RFC 3871           Operational Security Requirements      September 2004
      "desktop_outbound" applied to two different interfaces, say,
      "ethernet0" and "ethernet1", the display should indicate something
      like "matches of filter 'desktop_outbound' on ethernet0 ..." and
      "matches of filter 'desktop_outbound' on ethernet1 ..."
   Warnings.
      None.
2.9.5.  Ability to Reset Filter Counters
   Requirement.
      It MUST be possible to reset counters to zero on a per filter
      basis.
      For the purposes of this requirement it would be acceptable for
      the system to maintain two counters: an "absolute counter",
      C[now], and a "reset" counter, C[reset].  The absolute counter
      would maintain counts that increase monotonically until they wrap
      or overflow the counter.  The reset counter would receive a copy
      of the current value of the absolute counter when the reset
      function was issued for that counter.  Functions that display or
      retrieve the counter could then display the delta (C[now] -
      C[reset]).
   Justification.
      This allows operators to get a current picture of the traffic
      matching particular rules/filters.
   Examples.
      Assume that filter counters are being used to detect internal
      hosts that are infected with a new worm.  Once it is believed that
      all infected hosts have been cleaned up and the worm removed, the
      next step would be to verify that.  One way of doing so would be
      to reset the filter counters to zero and see if traffic indicative
      of the worm has ceased.
   Warnings.
      None.
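
   The two-counter scheme described in the Requirement above, as an
   added example (not part of the RFC text). The struct, function
   names and the "worm_probe" filter name are assumptions made for
   illustration; the sample counts are constructed. It shows that the
   delta stays correct when the absolute counter wraps after a reset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-filter, per-interface counter (all names are assumptions). */
struct filter_counter {
    const char *filter;     /* e.g. "desktop_outbound" */
    const char *interface;  /* e.g. "ethernet0" */
    uint32_t c_now;         /* absolute counter: only increases, may wrap */
    uint32_t c_reset;       /* copy of c_now taken at the last reset */
};

/* Record n matches; unsigned arithmetic wraps modulo 2^32. */
void counter_hit(struct filter_counter *c, uint32_t n) { c->c_now += n; }

/* "Reset to zero": snapshot the absolute counter instead of clearing it. */
void counter_reset(struct filter_counter *c) { c->c_reset = c->c_now; }

/* Displayed value, C[now] - C[reset]. Modular subtraction keeps the
 * result correct even if c_now has wrapped once since the reset. */
uint32_t counter_delta(const struct filter_counter *c) {
    return (uint32_t)(c->c_now - c->c_reset);
}

/* Reset all counters of one filter only; returns how many were reset. */
size_t reset_filter(struct filter_counter *tab, size_t n, const char *filter) {
    size_t done = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].filter, filter) == 0) { counter_reset(&tab[i]); done++; }
    return done;
}

int main(void) {
    /* Constructed sample state: counts accumulated before cleanup. */
    struct filter_counter tab[] = {
        {"worm_probe",       "ethernet0", 0xFFFFFFF0u, 0},
        {"worm_probe",       "ethernet1", 5000,        0},
        {"desktop_outbound", "ethernet0", 120,         0},
    };
    reset_filter(tab, 3, "worm_probe");   /* cleanup believed complete */
    counter_hit(&tab[0], 0x20);           /* new matches; c_now wraps */
    for (size_t i = 0; i < 3; i++)
        printf("matches of filter '%s' on %s: %u\n", tab[i].filter,
               tab[i].interface, (unsigned)counter_delta(&tab[i]));
    return 0;
}
```

   A non-zero delta on a reset filter, as on ethernet0 here, indicates
   that matching traffic has continued since the reset.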
Jones                        Informational                     [Page 46]