
HP Threat Management Services 2-year IDS/IPS Subscription (J9158A)
HP Threat Management Services 3-year IDS/IPS Subscription (J9159A)
You can also purchase a module with a subscription: the HP Threat
Management Services zl Module with 1-year IDS/IPS Subscription (J9156A).
You cannot transfer an IDS/IPS signature subscription from one module to
another unless the first module becomes inoperable; in that case you can
transfer the subscription to its replacement. For instructions on obtaining,
installing, and managing the HP Threat Management Services IPS
subscriptions, see “Register the IDS/IPS Signature Subscription” in Chapter 6:
“Intrusion Detection and Prevention.”
Protocol Anomaly Detection
Using protocol-anomaly detection, the TMS zl Module looks for anomalies at
the application level of the packet payload. Each application protocol specifies
particular policies and behavior. The TMS zl Module examines traffic to
verify that traffic for a particular application behaves as expected. This type
of detection requires the module to examine each packet in a session in
context with other packets in that session. The module must buffer packets,
decode protocols, and maintain basic information about each open session
(which is defined as the flow of traffic between a particular source address
and port and a destination address and port).
By default, the TMS zl Module provides protocol-anomaly detection for the
following applications:
HTTP
Check for URL decoding in the URL request
Check for directory traversal beyond the root directory
Check for NULL method
Check for evasion techniques
Check for the length of the URL request (user-configurable)
Check for a number of lines per header that exceeds the maximum
limit (user-configurable)
Check for a MIME header size that exceeds the maximum limit (user-configurable)
Check for the number of MIME headers
Check for the MIME header line length
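As an added illustration of the HTTP protocol-anomaly checks listed above (example code written for this page, not TMS zl Module code), the following Python checker applies several of those checks to a constructed request header block; the threshold values, sample requests and anomaly names are assumptions for the example, not the module's defaults.

```python
from urllib.parse import unquote

# Limits modelled on the guide's user-configurable thresholds; values are assumptions.
LIMITS = {"url_len": 2048, "header_lines": 64,
          "header_line_len": 1024, "mime_header_bytes": 8192}
# Constructed sample requests, not captured traffic.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TRAVERSAL = b"GET /img/%2e%2e/%2e%2e/secret.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"

def decode_url(url):
    """Percent-decode until stable so a double-encoded '%252e' is seen as '.'."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url

def escapes_root(path):
    """True when '..' segments climb above the document root."""
    depth = 0
    for seg in path.split("?", 1)[0].replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def check_http_request(raw):
    """Return the anomaly names found in one request's header block."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, url = (lines[0].decode("latin-1").split(" ") + ["", ""])[:2]
    if not method.isalpha():                 # NULL or malformed method token
        findings.append("null-method")
    if len(url) > LIMITS["url_len"]:
        findings.append("url-too-long")
    decoded = decode_url(url)
    if decoded != url:                       # request used URL encoding
        findings.append("url-encoded")
    if escapes_root(decoded):                # traversal beyond the root
        findings.append("directory-traversal")
    if len(lines) - 1 > LIMITS["header_lines"]:
        findings.append("too-many-header-lines")
    if any(len(h) > LIMITS["header_line_len"] for h in lines[1:]):
        findings.append("header-line-too-long")
    if len(head) > LIMITS["mime_header_bytes"]:
        findings.append("mime-header-too-large")
    return findings
```

Each check is evaluated on the decoded request, which is why the traversal sample is reported even though its `..` segments arrive percent-encoded.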