This article provides information on how to adjust the threshold value for a protocol anomaly, via NSM, for ISG-IDP or stand-alone IDP security devices.

The triggered protocol anomaly for numerous attack signatures can be seen in the NSM Log Viewer, when it is detected to be above the preset threshold.

Many IDP Protocol anomalies thresholds can be adjusted as required. For example, HTTP:Too many parameters.


In the following image, the protocol anomaly is triggered when it detects an HTTP request with the number of parameters above the preset threshold.

 

The default IDP Protocol anomaly thresholds may trigger false positives in your environment.

The threshold value for protocol anomaly can be adjusted on NSM.

1. For stand-alone IDP, edit the device on NSM and go to Sensor Settings. Under Sensor Settings, click the Protocols Thresholds and Configuration tab, and adjust the threshold value for the required protocol.
   
   

   

   
   
   As per the above example, the threshold for the HTTP :Too many parameters protocol anomaly can be modified under HTTP > Maximum Request length.


2. To achieve the same for ISG-IDP 1000/2000, edit the security device on NSM and go to Security > IDP SM Settings. Under IDP SM Settings, click Protocol Thresholds and Configuration and adjust the threshold value for the required protocol.
   
   

   

For more information on attach signatures, refer to the following link:

http://services.netscreen.com/documentation/signatures/