RFC 3871           Operational Security Requirements      September 2004
2.9.3.  Ability to Display Filter Counters per Rule
   Requirement.
      The device MUST provide a mechanism to display filter counters per
      rule.
   Justification.
      This makes it possible to see which rules are matching and how
      frequently.
   Examples.
      Assume that a filter has been defined that has two rules, one
      permitting all SSH traffic (tcp/22) and the second dropping all
      remaining traffic.  If three packets are directed toward/through
      the point at which the filter is applied, one to port 22, the
      others to different ports, then the counter display should show 1
      packet matching the permit tcp/22 rule and 2 packets matching the
      deny all others rule.
   Warnings.
      None.
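The counter display described in the example above, as an added Python simulation that is not part of RFC 3871 (the Rule and FilterApplication classes, rule names and interface names are assumptions); it also keeps a separate counter set for each point at which the same filter is applied, going one step beyond this section:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto) and
                (self.dport is None or pkt["dport"] == self.dport))

class FilterApplication:
    """One application of a named filter at one point (an interface here).
    Each application keeps its own per-rule counters, so the same filter
    definition applied on two interfaces reports which instance matched."""
    def __init__(self, filter_name: str, rules: List[Rule], applied_to: str):
        self.filter_name, self.rules, self.applied_to = filter_name, rules, applied_to
        self.counters: Dict[str, int] = {r.name: 0 for r in rules}

    def process(self, pkt: dict) -> str:
        # First-match semantics: the hit is counted on the first matching rule
        for rule in self.rules:
            if rule.matches(pkt):
                self.counters[rule.name] += 1
                return rule.action
        return "deny"  # assumed implicit deny; the RFC text does not specify this

    def display(self) -> Dict[Tuple[str, str, str], int]:
        # Counter display keyed by (interface, filter name, rule name)
        return {(self.applied_to, self.filter_name, r): n for r, n in self.counters.items()}

# The two-rule filter from the example: permit tcp/22, drop everything else
SSH_ONLY = [Rule("permit-tcp-22", "permit", proto="tcp", dport=22),
            Rule("deny-all", "deny")]

def per_rule_counters() -> Dict[str, int]:
    """The example's three packets: one to port 22, two elsewhere (constructed)."""
    app = FilterApplication("ssh-only", SSH_ONLY, "eth0")
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 80},
                {"proto": "udp", "dport": 53}):
        app.process(pkt)
    return app.counters  # {"permit-tcp-22": 1, "deny-all": 2}

def per_application_counters() -> Dict[Tuple[str, str, str], int]:
    """Same filter applied on eth0 and eth1; only eth1 sees SSH (constructed traffic)."""
    eth0 = FilterApplication("ssh-only", SSH_ONLY, "eth0")
    eth1 = FilterApplication("ssh-only", SSH_ONLY, "eth1")
    eth0.process({"proto": "tcp", "dport": 443})
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 22}):
        eth1.process(pkt)
    return {**eth0.display(), **eth1.display()}
```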
2.9.4.  Ability to Display Filter Counters per Filter Application
   Requirement.
      If it is possible for a filter to be applied more than once at the
      same time, then the device MUST provide a mechanism to display
      filter counters per filter application.
   Justification.
      It may make sense to apply the same filter definition
      simultaneously more than one time (to different interfaces, etc.).
      If so, it would be much more useful to know which instance of a
      filter is matching than to know that some instance was matching
      somewhere.
   Examples.
      One way to implement this requirement would be to have the counter
      display mechanism show the interface (or other entity) to which
      the filter has been applied, along with the name (or other
      designator) for the filter.  For example if a filter named
Jones                        Informational                     [Page 45]