@ -97,32 +97,33 @@ Anomalies are reported by and configured by type:
Metadata::
Metadata::
- anomaly:
- anomaly:
# Anomaly log records describe unexpected conditions such as truncated packets, packets
# Anomaly log records describe unexpected conditions such as truncated packets,
# with invalid IP/UDP/TCP length values, and other events that render the packet
# packets with invalid IP/UDP/TCP length values, and other events that render
# invalid for further processing or describe unexpected behavior on an established stream.
# the packet invalid for further processing or describe unexpected behavior on
# Networks which experience high occurrences of anomalies may experience packet processing
# an established stream. Networks which experience high occurrences of
# degradation.
# anomalies may experience packet processing degradation.
#
#
# Anomalies are reported for the following:
# Anomalies are reported for the following:
# 1. Decode: Values and conditions that are detected while decoding individual packets.
# 1. Decode: Values and conditions that are detected while decoding individual
# This includes invalid or unexpected values for low-level protocol lengths as well
# packets. This includes invalid or unexpected values for low-level protocol
# as stream related events (TCP 3-way handshake issues, unexpected sequence number, etc).
# lengths as well.
# 2. Stream: This includes stream related events (TCP 3-way handshake issues, unexpected
# 2. Stream: This includes stream related events (TCP 3-way handshake issues,
# sequence number, etc).
# unexpected sequence number, etc).
# 3. Application layer: These denote application layer specific conditions that are unexpected,
# 3. Application layer: These denote application layer specific conditions that
# invalid or are unexpected given the application monitoring state.
# are unexpected, invalid or are unexpected given the application monitoring
#
# state.
# By default, anomaly logging is disabled. When anomaly logging is enabled, application-layer anomaly
#
# reporting is enabled.
# By default, anomaly logging is disabled. When anomaly logging is enabled,
#
# application-layer anomaly reporting is enabled.
# Choose one or both types of anomaly logging and whether to enable
#
# logging of the packet header for packet anomalies.
# Choose one or both types of anomaly logging and whether to enable
types:
# logging of the packet header for packet anomalies.
#decode: no
types:
#stream: no
#decode: no
#applayer: yes
#stream: no
#packethdr: no
#applayer: yes
#packethdr: no
HTTP
HTTP
~~~~
~~~~
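Review bot: item 1 of the rewrapped comment block now ends in a dangling fragment, since the stream events were moved into the new item 2 but the trailing "as well" was kept: `# lengths as well.` should read `# lengths.` (the sentence no longer has a second object for "as well as"). Two smaller points in the same block: the line `# Choose one or both types of anomaly logging and whether to enable` is carried over unchanged even though the list above it now describes three types (decode, stream, application layer) and the `types:` block has three matching keys, so "one or more" would be accurate; and item 3 still reads "are unexpected, invalid or are unexpected given the application monitoring state", which repeats "unexpected" and could be tightened while these lines are being touched.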