RFC 3871           Operational Security Requirements      September 2004
2.9.6.  Filter Counters Must Be Accurate
   Requirement.
      Filter counters MUST be accurate.  They MUST reflect the actual
      number of matching packets since the last counter reset.  Filter
      counters MUST be capable of holding up to 2^32 - 1 values without
      overflowing and SHOULD be capable of holding up to 2^64 - 1
      values.
   Justification.
      Inaccurate data can not be relied on as the basis for action.
      Underreported data can conceal the magnitude of a problem.
   Examples.
      If N packets matching a filter are sent to/through a device, then
      the counter should show N matches.
   Warnings.
      None.
2.10.  Other Packet Filtering Requirements
2.10.1.  Ability to Specify Filter Log Granularity
   Requirement.
      It MUST be possible to enable/disable logging on a per rule basis.
   Justification.
      The ability to tune the granularity of logging allows the operator
      to log only the information that is desired.  Without this
      capability, it is possible that extra data (or none at all) would
      be logged, making it more difficult to find relevant information.
   Examples.
      If a filter is defined that has several rules, and one of the
      rules denies telnet (tcp/23) connections, then it should be
      possible to specify that only matches on the rule that denies
      telnet should generate a log message.
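
   The following is an added example, not part of RFC 3871: it checks both requirements above on one concrete implementation, assuming Linux iptables and its `iptables-save -c` dump format. The sample dump, the expected packet counts, and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample in `iptables-save -c` format: "[packets:bytes] rule".
# Logging is per rule here: only the telnet (tcp/23) deny has a LOG rule.
SAMPLE = '''\
*filter
:INPUT ACCEPT [0:0]
[1500:90000] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[40:2400] -A INPUT -p tcp -m tcp --dport 23 -j LOG --log-prefix "deny-telnet: "
[40:2400] -A INPUT -p tcp -m tcp --dport 23 -j DROP
[7:420] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
'''

RULE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$')


def parse_rules(dump):
    """Return one dict per rule: chain, match text, target, packet count."""
    rules = []
    for line in dump.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # table names, chain policies, COMMIT
        pkts, _bytes, chain, spec = m.groups()
        args = shlex.split(spec)
        # Rules without a -j target (count-only rules) keep target None.
        j = args.index('-j') if '-j' in args else len(args)
        target = args[j + 1] if j + 1 < len(args) else None
        rules.append({'chain': chain, 'match': ' '.join(args[:j]),
                      'target': target, 'packets': int(pkts)})
    return rules


def audit(dump, sent):
    """sent maps a rule's match text to the N packets the test really sent.

    Returns (counter_errors, matches_that_log). A counter error is any rule
    whose counter differs from N, i.e. the counter is not accurate.
    """
    rules = parse_rules(dump)
    errors = [(r['match'], r['target'], sent[r['match']], r['packets'])
              for r in rules
              if r['match'] in sent and r['packets'] != sent[r['match']]]
    logged = sorted({r['match'] for r in rules if r['target'] == 'LOG'})
    return errors, logged
```

   Reset the counters before the test run so that each value reflects only the packets sent since the reset, as the requirement states.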
Jones                        Informational                     [Page 47]



