Monitoring for high port incidents
In some organizations, firewalls allow connections for high-port applications such as peer-to-peer (P2P) clients. This traffic can occur over any port and may be interspersed with a great deal of random data. To identify potential areas of investigation without overwhelming the server with traffic, you can create a sampling protocol.
To create a sampling protocol:
- Select System > Settings > Protocols from the navigation bar.
- Click Add Protocol.
- Enter a name for the protocol in the Name field.
- In the Recognition section of the page, enter the following into the Ports field: 1025-36355. This entry instructs the protocol to match any high-port traffic.
- In the Filtering section of the page, enter the following into the Sampling field: 100. This value reduces the number of streams created that Symantec Data Loss Prevention inspects. Adjust this number based on the server's ability to process the new traffic in a timely fashion.
- Click Save.
- Look for the new protocol at the end of the protocol list. If the protocol is not at the bottom of the list, move it there. Moving it ensures that more well-defined traffic is not mistakenly classified as this generic traffic.
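The two behaviours the procedure depends on, first-match protocol ordering and stream sampling, can be seen in the following constructed simulation. This is an added example, not Symantec Data Loss Prevention code: the `Protocol` class, the `parse_port_range`, `classify` and `inspected_streams` helpers, the hypothetical well-defined protocol on port 8080, and the assumption that a Sampling value of N means one stream in N is inspected are all illustrative choices made here.

```python
"""Constructed illustration of why a generic high-port protocol must sit last
in the protocol list and what a sampling value does to inspection load.
Not product code: names, the 1-in-N sampling semantics and the 8080 protocol
are assumptions for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def parse_port_range(spec: str) -> Set[int]:
    """Parse a Ports field such as '1025-36355' or '80,443,8080' into a set."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


@dataclass
class Protocol:
    name: str
    ports: Set[int]
    sampling: int = 1  # assumption: inspect 1 of every `sampling` matching streams
    seen: int = field(default=0, init=False)

    def matches(self, port: int) -> bool:
        return port in self.ports

    def take(self) -> bool:
        """Count a matching stream; return True if this one is inspected."""
        self.seen += 1
        return self.seen % self.sampling == 0


def classify(port: int, protocols: List[Protocol]) -> Optional[str]:
    """First protocol in list order whose port set contains `port` wins."""
    for proto in protocols:
        if proto.matches(port):
            return proto.name
    return None


def inspected_streams(port: int, count: int, protocols: List[Protocol]) -> Dict[str, int]:
    """Feed `count` streams on `port` through the list and report how many
    streams each protocol actually inspects after sampling."""
    result: Dict[str, int] = {}
    for _ in range(count):
        for proto in protocols:
            if proto.matches(port):
                if proto.take():
                    result[proto.name] = result.get(proto.name, 0) + 1
                break
    return result


# Constructed protocol definitions for the example.
GENERIC = Protocol("High port sampling", parse_port_range("1025-36355"), sampling=100)
ALT_HTTP = Protocol("HTTP on 8080 (hypothetical)", parse_port_range("8080"))

# Correct order: the well-defined protocol first, generic catch-all last.
CORRECT_ORDER = [ALT_HTTP, GENERIC]
# Wrong order: the generic protocol shadows the specific one for port 8080.
WRONG_ORDER = [GENERIC, ALT_HTTP]


if __name__ == "__main__":
    print("8080, correct order ->", classify(8080, CORRECT_ORDER))
    print("8080, wrong order   ->", classify(8080, WRONG_ORDER))
    print("1000 streams on 2000 ->", inspected_streams(2000, 1000, CORRECT_ORDER))
```

With the generic protocol last, a stream on 8080 is attributed to the specific protocol; with the generic protocol first, the same stream is swallowed by the catch-all and inspected only if it happens to fall in the 1-in-100 sample, which is exactly the misclassification the final step guards against. The sampling run shows that 1000 high-port streams produce only 10 inspected streams under this assumed semantics, which is the load reduction the Sampling value is meant to provide.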