Anti-evasion settings control the network engine handling of abnormal packets that
may be attempting to evade analysis. Anti evasion settings are configured in a policy
or an individual computer. The Security Posture setting controls how rigorous intrusion
prevention analyzes packets, and can be set to one of the following values:
- Normal: Prevents the evasion of intrusion prevention rules without false positives. This is the default value.
- Strict: Performs more stringent checking than Normal mode but can produce some false-positive results. Strict mode is useful for penetration testing but should not be enabled under normal circumstances.
- Custom: If you select Custom, additional settings are available that enable you to specify how the agent will handle issues with packets. For these settings (with the exception of TCP Timestamp PAWS Window), the options are Allow (the agent sends the packet through to the system) or Deny Silent (same behavior as Deny, but no event is logged):
 |
NoteDeny (the agent drops the packet and logs an event) is not a customizable option.
|
|
Setting
|
Description
|
Normal value
|
Strict value
|
Default custom value (pre-10.2)
|
Default custom value (10.2 or later)
|
|
Invalid TCP Timestamps
|
Action to take when a TCP timestamp is too old
|
Ignore (same function as Allow)
|
Deny
|
Deny
|
Ignore (same function as Allow)
|
|
TCP Timestamp PAWS Window
|
Packets can have timestamps. When a timestamp has an earlier timestamp than the one
that came before it, it can be suspicious. The tolerance for the difference in timestamps
depends on the operating system. For Windows systems, select 0 (the system will only
accept packets with a timestamp that is equal to or newer than the previous packet).
For Linux systems, select 1 (the system will accept packets with a timestamp that
is a maximum of one second earlier than the previous packet).
|
1 for Linux agents, otherwise 0
|
1 for Linux agents, otherwise 0
|
0
|
1 for Linux agents, otherwise 0
|
|
Timestamp PAWS Zero Allowed
|
Action to take when a TCP timestamp is zero
|
Deny for Linux agents or NDIS5, otherwise Allow
|
Deny for Linux agents or NDIS5, otherwise Allow
|
Deny
|
Deny for Linux agents or NDIS5, otherwise Allow
|
|
Fragmented Packets
|
Action to take when a packet is fragmented
|
Allow
|
Allow
|
Deny
|
Allow
|
|
TCP Zero Flags
|
Action to take when a packet has zero flags set
|
Deny
|
Deny
|
Deny
|
Deny
|
|
TCP Congestion Flags
|
Action to take when a packet has congestion flags set
|
Allow
|
Allow
|
Deny
|
Allow
|
|
TCP Urgent Flags
|
Action to take when a packet has urgent flags set
|
Allow
|
Deny
|
Deny
|
Allow
|
|
TCP Syn Fin Flags
|
Action to take when a packet has both SYN and FIN flags set
|
Deny
|
Deny
|
Deny
|
Deny
|
|
TCP Syn Rst Flags
|
Action to take when a packet has both SYN and RST flags set
|
Deny
|
Deny
|
Deny
|
Deny
|
|
TCP Rst Fin Flags
|
Action to take when a packet has both RST and FIN flags set
|
Deny
|
Deny
|
Deny
|
Deny
|
|
TCP Syn with Data
|
Action to take when a packet has a SYN flag set and also contains data
|
Deny
|
Deny
|
Deny
|
Deny
|
|
TCP Split Handshake
|
Action to take when a SYN is received instead of SYN-ACK, as a reply to a SYN.
|
Deny
|
Deny
|
Deny
|
Deny
|
|
RST Packet Out of Connection
|
Action to take for a RST packet without a known connection
|
Allow
|
Deny
|
Deny
|
Allow
|
|
FIN Packet Out of Connection
|
Action to take for a FIN packet without a known connection
|
Allow
|
Deny
|
Deny
|
Allow
|
|
OUT Packet Out of Connection
|
Action to take for an outgoing packet without a known connection
|
Allow
|
Deny
|
Deny
|
Allow
|
|
Evasive Retransmit
|
Action to take for a packet with duplicated or overlapping data
|
Allow
|
Deny
|
Deny
|
Allow
|
|
TCP Checksum
|
Action to take for a packet with an invalid checksum
|
Allow
|
Deny
|
Deny
|
Allow
|