Intrusion Prevention System (IPS/IDS) configuration

IPS/IDS general commands

description

This command changes the description.

The use of a negative form (no) of the command removes description.

Syntax

description <DESCRIPTION>

no description

Parameters

<DESCRIPTION> – description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-IPS-CATEGORY

CONFIG-IPS-CATEGORY-RULE

CONFIG-IPS-CATEGORY-RULE-ADVANCED

CONFIG-IPS-POLICY

CONFIG-IPS-UPGRADE-USER-SERVER

CONFIG-CONTENT-PROVIDER

Example

esr(config-ips-upgrade-user-server)# description "Etnetera aggressive IP blacklist"

enable

This command activates the IPS/IDS service and its rules.

The use of a negative form (no) of the command deactivates the IPS/IDS service.

Syntax

[no] enable

Parameters

The command does not contain parameters.

Default value

IPS/IDS service is not activated.

Required privilege level

15

Command mode

CONFIG-IPS

CONFIG-IPS-CATEGORY-RULE

CONFIG-IPS-CATEGORY-RULE-ADVANCED

CONFIG-CONTENT-PROVIDER

Example

esr(config-ips)# enable

show security ips content-provider

This command allows to view information about updates of IPS/IDS rules distributed under a commercial license.

Syntax

show security ips content-provider

Required privilege level

10

Command mode

ROOT

Example

esr# show security ips content-provider 
 Server: content-provider
 		Last MD5 of received files:        93633ab9a73248ea50d58c25b1ac806c
 		Next update: 06 October 2020 12:27:40

show security ips content-provider rules-info

This command allows to view information about categories of IPS/IDS rules available under the current commercial license. If there is no valid license, the list will be empty.

Syntax

show security ips content-provider rules-info

Required privilege level

10

Command mode

ROOT

Example

esr# show security ips content-provider rules-info 
Vendor : kaspersky
    Category : IoTURLsDF
        Count of rules : 8000
        Description : Kasperksy Lab IoTURLsDF feed
		      IoTURLsDF URL feed - a set of URLs with context covering malware that infects IoT (Internet of Things) devices
    Category : MaliciousHashDF
        Count of rules : 1
        Description : Kasperksy Lab MaliciousHashDF feed
		      Malicious Hash feed - a set of hashes of malicious objects
    Category : PhishingURLsDF
        Count of rules : 11167
        Description : Kasperksy Lab PhishingURLsDF feed
		      Phishing URL feed - a set of URLs with context that cover phishing websites and web pages

show security ips counters

This command scans IPS/IDS service counters.

Syntax

show security ips counters

Required privilege level

10

Command mode

ROOT

Example

esr# show security ips counters
TCP flows processed : 34687
Alerts generated : 456
Blocked by ips engine : 78
Accepted by ips engine : 1356436

show security ips user-server

This command allows to view information about IPS/IDS rule updates from user update servers.

Syntax

show security ips user-server [<WORD>]

Parameters

<WORD> – server name, specified by the string from 1 to 64 characters long.

Required privilege level

10

Command mode

ROOT

Example

esr# sh security ips user-server 
Server name                        Files MD5                          Next update                        
--------------------------------   --------------------------------   --------------------------------   
content-provider                   93633ab9a73248ea50d58c25b1ac806c   06 October 2020 12:27:40           
TH                                 919f51bdf44052bfc0953362aef11c0d   06 October 2020 12:36:40           
Traffic-ID                         e5e2f6472a397227c0d96f5df430a207   06 October 2020 12:36:40           
Aggressive                         cfc3547b50f3f9fec366ba5a1e51cd1f   06 October 2020 12:36:40           
JA3-Fingerprint                    439aa6e57c66826b92337672937d505b   05 October 2020 16:51:40           
C2-Botnet                          39e118bd3884b3dc1df4ca3a03c05df1   05 October 2020 16:51:40           
SSL-BlackList                      1d9c969f25791b9ee8c8c0ab8449d849   05 October 2020 16:51:40           
ET-Open                            d53d92248a1f7cdc040d669a76cf27bc   06 October 2020 12:36:40    

update security ips content-provider rules

This command initiates a forced update of IPS/IDS rules distributed under a commercial license.

The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.

Syntax

update security ips content-provider rules

Required privilege level

15

Command mode: update security ips content-provider rules

ROOT

Example

esr# update security ips content-provider rules

update security ips content-provider rules-info

This command initiates a forced request for information about categories of IPS/IDS rules available under the current commercial license.

The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.

Syntax

update security ips content-provider rules-info

Required privilege level

15

Command mode

ROOT

Example

esr# update security ips content-provider rules-info

update security ips user-server rules

This command initiates a forced update of IPS/IDS rules from the user update server.

The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.

Syntax

update security ips user-server rules <WORD>

Parameters

<WORD> – server name, specified by the string from 1 to 64 characters long.

Required privilege level

15

Command mode

ROOT

Example

esr# update security ips user-server rules ET-Open

IPS/IDS policy configuration

category

This command specifies the category of IPS/IDS rules of a particular vendor, distributed under a commercial license, and enters the configuration mode for that category

The use of a negative form (no) of the command removes the configured category from the IPS/IDS service settings.

Syntax

category <CATEGORY>

no category { <CATEGORY> | all }

Parameters

<CATEGORY> – rule category. 

You can see the list of available categories in the context tooltip or with a command:

show security ips content-provider rules-info

Required privilege level

15

Command mode

CONFIG-IPS-VENDOR

Example

esr(config-ips-vendor)# category MobileBotnetCAndCDF

external network-group

This command sets the IP address profile, which the IPS/IDS service will consider unreliable.

The IP address profile must be pre-created.

The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.

Syntax

external network-group <OBJ-GROUP-NETWORK-NAME>

no external network-group

Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IPS-POLICY

Example

esr(config-ips-policy)# external network-group WAN

protect network-group

This command sets the IP address profile that the IPS/IDS service will protect.

The IP address profile must be pre-created.

The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.

Syntax

protect network-group <OBJ-GROUP-NETWORK-NAME>

no protect network-group

Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IPS-POLICY

Example

esr(config-ips-policy)# protect network-group LAN

rules action

The command specifies the action that should be applied for the traffic meeting rules of this category.

The use of a negative form (no) of the command removes an assigned action.

The command applies only to rules distributed under a commercial license.

Syntax

rules action { alert | reject | pass | drop }

no rules action

Parameters:

• alert – traffic is allowed and the IPS/IDS service generates a message;
• reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recepient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
• pass – traffic transfer is permitted;
• drop – traffic is prohibited and the IPS/IDS service generates a message.

Required privilege level

15

Command mode

CONFIG-IPS-VENDOR-CATEGORY

Example

esr(config-ips-vendor-category)# rules action drop

rules count

This command specifies the effective number of rules of a given category that the IPS/IDS system will operate with

The use of a negative form (no) of the command removes an assigned action.

The command applies only to rules distributed under a commercial license.

Syntax

rules count <COUNT>

no rules count

Parameters:

<COUNT> – number of rules. The minimum value is 1, the maximum value depends on the category of rules.

The maximum number of rules by category can be seen in the context hint or with the command:

show security ips content-provider rules-info

Required privilege level

15

Command mode

CONFIG-IPS-VENDOR-CATEGORY

Example

esr(config-ips-vendor-category)# rules count 8000

security ips policy

This command creates an IPS/IDS service settings policy with a specific name and switches to the policy configuration mode.

The use of a negative form (no) of the command removes the configured policy of the IPS/IDS service settings.

Syntax

[no] security ips policy <POLICY_NAME>

Parameters

<POLICY_NAME> – IPS/IDS service policy name, specified by a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example

esr(config)# security ips policy OFFICE

vendor

This command identifies the vendor of IPS/IDS rules distributed under a commercial license and enters the configuration mode for that vendor.

The use of a negative form (no) of the command removes the configured vendor from the IPS/IDS service settings.

Syntax

vendor <VENDOR>

no vendor <CATEGORY>

Parameters

<VENDOR> – rule vendor. 

You can see the list of available vendors in the context tooltip or with a command:

show security ips content-provider rules-info

Required privilege level

15

Command mode

CONFIG-IPS-POLICY

Example

esr(config-ips-policy)# vendor kaspersky

IPS configuration

logging ips severity

This command sets the message severity level for logging IPS/IDS events.
The use of a negative form (no) of the command sets the default value.

Syntax

logging ips severity <SEVERITY>

no logging ips severity

Parameters

<SEVERITY> – message importance level, takes values (in order of decreasing importance):

• emerg – critical error has occurred in the system, the system is not operational;
• alert – alarms, immediate intervention by staff;
• crit – critical system status, event reporting;
• error – error messages;
• warning – warnings, non-emergency messages;
• notice – messages about important system events;
• info – system information messages;
• debug – debugging messages provide the user with information to correctly configure the system;
• none – disables the output of syslog messages to the console. 

Default value

info

Required privilege level

15

Command mode

CONFIG

Example

esr(config)# logging ips severity error

logging storage-path

This command sets the name and path of the directory on the external drive to which the log files of the IPS/IDS service in the EVE format (elasticsearch) will be written.

The use of a negative form (no) of the command stops recording log files.

Syntax

logging storage-path <PATH>

no logging storage-path

Parameters

<PATH> – the name and path of the directory on the external drive in format of:

usb://usb_name:/[FILE]/
mmc://mmc_name:/[FILE]/

Required privilege level

15

Command mode

CONFIG-IPS

Example

esr(config-ips)# logging storage-path usb://DATA/Log/

security ips

This command creates an IPS/IDS service profile and switch to its configuration mode.

Syntax

security ips

Required privilege level

15

Command mode

CONFIG

Example

esr(config)# security ips

performance max

This command allows the IPS/IDS service to use all of the device’s resources for maximum performance. It is recommended to use when the device is used exclusively as IPS/IDS. It is not recommended to use when, in addition to IPS/IDS, the device performs other functions (routing, BRAS, etc.).

The use of a negative form (no) of the command frees up part of the device’s resources for use by other services.

Syntax

[no] performance max

Required privilege level

15

Command mode

CONFIG-IPS

Example

esr(config-ips)# perfomance max

policy

This command assigns the previously created IPS/IDS service settings policy.

The use of a negative form (no) of the command removes the assigned policy of the IPS/IDS service settings.

Syntax

policy <POLICY_NAME>

no policy

Parameters

<POLICY_NAME> – IPS service policy name, specified by a string of up to 32 characters.

Required privilege level

15

Command mode

CONFIG-IPS

Example

esr(config-ips)# policy OFFICE

service-ips enable

This command is used to enable the IPS/IDS service on the network interface.

The use of a negative form (no) of the command disables the IPS/IDS service on the network interface.

Syntax

[no] service-ips enable

Required privilege level

15

Command mode

CONFIG-GI

CONFIG-TE

CONFIG-SUBIF

CONFIG-QINQ-IF

CONFIG-PORT-CHANNEL

CONFIG-BRIDGE

Example

esr(config-if-gi)# service-ips enable

Configuring auto-updating of IPS/IDS rules distributed under a commercial license

content-provider

This command switches to the configuration mode of the source of rule updates distributed under a commercial license.

Syntax

content-provider

Required privilege level

15

Command mode

CONFIG

Example

esr(config)# content-provider

host address

This command specifies the address of the server for rule updates distributed under a commercial license.

Syntax

host address { <ADDR> | <IPV6-ADDR> | <HOSTNAME> }

Parameters

<ADDR> – device IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – device IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<HOSTNAME> – user DNS name, set by the string of up to 255 characters;

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example

esr(config-content-provider)# host address edm.eltex-co.ru

host port

This command specifies the TCP port number of the server for rule updates distributed under a commercial license.

Syntax

host port <PORT> 

Parameters

<PORT> – TCP port number, may take values [1..65535];

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example

esr(config-content-provider)# host port 8098

reboot

This command sets the time to reboot the device when the system license is received. The device reboots the first time it connects to a commercially licensed rule update server.

If you have an already operating IPS/IDS license, there is no reboot.

Syntax

reboot { immediately | time <TIME> } 

Parameters

immediately – reboot immediately after receiving a license;

time <TIME> – restart at a specified time <TIME>;

<TIME> – reboot time in format of HH:MM:SS.

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example

esr(config-content-provider)# reboot time 05:00:00

storage-device

This command specifies the name of the external drive on which encrypted IPS/IDS rules distributed under a commercial license will be stored.

The use of a negative form (no) of the command stops rule saving.

Syntax

storage-device <PATH>

no storage-device

Parameters

<PATH> – name of external drive in format of:

usb://usb_name:/
mmc://mmc_name:/

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example

esr(config-content-provider)# storage-device usb://DATA

upgrade interval

The command specifies the frequency with which the device will check for updates of IPS/IDS rules distributed under a commercial license.

The use of a negative form (no) of the command sets the default value.

Syntax

upgrade interval <HOURS>

no upgrade interval

Parameters

<HOURS> – update interval in hours, from 1 to 240.

Default value

24

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example

esr(config-content-provider)# upgrade interval 36

Configuration of IPS/IDS rules autoupdate from external sources

auto-upgrade

This command switches to the configuration mode of the sources of rule updates for the service.

Syntax

auto-upgrade

Required privilege level

15

Command mode

CONFIG-IPS

Example

esr(config-ips)# auto-upgrade

upgrade interval

This command sets the frequency with which the device will check for the updates for IPS/IDS rules and/or IPS/IDS classifier file for this url.

The use of a negative form (no) of the command sets the default value.

Syntax

upgrade interval <HOURS>

no upgrade interval

Parameters

<HOURS> – update interval in hours, from 1 to 240.

Default value

24

Required privilege level

15

Command mode

CONFIG-IPS-UPGRADE-USER-SERVER

Example

esr(config-ips-upgrade-user-server)# upgrade interval 36

url

The command specifies URL link.

The use of a negative form (no) of the command removes the link from the IPS/IDS rule update source configuration.

Syntax

url <URL>

no url

Parameters

<URL> – text field containing URL link of 8-255 characters length.

As an URL-links can be specified:

• rule file with the .rule extension.
• rule classifier file named classification.config
• directory on the server containing rule files and/or rule classifier file.

Required privilege level

15

Command mode

CONFIG-IPS-UPGRADE-USER-SERVER

Example

esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/

user-server

This command sets the name of the user IPS/IDS rule update server and switches to the configuration mode of the user update server settings.

The use of a negative form (no) of the command removes the user IPS/IDS rule update server and all the rules received from this server.

Syntax

user-server <WORD>

no user-server { <WORD> | all }

Parameters

<WORD> – server name, specified by the string from 1 to 64 characters long.

Required privilege level

15

Command mode

CONFIG-IPS-AUTO-UPGRADE

Example

esr(config-ips-auto-upgrade)# user-server ET-Open

User IPS/IDS rules configuration

action

The command specifies the action that should be applied for the traffic meeting this requirements.

The use of a negative form (no) of the command removes an assigned action.

Syntax

action { alert | reject | pass | drop }

no action

Parameters:

• alert – traffic is allowed and the IPS/IDS service generates a message;
• reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recepient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
• pass – traffic transfer is permitted;
• drop – traffic is prohibited and the IPS/IDS service generates a message.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# action reject

destination-address

The command sets destination IP addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax

destination-address { ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }

no destination-address

Parameters

<ADDR> – receiver IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

<OBJ_GR_NAME> – name of IP addresses profile that contains destination IP address, set by the string of up to 31 characters;

destination-address policy-object-group protect – sets protect addresses defined in IPS/IDS policy as destination addresses;

destination-address policy-object-group external – sets external addresses defined in IPS/IDS policy as destination addresses;

When specifying the 'any' value, the rule will be triggered for any source IP address.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# destination-address ip 10.10.10.1

destination-port

The command sets the number of source TCP/UDP port for which the rule should work.

The use of a negative form (no) of the command removes the assignment.

Syntax

destination-port { any | <PORT> | object-group <OBJ-GR-NAME> }

no destination-port

Parameters

<PORT> – number of destination TCP/UDP port, takes values of [1..65535];

<OBJ_GR_NAME> – recepient TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# destination-port 22

direction

This command sets traffic direction for which the rule should be triggered.

The use of a negative form (no) of the command removes the assignment.

Syntax

direction { one-way | round-trip }

no direction

Parameters

• one-way – traffic is transmitted in one direction;
• round-trip – traffic is transmitted in both directions.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# direction one-way

ip dscp

This command sets the value of the DSCP code, the traffic of which will be processed in this rule.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip dscp <DSCP>

[no] ip dscp

Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip dscp 8

ip ftp command

This command sets the FTP keyword values for which the rule should be triggered.

This command is applicable only for protocol ftp value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip ftp command <COMMAND>

[no] ip ftp command

Parameters

<COMMAND> – can take the following values:

• <retr> – download file;
• <stor> – upload file;
• <mkd> – create directory;
• <rmd> – remove directory;
• <appe> – add to the end of the file (with creation);
• <allo> – allocate space on disk;
• <dele> – delete file.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# protocol ftp
esr(config-ips-category-rule)# ip ftp command allo

ip ftp-data command

This command sets the FTP-DATA keyword values for which the rule should be triggered.

This command is applicable only for protocol ftp-data value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip ftp-data command <COMMAND>

[no] ip ftp-data command

Parameters

<COMMAND> – can take the following values:

• <retr> – download file;
• <stor> – upload file;
• <appe> – add to the end of the file (with creation).

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# protocol ftp-data
esr(config-ips-category-rule)# ip ftp-data command stor

ip http

This command sets the HTTP keyword values for which the rule should be triggered.

This command is applicable only for protocol http value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip http <COMMAND>

[no] ip http

Parameters

<COMMAND> – can take the following values:

• accept;
• accept-enc;
• accept-lang;
• client-body;
• connection;
• content-len;
• content-type;
• cookie;
• file-data;
• header;
• header-names;
• host;
• protocol;
• referer;
• request-line;
• response-line;
• server-body;
• start;
• stat-code;
• stat-msg;
• uri;
• urilen <VALUE>;
• urilen comparison-operator { greater-than | less-than};
• user-agent.

The values and application of the HTTP keywords are detailed described in the SNORT 2.X/Suricata 4.X documentation.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload content «HTTP/1.0»
esr(config-ips-category-rule)# ip http protocol

ip http content-filter

This command is used to assign a content filtering category profile. The current rule will be triggered for http sites that belong to the categories set in this profile.

The content filtering profile must be pre-created.

This command is applicable only for protocol http value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip http content-filter <NAME>

[no] ip http content-filter

Parameters

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

any – rule will trigger for http sites of any category.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip http content-filter Black-List

ip http method

This command sets the values of the http access method for which the rule should be triggered.

This command is applicable only for protocol http value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip http method <COMMAND>

[no] ip http method

Parameters

<COMMAND> – can take the following values:

• <GET> – requests a resource submission. Requests using this method can only retrieve data;
• <HEAD> – requests the resource in the same way as the GET method, but without the response body;
• <POST> – is used to send subjects to a specific resource;
• <PUT> – replaces all current resource views with request data;
• <DELETE> – deletes the specified resource;
• <CONNECT> – establishes a «tunnel» to the server defined by the resource;
• <OPTIONS> – used to describe the parameters of the connection to the resource;
• <TRACE> – performs a call of the returned test message from the resource;
• <PATCH> – used to partially modify the resource.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip http method get

ip icmp code

This command sets the ICMP CODE value at which the rule will be triggered.

This command is applicable only for protocol icmp value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip icmp code <CODE>

[no] ip icmp code

Parameters

<CODE> – ICMP CODE value, takes a value in the range [0..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip icmp code 5

ip icmp code comparison-operator

Comparison operator for ip icmp code command. Applicable only in conjunction with this command.

The use of a negative form (no) of the command cancels the comparison.

Syntax

ip icmp code comparison-operator { greater-than | less-than }

[no] ip icmp code comparison-operator

Parameters

• greater-than – greater than;
• less-than – less than.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip icmp code 5
esr(config-ips-category-rule)# ip icmp code comparison-operator less-than

ip icmp id

This command sets the ICMP ID value at which the rule will be triggered.

This command is applicable only for protocol icmp value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip icmp id <ID>

[no] ip icmp id

Parameters

<ID> – ICMP ID value, takes a value in the range [0..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip icmp id 65000

ip icmp sequence-id

This command sets the ICMP sequence-ID value at which the rule will be triggered.

This command is applicable only for protocol icmp value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip icmp sequence-id <SEQ-ID>

[no] ip icmp sequence-id

Parameters

<SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip icmp sequence-id 8388608

 ip icmp type

This command sets the ICMP TYPE value at which the rule will be triggered.

This command is applicable only for protocol icmp value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip icmp type <TYPE>

[no] ip icmp type

Parameters

<TYPE> – ICMP TYPE value, takes a value in the range [0..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip icmp type 12

ip icmp type comparison-operator

Comparison operator for ip icmp type command. Applicable only in conjunction with this command.

The use of a negative form (no) of the command cancels the comparison.

Syntax

ip icmp type comparison-operator { greater-than | less-than }

[no] ip icmp type comparison-operator

Parameters

• greater-than – greater than;
• less-than – less than.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip icmp type 14
esr(config-ips-category-rule)# ip icmp code comparison-operator greater-than

ip protocol-id

This command sets the IP identification number, the traffic of which will be processed in this rule.

This command is applicable only for protocol any value.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip protocol-id <ID>

[no] ip protocol-id

Parameters

<ID> – IP identification number [1..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip protocol-id 250

ip tcp acknowledgment-number

This command sets the TCP Acknowledgment-Number at which the rule will be triggered.

This command is applicable only for protocol tcp value

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip tcp acknowledgment-number <ACK-NUM>

[no] ip tcp acknowledgment-number

Parameters

<ACK-NUM> – TCP Acknowledgement-Number value, takes a value in the range [0..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip tcp acknowledgment-number 32

ip tcp sequence-id

This command sets the TCP Sequence-ID value at which the rule will be triggered.

This command is applicable only for protocol tcp value

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip tcp sequence-id <SEQ-ID>

[no] ip tcp sequence-id

Parameters

<SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip tcp sequence-id 2542

ip tcp window-size

This command sets the TCP Window Size at which the rule will be triggered.

This command is applicable only for protocol tcp value

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip tcp window-size <SIZE>

[no] ip tcp window-size

Parameters

<SIZE> – TCP Window-Size value, takes a value in the range [1..65535]

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip tcp window-size 50

ip ttl

This command sets the value of the IP packet lifetime, the traffic of which will be processed in this rule.

The use of a negative form (no) of the command cancels the assignment.

Syntax

ip ttl <TTL>

[no] ip ttl

Parameters

<TTL> – IP packet life time, takes value in the range of [1..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip ttl 8

ip ttl comparison-operator

Comparison operator for ip ttl command. Applicable only in conjunction with this command.

The use of a negative form (no) of the command cancels the comparison.

Syntax

ip ttl comparison-operator { greater-than | less-than }

[no] ip ttl comparison-operator

Parameters

• greater-than – greater than;
• less-than – less than.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# ip ttl 5
esr(config-ips-category-rule)# ip ttl comparison-operator less-than

meta classification-type

This command defines the classification of the event that the IPS/IDS service will generate when the rule will be triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax

meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | successful-recon-limited | successful-recon-largescale | attempted-dos | successful-dos | attempted-user | unsuccessful-user | successful-user | attempted-admin | successful-admin | rpc-portmap-decode | shellcode-detect | string-detect | suspicious-filename-detect | suspicious-login | system-call-detect | tcp-connection | trojan-activity | unusual-client-port-connection | network-scan | denial-of-service | non-standard-protocol | protocol-command-decode | web-application-activity | web-application-attack | misc-activity | misc-attack | icmp-event | inappropriate-content | policy-violation | default-login-attempt }

[no] meta classification-type

Parameters

• not-suspicious – not suspicious traffic;
• unknown – unknown traffic;
• bad-unknown – potentially bad traffic;
• attempted-recon – information leak attempt;
• successful-recon-limited – information leak;
• successful-recon-largescale – large-scale information leak;
• attempted-dos – denial of service attempt;
• successful-dos – denial of service;
• attempted-user – attempt to obtain user privileges;
• unsuccessful-user – unsuccessful attempt to obtain user privileges;
• successful-user – successful attempt to obtain user privileges;
• successful-admin – successful attempt to obtain admin privileges;
• successful-admin – successful attempt to obtain admin privileges;
• rpc-portmap-decode – RPC request decoding;
• shellcode-detect – executable code detected;
• string-detect – suspicious string detected;
• suspicious-filename-detect – suspicious filename was detected;
• suspicious-login – attempt to log in using a suspicious username was deteceted;
• system-call-detect – system call was detected;
• tcp-connection – TCP connection was detected;
• trojan-activity – network Trojan was detected;
• unusual-client-port-connection – the client used an unusual port;
• network-scan – network scan was detected;
• denial-of-service – denial of service attack was detected;
• non-standard-protocol – custom protocol or event was detected;
• protocol-command-decode – encryption attempt was detected;
• web-application-activity – access to a potentially vulnerable web application;
• web-application-attack – attack on web application;
• misc-activity – other activity;
• misc-attack – other attacks;
• icmp-event – general ICMP event;
• inappropriate-content – inappropriate content was detected;
• policy-violation – potential breach of corporate privacy;
• default-login-attempt – login attempt using a standard login/password.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# meta classification-type misc-attack

meta log-message

This command defines the text message that the IPS/IDS service will generate when the rule will be triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax

meta log-message <MESSAGE>

[no] mera log-message

Parameters

<MESSAGE> –  text message, specified by a string of up to 128 characters.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# meta log-message «Possible SlowLorys attack»

payload content

This command specifies the contents of IP packets, if matched, the rule will be triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax

payload content <CONTENT>

[no] payload content <CONTENT>

Parameters

<CONTENT> – text message, specified by a string of up to 1024 characters.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload content «virus»

payload data-size

This command sets the packet content size at which the rule will be triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax

payload data-size <SIZE>

[no] payload data-size

Parameters

<SIZE> – packet content size, takes values in the range of [1..65535]

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload data-size 1024

payload data-size comparison-operator

Comparison operator for ip icmp type command. Applicable only in conjunction with this command.

The use of a negative form (no) of the command cancels the comparison.

Syntax

payload data-size comparison-operator { greater-than | less-than }

[no] payload data-size comparison-operator

Parameters

• greater-than – greater than;
• less-than – less than.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload data-size 1024
esr(config-ips-category-rule)# payload data-size comparison-operator less-than

payload depth

This command indicates how many bytes from the beginning of the packet contents will be checked by this rule. This command is used in conjunction with the payload content command only. It can be used in conjunction with the payload offset command.

The use of a negative form (no) of the command means that the entire contents of the package will be checked for exact compliance.

Syntax

payload depth <DEPTH>

[no] payload content depth

Parameters

<DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload content «abc»
esr(config-ips-category-rule)# payload depth 3

Packets with the contents of 'abcdef', 'abc123', 'abcabcabc', etc., will fall under the rule.

payload no-case

This command points not to distinguish uppercase and lowercase letters in the description of package contents. This command is used in conjunction with the payload content command only.

The use of a negative form (no) of the command cancels the assignment.

Syntax

payload no-case

[no] payload content no-case

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload content «virus»
esr(config-ips-category-rule)# payload no-case

Packets with the contents of 'virus', 'VIRUS', 'ViRuS', etc., will fall under the rule.

payload offset

This command specifies the number of offset bytes from the beginning of the contents of the packet from which the check will begin. This command is used in conjunction with the payload content command only. It can be used in conjunction with the payload depth command.

The use of a negative form (no) of the command means that the entire contents of the package will be checked for exact compliance.

Syntax

payload offset <OFFSET>

[no] payload content offset

Parameters

<OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1 .. 65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# payload content «abc»
esr(config-ips-category-rule)# payload depth 6
esr(config-ips-category-rule)# payload offset 3

Packets with the contents of '123abcdef', 'defabc', 'abcabcabc', etc., will fall under the rule.

protocol

The command sets name of IP for which the rule should work. The use of a negative form (no) of the command cancels the assignment.

Syntax

protocol { any | ip | icmp | http | tcp | udp }

[no] protocol

Parameters

• any – the rule will be triggered for any protocols;
• ip – the rule will be triggered for ip. You can configure additional filtering in the rule with the ip protocol-id command;
• icmp – the rule will be triggered for icmp. When this option is selected, the values of source-port and destination-port must be any. You can configure additional filtering in the rule with the ip icmp commands;
• http – the rule will be triggered for http. You can configure additional filtering in the rule with the ip http commands;
• tсp – the rule will be triggered for tсp. You can configure additional filtering in the rule with the ip tcp commands;
• udp – the rule will be triggered for udp. You can configure additional filtering in the rule with the ip udp commands;
• ftp – the rule will be triggered for ftp; You can configure additional filtering in the rule with the ip ftp commands;
• ftp-data – the rule will be triggered for ftp data field; You can configure additional filtering in the rule with the ip ftp-data commands;

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# protocol udp

rule

The command creates a rule and switches to CONFIG-IPS-CATEGORY-RULE configuration mode. The rules are proceeded by the device in number ascending order.

The use of a negative form (no) of the command removes a specified rule.

Syntax

[no] rule <ORDER>

Parameters

<ORDER>  – rule number, takes values of [1..512].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY

Example

esr(config-ips-category)# rule 10
esr(config-ips-category-rule)#

security ips-category user-defined

This command creates a set of IPS/IDS service user rules with a specific name and switches to the configuration mode of this set.

The use of a negative form (no) of the command removes the configured policy of the IPS service settings.

Syntax

[no] security ips-category user-defined <CATEGORY_NAME>

Parameters

<CATEGORY_NAME> – name of the set of IPS/IDS service user rules, specified by a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example

esr(config)# security ips-category user-defined PROTOCOL
esr(config-ips-category)#

source-address

The command sets source IP addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax

source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }

no source-address

Parameters

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.

destination-address policy-object-group protect – sets protect addresses defined in IPS/IDS policy as source addresses

destination-address policy-object-group external –sets external addresses defined in IPS/IDS policy as source addresses

When specifying the 'any' value, the rule will be triggered for any source IP address.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# source-address ip-prefix 192.168.0.0/16

source-port

The command sets the number of source TCP/UDP port for which the rule should work.

The use of a negative form (no) of the command removes the assignment.

Syntax

source-port { any | <PORT> | object-group <OBJ-GR-NAME> }

no source-port

Parameters

<PORT> – number of source TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# source-port 22

threshold count

This command specifies the threshold number of packets at which the rule will be triggered.

The use of a negative form (no) of the command removes the assignment.

Syntax

threshold count <COUNT>

[no] threshold count 

Parameters

<COUNT> – number of packets, takes values in the range of [1..65535]

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# threshold count 1024

threshold second

This command sets the time interval for which the threshold value is considered. packets at which the rule will be triggered. This command is used in conjunction with the threshold count command only.

The use of a negative form (no) of the command removes the assignment.

Syntax

threshold second <SECOND>

[no] threshold second

Parameters

<SECOND> – time interval in seconds, takes values in the range of [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# threshold second 1

threshold track

This command sets that packets for which threshold values are set will be considered at the address of the sender or recipient. This command is used in conjunction with the threshold count command only.

The use of a negative form (no) of the command removes the assignment.

Syntax

threshold track { by-src | by-dst }

[no] threshold track

Parameters

• by-src – read threshold value for packets with the same IP sender;
• by-dst – read threshold value for packets with the same IP recipient.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# threshold track by-src

threshold type

This command sets the threshold processing method. This command is used in conjunction with the threshold count command only.

The use of a negative form (no) of the command removes the assignment.

Syntax

threshold type { treshhold | limit | both }

[no] threshold type

Parameters

• threshold – display a message every time a threshold is reached;
• limit – issue a message no more than <COUNT> times per time interval <SECOND>;
• both – threshold and limit combination. A message will be generated if during the <SECOND> time interval there were <COUNT> or more packets matching the rule conditions, and the message will be sent only once during the time interval;

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example

esr(config-ips-category-rule)# threshold count 1024
esr(config-ips-category-rule)# threshold second 1
esr(config-ips-category-rule)# threshold track by-src
esr(config-ips-category-rule)# threshold type treshold

A message will be generated for every X*1025 packet arriving in 1 second from one IP address.

Extended user rules configuration

rule-advanced

The command creates a rule and switches to CONFIG-IPS-CATEGORY-RULE-ADVANCED configuration mode. The rules are proceeded by the device in number ascending order.

The use of a negative form (no) of the command removes a specified rule.

Syntax

[no] rule-advanced <ORDER>

Parameters

<ORDER> – rule number, takes values of [1..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE-ADVANCED

Example

esr(config-ips-category)# rule-advanced 10
esr(config-ips-category-rule-advanced)#

rule-text

This command describes the traffic processing rule in SNORT 2.X/Suricata 4.X format

The use of a negative form (no) of the command cancels the assignment.

Syntax

rule-text <LINE>

[no] rule-text

Parameters

<LINE> – text message in SNORT 2.X/Suricata 4.X format, specified by a string of up to 1024 characters.

When writing rules, the symbol '' needs to be replaced with the symbol '.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE-ADVANCED

Example

esr(config-ips-category-rule-advanced)# rule-text «alert tcp any any -> $HOME_NET any (msg: 'ATTACK [PTsecurity] Attempt to crash named using malformed RNDC packet'; flow: established, to_server; content:'_auth'; depth: 20; fast_pattern; content: !'|02 00 00 00|'; within: 4; content: '_ctrl'; content: '_ser'; content: '_tim'; content: '_exp'; reference: cve, 2016-1285; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10000005; rev: 3; )»