Monitoring for high port incidents

In some organizations, firewalls allow connections from high-port applications such as peer-to-peer (p2p) clients. This traffic can use any port and is often interspersed with a large amount of random-looking data. To identify potential areas for investigation without overwhelming the Server with traffic, you can create a sampling protocol: a catch-all protocol that matches every high port but passes only a fraction of the matching streams on for inspection.
To create a sampling protocol
  1. Select System > Settings > Protocols from the navigation bar.
  2. Click Add Protocol.
  3. Enter a name for the protocol in the Name field.
  4. In the Recognition section of the page, enter the following into the Ports field:
     1025-65535
     This entry instructs the protocol to match traffic on any high port, that is, every port above the well-known range (0-1023) and the first dynamic port (1024), up to the highest possible TCP/UDP port number, 65535.
  5. In the Filtering section of the page, enter the following into the Sampling field:
     100
     This value reduces the number of streams that Symantec Data Loss Prevention creates and inspects for this protocol to a sample of the matching traffic (one stream in every 100). Adjust this number based on the server's ability to process the additional traffic in a timely fashion: a lower value inspects a larger share of the high-port streams, a higher value a smaller share.
  6. Click Save.
  7. Look for the new protocol at the end of the protocol list. If the protocol is not at the bottom of the list, move it there. Protocols are matched in list order, and this protocol's port range overlaps every other protocol that uses a port above 1024, so placing it last ensures that traffic for a more specifically defined protocol (for example, HTTP on port 8080) is classified as that protocol rather than as this generic high-port traffic.
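The ordering and sampling behaviour described in this procedure can be illustrated with a small model. The following Python is an added example, not Symantec code and not the product's matching engine: it models an ordered protocol list with a trailing high-port catch-all and per-protocol sampling, and shows what changes when the catch-all is placed first. The protocol names, port sets and traffic mix are constructed for the example, and the sampling semantics (inspect one stream in every N that match) are an assumption about the product's exact behaviour.

```python
"""Toy model of ordered protocol matching with per-protocol sampling.

Added example, not Symantec code. It models how an ordered protocol list
with a trailing high-port catch-all behaves, to show why the catch-all must
come last and what a Sampling value does to inspection volume.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PORT = 65535  # highest possible TCP/UDP port number


@dataclass(frozen=True)
class Protocol:
    name: str
    ports: frozenset      # destination ports the protocol recognizes
    sampling: int = 1     # inspect one stream in every `sampling` matches (assumed semantics)


def parse_ports(spec: str) -> frozenset:
    """Parse a Ports field such as "80,8080-8090,1025-65535" into a set of ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 <= lo_i <= hi_i <= MAX_PORT):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return frozenset(ports)


def first_match(protocols: List[Protocol], dst_port: int) -> Optional[Protocol]:
    """Protocols are tried in list order; the first one whose ports match wins."""
    for proto in protocols:
        if dst_port in proto.ports:
            return proto
    return None


def classify(protocols: List[Protocol], streams: List[int]) -> Dict[str, Tuple[int, int]]:
    """Return {protocol name: (streams matched, streams inspected)}.

    Each stream is represented by its destination port. Sampling is modelled
    as "every N-th stream that matches a protocol is inspected".
    """
    matched = {p.name: 0 for p in protocols}
    inspected = {p.name: 0 for p in protocols}
    for dst in streams:
        proto = first_match(protocols, dst)
        if proto is None:
            continue  # no protocol claims this port; nothing is created
        matched[proto.name] += 1
        if matched[proto.name] % proto.sampling == 0:
            inspected[proto.name] += 1
    return {name: (matched[name], inspected[name]) for name in matched}


# Constructed traffic (not captured data): 30 HTTP streams on port 80,
# 20 HTTP streams on the high port 8080, then 200 peer-to-peer streams
# spread over high ports 10000-59750.
SAMPLE_STREAMS = [80] * 30 + [8080] * 20 + [10000 + i * 250 for i in range(200)]

# Hypothetical protocol definitions: a specific HTTP protocol and the
# high-port sampling protocol from the procedure (1025-65535, Sampling 100).
HTTP = Protocol("HTTP", parse_ports("80,8080"))
HIGH_PORT = Protocol("High Port Sampling", parse_ports("1025-65535"), sampling=100)


def catch_all_last() -> Dict[str, Tuple[int, int]]:
    """Correct placement: the catch-all is the last protocol in the list."""
    return classify([HTTP, HIGH_PORT], SAMPLE_STREAMS)


def catch_all_first() -> Dict[str, Tuple[int, int]]:
    """Wrong placement: the catch-all precedes HTTP and swallows HTTP on 8080."""
    return classify([HIGH_PORT, HTTP], SAMPLE_STREAMS)


if __name__ == "__main__":
    for label, result in (("catch-all last", catch_all_last()),
                          ("catch-all first", catch_all_first())):
        print(label)
        for name, (m, i) in result.items():
            print(f"  {name:20s} matched={m:4d} inspected={i:4d}")
```

With the catch-all last, all 50 HTTP streams (including the 20 on port 8080) are classified as HTTP and inspected in full, while the 200 peer-to-peer streams yield only 2 inspected streams. With the catch-all first, the 20 HTTP-on-8080 streams are absorbed into the high-port protocol, where the sampling rate means they are effectively never inspected; that is the misclassification the last step of the procedure guards against.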