Config

	Configuration parameters
advICE :Intrusions : Config

FAQ

Oh my gosh, I'm being HACKED!!!

How do I report the hacker to my ISP?

I'm seeing lots of attacks, is this normal?

Summary Most of the configuration parameters are documented under the intrusion detection to which they apply. Global parameters which affect the overall operation of the product are defined here.
Details
The syntax of a parameter in the configuration file is parameter=value. For example, to specify that FTP analysis be done on port 99, use the command tcpport.FTP=99. The default value of each parameter is given in the second column of the configuration table.
The trust parameters can be used to eliminate reports of incidents which occur as part of your normal network operation. For example, if you use the network to backup your system every night, you might want to trust the backup system as an intruder, because it is likely to trigger several file-access intrusions when it accesses sensitive files.

configuration for this item

tcpport.FTP 21 The port on which FTP analysis is done. Several ports can be specified by including a different tcpport configuration line for each port

tcpport.TELNET 23 The port on which TELNET analysis is done.

tcpport.SMTP 25 The port on which SMTP analysis is done.

tcpport.DNS 53 The port on which DNS analysis is done.

tcpport.FINGER 79 The port on which FINGER analysis is done.

tcpport.HTTP 80 The port on which HTTP analysis is done.

tcpport.POP3 110 The port on which POP3 analysis is done.

tcpport.IDENT 113 The port on which IDENT analysis is done.

tcpport.MSRPC 135 The port on which MSRPC analysis is done.

tcpport.NETBIOS 139 The port on which NETBIOS analysis is done.

tcpport.IMAP4 143 The port on which IMAP4 analysis is done.

tcpport.RLOGIN 513 The port on which RLOGIN analysis is done.

tcpport.SQL 2025 and 1433 The port on which SQL analysis is done.

tcpport.SOCKS 1080 The port on which SQL analysis is done.

tcpport.IRC 7777 and 8888 The port on which IRC analysis is done.

irc.low1 6660 An additional minimum port on which IRC analysis is done.

irc.high1 6669 An additional maximum port on which IRC analysis is done.

irc.low1 7000 An additional minimum port on which IRC analysis is done.

irc.high1 7002 An additional maximum port on which IRC analysis is done.

http.heuristic on A heuristic is used to determine whether HHTP traffic is being used on a port other than port 80. To disable this heuristic, specify a value of off for this parameter.

ip.checksum on Specify off to disable the IP checksum calculation.

tcp.checksum on Specify off to disable the TCP checksum calculation.

udp.checksum on Specify off to disable the UDP checksum calculation.

trust.address none A list of intruder IP addresses which are not to be reported.

trust.issue none A list of issues which are not to be reported.

trust.pair none A list of IP address,issue pairs which are not to be reported. For example, to trust issue 2002701 from 192.68.0.1, use the command trust.pair=192.68.0.1,2002701.

 
Version appeared:

Configuration parameters