Intrusion Prevention System (IPS/IDS) configuration
IPS/IDS general commands
description
This command changes the description.
The use of a negative form (no) of the command removes the description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – description, set by the string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-IPS-CATEGORY
CONFIG-IPS-CATEGORY-RULE
CONFIG-IPS-CATEGORY-RULE-ADVANCED
CONFIG-IPS-POLICY
CONFIG-IPS-UPGRADE-USER-SERVER
CONFIG-CONTENT-PROVIDER
Example
esr(config-ips-upgrade-user-server)# description "Etnetera aggressive IP blacklist"
enable
This command activates the IPS/IDS service and its rules.
The use of a negative form (no) of the command deactivates the IPS/IDS service.
Syntax
[no] enable
Parameters
The command does not contain parameters.
Default value
The IPS/IDS service is not activated.
Required privilege level
15
Command mode
CONFIG-IPS
CONFIG-IPS-CATEGORY-RULE
CONFIG-IPS-CATEGORY-RULE-ADVANCED
CONFIG-CONTENT-PROVIDER
Example
esr(config-ips)# enable
show security ips content-provider
This command displays information about updates of IPS/IDS rules distributed under a commercial license.
Syntax
show security ips content-provider
Required privilege level
10
Command mode
ROOT
Example
esr# show security ips content-provider
Server: content-provider
Last MD5 of received files: 93633ab9a73248ea50d58c25b1ac806c
Next update: 06 October 2020 12:27:40
show security ips content-provider rules-info
This command displays information about the categories of IPS/IDS rules available under the current commercial license. If there is no valid license, the list is empty.
Syntax
show security ips content-provider rules-info
Required privilege level
10
Command mode
ROOT
Example
esr# show security ips content-provider rules-info
Vendor : kaspersky
Category : IoTURLsDF
Count of rules : 8000
Description : Kasperksy Lab IoTURLsDF feed
IoTURLsDF URL feed - a set of URLs with context covering malware that infects IoT (Internet of Things) devices
Category : MaliciousHashDF
Count of rules : 1
Description : Kasperksy Lab MaliciousHashDF feed
Malicious Hash feed - a set of hashes of malicious objects
Category : PhishingURLsDF
Count of rules : 11167
Description : Kasperksy Lab PhishingURLsDF feed
Phishing URL feed - a set of URLs with context that cover phishing websites and web pages
show security ips counters
This command displays the IPS/IDS service counters.
Syntax
show security ips counters
Required privilege level
10
Command mode
ROOT
Example
esr# show security ips counters
TCP flows processed : 34687
Alerts generated : 456
Blocked by ips engine : 78
Accepted by ips engine : 1356436
show security ips user-server
This command displays information about IPS/IDS rule updates from user update servers.
Syntax
show security ips user-server [<WORD>]
Parameters
<WORD> – server name, specified by the string from 1 to 64 characters long.
Required privilege level
10
Command mode
ROOT
Example
esr# sh security ips user-server
Server name Files MD5 Next update
-------------------------------- -------------------------------- --------------------------------
content-provider 93633ab9a73248ea50d58c25b1ac806c 06 October 2020 12:27:40
TH 919f51bdf44052bfc0953362aef11c0d 06 October 2020 12:36:40
Traffic-ID e5e2f6472a397227c0d96f5df430a207 06 October 2020 12:36:40
Aggressive cfc3547b50f3f9fec366ba5a1e51cd1f 06 October 2020 12:36:40
JA3-Fingerprint 439aa6e57c66826b92337672937d505b 05 October 2020 16:51:40
C2-Botnet 39e118bd3884b3dc1df4ca3a03c05df1 05 October 2020 16:51:40
SSL-BlackList 1d9c969f25791b9ee8c8c0ab8449d849 05 October 2020 16:51:40
ET-Open d53d92248a1f7cdc040d669a76cf27bc 06 October 2020 12:36:40
update security ips content-provider rules
This command initiates a forced update of IPS/IDS rules distributed under a commercial license.
The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.
Syntax
update security ips content-provider rules
Required privilege level
15
Command mode
ROOT
Example
esr# update security ips content-provider rules
update security ips content-provider rules-info
This command initiates a forced request for information about categories of IPS/IDS rules available under the current commercial license.
The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.
Syntax
update security ips content-provider rules-info
Required privilege level
15
Command mode
ROOT
Example
esr# update security ips content-provider rules-info
update security ips user-server rules
This command initiates a forced update of IPS/IDS rules from the user update server.
The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.
Syntax
update security ips user-server rules <WORD>
Parameters
<WORD> – server name, specified by the string from 1 to 64 characters long.
Required privilege level
15
Command mode
ROOT
Example
esr# update security ips user-server rules ET-Open
IPS/IDS policy configuration
category
This command specifies the category of IPS/IDS rules of a particular vendor, distributed under a commercial license, and enters the configuration mode for that category.
The use of a negative form (no) of the command removes the configured category from the IPS/IDS service settings.
Syntax
category <CATEGORY>
no category { <CATEGORY> | all }
Parameters
<CATEGORY> – rule category.
You can see the list of available categories in the context tooltip or with the command:
show security ips content-provider rules-info
Required privilege level
15
Command mode
CONFIG-IPS-VENDOR
Example
esr(config-ips-vendor)# category MobileBotnetCAndCDF
external network-group
This command sets the IP address profile that the IPS/IDS service will treat as external (untrusted).
The IP address profile must be pre-created.
The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.
Syntax
external network-group <OBJ-GROUP-NETWORK-NAME>
no external network-group
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP address profile name, set by a string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IPS-POLICY
Example
esr(config-ips-policy)# external network-group WAN
protect network-group
This command sets the IP address profile that the IPS/IDS service will protect.
The IP address profile must be pre-created.
The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.
Syntax
protect network-group <OBJ-GROUP-NETWORK-NAME>
no protect network-group
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP address profile name, set by a string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IPS-POLICY
Example
esr(config-ips-policy)# protect network-group LAN
rules action
The command specifies the action that should be applied for the traffic meeting rules of this category.
The use of a negative form (no) of the command removes an assigned action.
The command applies only to rules distributed under a commercial license.
Syntax
rules action { alert | reject | pass | drop }
no rules action
Parameters:
- alert – traffic is allowed and the IPS/IDS service generates a message;
- reject – traffic is prohibited. For TCP traffic, a TCP-RESET packet is sent to both the sender and the recipient; for all other traffic types, an ICMP error packet is sent. The IPS/IDS service generates a message;
- pass – traffic transfer is permitted;
- drop – traffic is prohibited and the IPS/IDS service generates a message.
Required privilege level
15
Command mode
CONFIG-IPS-VENDOR-CATEGORY
Example
esr(config-ips-vendor-category)# rules action drop
rules count
This command specifies the effective number of rules of a given category that the IPS/IDS system will operate with.
The use of a negative form (no) of the command removes the assigned rule count.
The command applies only to rules distributed under a commercial license.
Syntax
rules count <COUNT>
no rules count
Parameters:
<COUNT> – number of rules. The minimum value is 1, the maximum value depends on the category of rules.
The maximum number of rules by category can be seen in the context hint or with the command:
show security ips content-provider rules-info
Required privilege level
15
Command mode
CONFIG-IPS-VENDOR-CATEGORY
Example
esr(config-ips-vendor-category)# rules count 8000
security ips policy
This command creates an IPS/IDS service settings policy with a specific name and switches to the policy configuration mode.
The use of a negative form (no) of the command removes the configured policy of the IPS/IDS service settings.
Syntax
[no] security ips policy <POLICY_NAME>
Parameters
<POLICY_NAME> – IPS/IDS service policy name, specified by a string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# security ips policy OFFICE
vendor
This command identifies the vendor of IPS/IDS rules distributed under a commercial license and enters the configuration mode for that vendor.
The use of a negative form (no) of the command removes the configured vendor from the IPS/IDS service settings.
Syntax
vendor <VENDOR>
no vendor <VENDOR>
Parameters
<VENDOR> – rule vendor.
You can see the list of available vendors in the context tooltip or with the command:
show security ips content-provider rules-info
Required privilege level
15
Command mode
CONFIG-IPS-POLICY
Example
esr(config-ips-policy)# vendor kaspersky
IPS configuration
logging ips severity
This command sets the message severity level for logging IPS/IDS events.
The use of a negative form (no) of the command sets the default value.
Syntax
logging ips severity <SEVERITY>
no logging ips severity
Parameters
<SEVERITY> – message importance level, takes one of the following values (in order of decreasing importance):
- emerg – critical error has occurred in the system, the system is not operational;
- alert – alarms, immediate intervention by staff;
- crit – critical system status, event reporting;
- error – error messages;
- warning – warnings, non-emergency messages;
- notice – messages about important system events;
- info – system information messages;
- debug – debugging messages provide the user with information to correctly configure the system;
- none – disables the output of syslog messages to the console.
Default value
info
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# logging ips severity error
logging storage-path
This command sets the name and path of the directory on the external drive to which the log files of the IPS/IDS service in EVE format (Elasticsearch-compatible JSON) will be written.
The use of a negative form (no) of the command stops recording log files.
Syntax
logging storage-path <PATH>
no logging storage-path
Parameters
<PATH> – the name and path of the directory on the external drive in format of:
usb://usb_name:/[FILE]/
mmc://mmc_name:/[FILE]/
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# logging storage-path usb://DATA/Log/
security ips
This command creates an IPS/IDS service profile and switches to its configuration mode.
Syntax
security ips
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# security ips
performance max
This command allows the IPS/IDS service to use all of the device’s resources for maximum performance. It is recommended to use when the device is used exclusively as IPS/IDS. It is not recommended to use when, in addition to IPS/IDS, the device performs other functions (routing, BRAS, etc.).
The use of a negative form (no) of the command frees up part of the device’s resources for use by other services.
Syntax
[no] performance max
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# performance max
policy
This command assigns the previously created IPS/IDS service settings policy.
The use of a negative form (no) of the command removes the assigned policy of the IPS/IDS service settings.
Syntax
policy <POLICY_NAME>
no policy
Parameters
<POLICY_NAME> – IPS service policy name, specified by a string of up to 32 characters.
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# policy OFFICE
service-ips enable
This command is used to enable the IPS/IDS service on the network interface.
The use of a negative form (no) of the command disables the IPS/IDS service on the network interface.
Syntax
[no] service-ips enable
Required privilege level
15
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-SUBIF
CONFIG-QINQ-IF
CONFIG-PORT-CHANNEL
CONFIG-BRIDGE
Example
esr(config-if-gi)# service-ips enable
Configuring auto-updating of IPS/IDS rules distributed under a commercial license
content-provider
This command switches to the configuration mode of the source of rule updates distributed under a commercial license.
Syntax
content-provider
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# content-provider
host address
This command specifies the address of the server for rule updates distributed under a commercial license.
Syntax
host address { <ADDR> | <IPV6-ADDR> | <HOSTNAME> }
Parameters
<ADDR> – server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<IPV6-ADDR> – server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];
<HOSTNAME> – server DNS name, set by a string of up to 255 characters.
Required privilege level
15
Command mode
CONFIG-CONTENT-PROVIDER
Example
esr(config-content-provider)# host address edm.eltex-co.ru
host port
This command specifies the TCP port number of the server for rule updates distributed under a commercial license.
Syntax
host port <PORT>
Parameters
<PORT> – TCP port number, may take values [1..65535];
Required privilege level
15
Command mode
CONFIG-CONTENT-PROVIDER
Example
esr(config-content-provider)# host port 8098
reboot
This command sets the time to reboot the device when the system license is received. The device reboots the first time it connects to a commercially licensed rule update server.
If you have an already operating IPS/IDS license, there is no reboot.
Syntax
reboot { immediately | time <TIME> }
Parameters
immediately – reboot immediately after receiving a license;
time <TIME> – restart at a specified time <TIME>;
<TIME> – reboot time in format of HH:MM:SS.
Required privilege level
15
Command mode
CONFIG-CONTENT-PROVIDER
Example
esr(config-content-provider)# reboot time 05:00:00
storage-device
This command specifies the name of the external drive on which encrypted IPS/IDS rules distributed under a commercial license will be stored.
The use of a negative form (no) of the command stops rule saving.
Syntax
storage-device <PATH>
no storage-device
Parameters
<PATH> – name of external drive in format of:
usb://usb_name:/
mmc://mmc_name:/
Required privilege level
15
Command mode
CONFIG-CONTENT-PROVIDER
Example
esr(config-content-provider)# storage-device usb://DATA
upgrade interval
The command specifies the frequency with which the device will check for updates of IPS/IDS rules distributed under a commercial license.
The use of a negative form (no) of the command sets the default value.
Syntax
upgrade interval <HOURS>
no upgrade interval
Parameters
<HOURS> – update interval in hours, from 1 to 240.
Default value
24
Required privilege level
15
Command mode
CONFIG-CONTENT-PROVIDER
Example
esr(config-content-provider)# upgrade interval 36
Configuration of IPS/IDS rules auto-update from external sources
auto-upgrade
This command switches to the configuration mode of the sources of rule updates for the service.
Syntax
auto-upgrade
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# auto-upgrade
upgrade interval
This command sets the frequency with which the device will check for updates of IPS/IDS rules and/or the IPS/IDS classifier file from this URL.
The use of a negative form (no) of the command sets the default value.
Syntax
upgrade interval <HOURS>
no upgrade interval
Parameters
<HOURS> – update interval in hours, from 1 to 240.
Default value
24
Required privilege level
15
Command mode
CONFIG-IPS-UPGRADE-USER-SERVER
Example
esr(config-ips-upgrade-user-server)# upgrade interval 36
url
This command specifies the URL of the rule update source.
The use of a negative form (no) of the command removes the link from the IPS/IDS rule update source configuration.
Syntax
url <URL>
no url
Parameters
<URL> – text field containing the URL, 8 to 255 characters long.
The URL may point to:
- a rule file with the .rule extension;
- a rule classifier file named classification.config;
- a directory on the server containing rule files and/or a rule classifier file.
Required privilege level
15
Command mode
CONFIG-IPS-UPGRADE-USER-SERVER
Example
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/
user-server
This command sets the name of the user IPS/IDS rule update server and switches to the configuration mode of the user update server settings.
The use of a negative form (no) of the command removes the user IPS/IDS rule update server and all the rules received from this server.
Syntax
user-server <WORD>
no user-server { <WORD> | all }
Parameters
<WORD> – server name, specified by the string from 1 to 64 characters long.
Required privilege level
15
Command mode
CONFIG-IPS-AUTO-UPGRADE
Example
esr(config-ips-auto-upgrade)# user-server ET-Open
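Putting the commands of the preceding sections together, here is a complete configuration session. It is an added example, not taken from the manual; it assumes the ESR `exit` command and the `interface gigabitethernet 1/0/1` entry command (neither is described on this page), that the IP address profiles LAN and WAN already exist, and that the external drive is named DATA. Lines beginning with `!` are annotations, not commands.

```cli
! Added example (not from the original manual). Builds an IPS/IDS policy
! using commercial Kaspersky categories, the commercial update source, the
! service profile that applies the policy, a community rule source, and
! finally enables inspection on the WAN-facing interface.
! Assumed (not on this page): "exit" and "interface gigabitethernet 1/0/1".

! 1. Policy: which addresses are protected, which are external, and which
!    commercial categories apply with what action. Category names and rule
!    counts come from "show security ips content-provider rules-info".
esr(config)# security ips policy OFFICE
esr(config-ips-policy)# protect network-group LAN
esr(config-ips-policy)# external network-group WAN
esr(config-ips-policy)# vendor kaspersky
esr(config-ips-vendor)# category PhishingURLsDF
esr(config-ips-vendor-category)# rules action drop
esr(config-ips-vendor-category)# rules count 11167
esr(config-ips-vendor-category)# exit
esr(config-ips-vendor)# category MaliciousHashDF
esr(config-ips-vendor-category)# rules action alert
esr(config-ips-vendor-category)# exit
esr(config-ips-vendor)# exit
esr(config-ips-policy)# exit

! 2. Commercial update source: server, TCP port, drive that stores the
!    encrypted rules, check interval, and a reboot window for the first
!    license delivery (outside working hours).
esr(config)# content-provider
esr(config-content-provider)# description "Kaspersky commercial feeds"
esr(config-content-provider)# host address edm.eltex-co.ru
esr(config-content-provider)# host port 8098
esr(config-content-provider)# storage-device usb://DATA
esr(config-content-provider)# upgrade interval 12
esr(config-content-provider)# reboot time 05:00:00
esr(config-content-provider)# enable
esr(config-content-provider)# exit

! 3. Service profile: attach the policy, write EVE logs to the drive,
!    add a community rule source, and start the service.
esr(config)# security ips
esr(config-ips)# policy OFFICE
esr(config-ips)# logging storage-path usb://DATA/Log/
esr(config-ips)# auto-upgrade
esr(config-ips-auto-upgrade)# user-server ET-Open
esr(config-ips-upgrade-user-server)# description "Emerging Threats open ruleset"
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/
esr(config-ips-upgrade-user-server)# upgrade interval 24
esr(config-ips-upgrade-user-server)# exit
esr(config-ips-auto-upgrade)# exit
esr(config-ips)# enable
esr(config-ips)# exit

! 4. Log IPS events at "notice" and above, and enable inspection on the
!    interface facing the external network.
esr(config)# logging ips severity notice
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# service-ips enable
esr(config-if-gi)# exit

! 5. Verification from ROOT mode: update state per source and counters.
esr# show security ips user-server
esr# show security ips counters
```

A "Next update" timestamp in the past for any server in the `show security ips user-server` output means that source is no longer refreshing and should be investigated before relying on its rules.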
User IPS/IDS rules configuration
action
The command specifies the action that should be applied to traffic matching the conditions of this rule.
The use of a negative form (no) of the command removes an assigned action.
Syntax
action { alert | reject | pass | drop }
no action
Parameters:
- alert – traffic is allowed and the IPS/IDS service generates a message;
- reject – traffic is prohibited. For TCP traffic, a TCP-RESET packet is sent to both the sender and the recipient; for all other traffic types, an ICMP error packet is sent. The IPS/IDS service generates a message;
- pass – traffic transfer is permitted;
- drop – traffic is prohibited and the IPS/IDS service generates a message.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# action reject
destination-address
The command sets the destination IP addresses for which the rule is triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
destination-address { ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
no destination-address
Parameters
<ADDR> – receiver IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];
<OBJ_GR_NAME> – name of IP addresses profile that contains destination IP address, set by the string of up to 31 characters;
destination-address policy-object-group protect – sets protect addresses defined in IPS/IDS policy as destination addresses;
destination-address policy-object-group external – sets external addresses defined in IPS/IDS policy as destination addresses;
When specifying the 'any' value, the rule is triggered for any destination IP address.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# destination-address ip 10.10.10.1
destination-port
The command sets the destination TCP/UDP port number for which the rule is triggered.
The use of a negative form (no) of the command removes the assignment.
Syntax
destination-port { any | <PORT> | object-group <OBJ-GR-NAME> }
no destination-port
Parameters
<PORT> – number of destination TCP/UDP port, takes values of [1..65535];
<OBJ-GR-NAME> – destination TCP/UDP ports profile name, set by a string of up to 31 characters.
When specifying the 'any' value, the rule is triggered for any destination TCP/UDP port.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# destination-port 22
direction
This command sets traffic direction for which the rule should be triggered.
The use of a negative form (no) of the command removes the assignment.
Syntax
direction { one-way | round-trip }
no direction
Parameters
- one-way – traffic is transmitted in one direction;
- round-trip – traffic is transmitted in both directions.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# direction one-way
ip dscp
This command sets the DSCP code value; traffic marked with this DSCP value is processed by this rule.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip dscp <DSCP>
[no] ip dscp
Parameters
<DSCP> – DSCP code value, takes values in the range of [0..63].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip dscp 8
ip ftp command
This command sets the FTP keyword values for which the rule should be triggered.
This command applies only when the protocol is set to ftp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip ftp command <COMMAND>
[no] ip ftp command
Parameters
<COMMAND> – can take the following values:
- <retr> – download file;
- <stor> – upload file;
- <mkd> – create directory;
- <rmd> – remove directory;
- <appe> – add to the end of the file (with creation);
- <allo> – allocate space on disk;
- <dele> – delete file.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# protocol ftp
esr(config-ips-category-rule)# ip ftp command allo
ip ftp-data command
This command sets the FTP-DATA keyword values for which the rule should be triggered.
This command applies only when the protocol is set to ftp-data.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip ftp-data command <COMMAND>
[no] ip ftp-data command
Parameters
<COMMAND> – can take the following values:
- <retr> – download file;
- <stor> – upload file;
- <appe> – add to the end of the file (with creation).
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# protocol ftp-data
esr(config-ips-category-rule)# ip ftp-data command stor
ip http
This command sets the HTTP keyword values for which the rule should be triggered.
This command applies only when the protocol is set to http.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip http <COMMAND>
[no] ip http
Parameters
<COMMAND> – can take the following values:
- accept;
- accept-enc;
- accept-lang;
- client-body;
- connection;
- content-len;
- content-type;
- cookie;
- file-data;
- header;
- header-names;
- host;
- protocol;
- referer;
- request-line;
- response-line;
- server-body;
- start;
- stat-code;
- stat-msg;
- uri;
- urilen <VALUE>;
- urilen comparison-operator { greater-than | less-than};
- user-agent.
The values and application of the HTTP keywords are described in detail in the SNORT 2.X/Suricata 4.X documentation.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content «HTTP/1.0»
esr(config-ips-category-rule)# ip http protocol
ip http content-filter
This command is used to assign a content filtering category profile. The current rule will be triggered for http sites that belong to the categories set in this profile.
The content filtering profile must be pre-created.
This command applies only when the protocol is set to http.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip http content-filter <NAME>
[no] ip http content-filter
Parameters
<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.
any – rule will trigger for http sites of any category.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip http content-filter Black-List
ip http method
This command sets the values of the http access method for which the rule should be triggered.
This command applies only when the protocol is set to http.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip http method <COMMAND>
[no] ip http method
Parameters
<COMMAND> – can take the following values:
- <GET> – requests a representation of the resource. Requests using this method can only retrieve data;
- <HEAD> – requests the resource in the same way as GET, but without the response body;
- <POST> – submits an entity to the specified resource;
- <PUT> – replaces all current representations of the target resource with the request data;
- <DELETE> – deletes the specified resource;
- <CONNECT> – establishes a tunnel to the server identified by the resource;
- <OPTIONS> – describes the communication options for the target resource;
- <TRACE> – performs a message loop-back test along the path to the resource;
- <PATCH> – applies partial modifications to the resource.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip http method get
ip icmp code
This command sets the ICMP CODE value at which the rule will be triggered.
This command applies only when the protocol is set to icmp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp code <CODE>
[no] ip icmp code
Parameters
<CODE> – ICMP CODE value, takes a value in the range [0..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp code 5
ip icmp code comparison-operator
Comparison operator for ip icmp code command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
ip icmp code comparison-operator { greater-than | less-than }
[no] ip icmp code comparison-operator
Parameters
- greater-than – greater than;
- less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp code 5
esr(config-ips-category-rule)# ip icmp code comparison-operator less-than
ip icmp id
This command sets the ICMP ID value at which the rule will be triggered.
This command applies only when the protocol is set to icmp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp id <ID>
[no] ip icmp id
Parameters
<ID> – ICMP ID value, takes a value in the range [0..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp id 65000
ip icmp sequence-id
This command sets the ICMP sequence-ID value at which the rule will be triggered.
This command applies only when the protocol is set to icmp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp sequence-id <SEQ-ID>
[no] ip icmp sequence-id
Parameters
<SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp sequence-id 8388608
ip icmp type
This command sets the ICMP TYPE value at which the rule will be triggered.
This command applies only when the protocol is set to icmp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp type <TYPE>
[no] ip icmp type
Parameters
<TYPE> – ICMP TYPE value, takes a value in the range [0..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp type 12
ip icmp type comparison-operator
Comparison operator for ip icmp type command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
ip icmp type comparison-operator { greater-than | less-than }
[no] ip icmp type comparison-operator
Parameters
- greater-than – greater than;
- less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp type 14
esr(config-ips-category-rule)# ip icmp type comparison-operator greater-than
ip protocol-id
This command sets the IP protocol number (the Protocol field of the IP header); traffic carrying this protocol number is processed by this rule.
This command applies only when the protocol is set to any.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip protocol-id <ID>
[no] ip protocol-id
Parameters
<ID> – IP protocol number, takes values in the range [1..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip protocol-id 250
ip tcp acknowledgment-number
This command sets the TCP Acknowledgment-Number at which the rule will be triggered.
This command applies only when the protocol is set to tcp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip tcp acknowledgment-number <ACK-NUM>
[no] ip tcp acknowledgment-number
Parameters
<ACK-NUM> – TCP Acknowledgement-Number value, takes a value in the range [0..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip tcp acknowledgment-number 32
ip tcp sequence-id
This command sets the TCP Sequence-ID value at which the rule will be triggered.
This command applies only when the protocol is set to tcp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip tcp sequence-id <SEQ-ID>
[no] ip tcp sequence-id
Parameters
<SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip tcp sequence-id 2542
ip tcp window-size
This command sets the TCP Window Size at which the rule will be triggered.
This command applies only when the protocol is set to tcp.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip tcp window-size <SIZE>
[no] ip tcp window-size
Parameters
<SIZE> – TCP Window-Size value, takes a value in the range [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip tcp window-size 50
ip ttl
This command sets the IP TTL (time to live) value; traffic with this TTL is processed by this rule.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip ttl <TTL>
[no] ip ttl
Parameters
<TTL> – IP packet TTL, takes values in the range [1..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip ttl 8
ip ttl comparison-operator
Comparison operator for ip ttl command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
ip ttl comparison-operator { greater-than | less-than }
[no] ip ttl comparison-operator
Parameters
- greater-than – greater than;
- less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip ttl 5
esr(config-ips-category-rule)# ip ttl comparison-operator less-than
meta classification-type
This command defines the classification of the event that the IPS/IDS service generates when the rule is triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | successful-recon-limited | successful-recon-largescale | attempted-dos | successful-dos | attempted-user | unsuccessful-user | successful-user | attempted-admin | successful-admin | rpc-portmap-decode | shellcode-detect | string-detect | suspicious-filename-detect | suspicious-login | system-call-detect | tcp-connection | trojan-activity | unusual-client-port-connection | network-scan | denial-of-service | non-standard-protocol | protocol-command-decode | web-application-activity | web-application-attack | misc-activity | misc-attack | icmp-event | inappropriate-content | policy-violation | default-login-attempt }
[no] meta classification-type
Parameters
- not-suspicious – not suspicious traffic;
- unknown – unknown traffic;
- bad-unknown – potentially bad traffic;
- attempted-recon – information leak attempt;
- successful-recon-limited – information leak;
- successful-recon-largescale – large-scale information leak;
- attempted-dos – denial of service attempt;
- successful-dos – denial of service;
- attempted-user – attempt to obtain user privileges;
- unsuccessful-user – unsuccessful attempt to obtain user privileges;
- successful-user – successful attempt to obtain user privileges;
- attempted-admin – attempt to obtain admin privileges;
- successful-admin – successful attempt to obtain admin privileges;
- rpc-portmap-decode – RPC request decoding;
- shellcode-detect – executable code detected;
- string-detect – suspicious string detected;
- suspicious-filename-detect – suspicious filename was detected;
- suspicious-login – attempt to log in using a suspicious username was detected;
- system-call-detect – system call was detected;
- tcp-connection – TCP connection was detected;
- trojan-activity – network Trojan was detected;
- unusual-client-port-connection – the client used an unusual port;
- network-scan – network scan was detected;
- denial-of-service – denial of service attack was detected;
- non-standard-protocol – custom protocol or event was detected;
- protocol-command-decode – encryption attempt was detected;
- web-application-activity – access to a potentially vulnerable web application;
- web-application-attack – attack on web application;
- misc-activity – other activity;
- misc-attack – other attacks;
- icmp-event – general ICMP event;
- inappropriate-content – inappropriate content was detected;
- policy-violation – potential breach of corporate privacy;
- default-login-attempt – login attempt using a standard login/password.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# meta classification-type misc-attack
meta log-message
This command defines the text message that the IPS/IDS service will generate when the rule will be triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
meta log-message <MESSAGE>
[no] meta log-message
Parameters
<MESSAGE> – text message, specified by a string of up to 128 characters.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# meta log-message "Possible SlowLorys attack"
payload content
This command specifies the content that must be present in the IP packet payload for the rule to be triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
payload content <CONTENT>
[no] payload content <CONTENT>
Parameters
<CONTENT> – text message, specified by a string of up to 1024 characters.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content "virus"
payload data-size
This command sets the packet content size at which the rule will be triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
payload data-size <SIZE>
[no] payload data-size
Parameters
<SIZE> – packet content size, takes values in the range of [1..65535]
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload data-size 1024
payload data-size comparison-operator
Comparison operator for the payload data-size command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
payload data-size comparison-operator { greater-than | less-than }
[no] payload data-size comparison-operator
Parameters
- greater-than – greater than;
- less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload data-size 1024
esr(config-ips-category-rule)# payload data-size comparison-operator less-than
payload depth
This command specifies how many bytes from the beginning of the packet contents are checked by this rule. This command is used in conjunction with the payload content command only. It can be used in conjunction with the payload offset command.
The use of a negative form (no) of the command means that the entire packet contents are checked for the specified content.
Syntax
payload depth <DEPTH>
[no] payload content depth
Parameters
<DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content "abc"
esr(config-ips-category-rule)# payload depth 3
Packets whose contents are 'abcdef', 'abc123', 'abcabcabc', etc., will match the rule.
payload no-case
This command makes the comparison with the specified packet contents case-insensitive (uppercase and lowercase letters are not distinguished). This command is used in conjunction with the payload content command only.
The use of a negative form (no) of the command cancels the assignment.
Syntax
payload no-case
[no] payload content no-case
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content "virus"
esr(config-ips-category-rule)# payload no-case
Packets whose contents are 'virus', 'VIRUS', 'ViRuS', etc., will match the rule.
payload offset
This command specifies the offset, in bytes from the beginning of the packet contents, at which the check begins. This command is used in conjunction with the payload content command only. It can be used in conjunction with the payload depth command.
The use of a negative form (no) of the command means that the entire packet contents are checked for the specified content.
Syntax
payload offset <OFFSET>
[no] payload content offset
Parameters
<OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1 .. 65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content "abc"
esr(config-ips-category-rule)# payload depth 6
esr(config-ips-category-rule)# payload offset 3
Packets whose contents are '123abcdef', 'defabc', 'abcabcabc', etc., will match the rule.
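A worked model of the payload content, depth, offset and no-case keywords described above, written for this page as an added example rather than taken from the device's firmware or documentation. It assumes, following the page's wording, that depth is counted from the start of the payload and offset is the byte at which the check begins (Snort 2 counts depth from the offset instead; the three examples above match under either reading).

```python
# Added example, not from the ESR manual: models how the payload content,
# depth, offset and no-case keywords select the bytes a rule inspects.
# Assumption taken from the page's wording: depth is counted from the start
# of the payload and offset is the byte at which the check begins, so the
# inspected window is payload[offset:depth]. (Snort 2 counts depth from the
# offset instead; the manual's own examples match under either reading.)
from typing import Optional


def payload_matches(content: str, payload: bytes, *, depth: Optional[int] = None,
                    offset: Optional[int] = None, no_case: bool = False) -> bool:
    """True if the rule's payload conditions hit this packet payload.

    depth/offset of None model the 'no payload depth' / 'no payload offset'
    forms, i.e. the whole payload is checked.
    """
    pattern = content.encode()
    start = offset or 0                      # no offset -> start at byte 0
    end = len(payload) if depth is None else depth
    window = payload[start:end]
    if no_case:                              # 'payload no-case' is set
        return pattern.lower() in window.lower()
    return pattern in window


# Constructed payloads reproducing the manual's three worked examples:
# (rule keywords, payloads that must match, payloads that must not match).
EXAMPLES = [
    ({"content": "abc", "depth": 3},
     [b"abcdef", b"abc123", b"abcabcabc"], [b"xabc", b"ab"]),
    ({"content": "virus", "no_case": True},
     [b"virus", b"VIRUS", b"ViRuS"], [b"vir-us"]),
    ({"content": "abc", "depth": 6, "offset": 3},
     [b"123abcdef", b"defabc", b"abcabcabc"], [b"abc123", b"abcdef"]),
]


def check_examples() -> bool:
    """Return True when every constructed payload behaves as documented."""
    for rule, hits, misses in EXAMPLES:
        if not all(payload_matches(payload=p, **rule) for p in hits):
            return False
        if any(payload_matches(payload=p, **rule) for p in misses):
            return False
    return True


if __name__ == "__main__":
    print("manual examples reproduced:", check_examples())
```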
protocol
The command sets the IP protocol for which the rule should apply. The use of a negative form (no) of the command cancels the assignment.
Syntax
protocol { any | ip | icmp | http | tcp | udp | ftp | ftp-data }
[no] protocol
Parameters
- any – the rule will be triggered for any protocol;
- ip – the rule will be triggered for ip. You can configure additional filtering in the rule with the ip protocol-id command;
- icmp – the rule will be triggered for icmp. When this option is selected, the values of source-port and destination-port must be any. You can configure additional filtering in the rule with the ip icmp commands;
- http – the rule will be triggered for http. You can configure additional filtering in the rule with the ip http commands;
- tcp – the rule will be triggered for tcp. You can configure additional filtering in the rule with the ip tcp commands;
- udp – the rule will be triggered for udp. You can configure additional filtering in the rule with the ip udp commands;
- ftp – the rule will be triggered for ftp. You can configure additional filtering in the rule with the ip ftp commands;
- ftp-data – the rule will be triggered for the ftp data channel. You can configure additional filtering in the rule with the ip ftp-data commands.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# protocol udp
rule
The command creates a rule and switches to CONFIG-IPS-CATEGORY-RULE configuration mode. Rules are processed by the device in ascending order of their numbers.
The use of a negative form (no) of the command removes a specified rule.
Syntax
[no] rule <ORDER>
Parameters
<ORDER> – rule number, takes values of [1..512].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY
Example
esr(config-ips-category)# rule 10
esr(config-ips-category-rule)#
security ips-category user-defined
This command creates a set of IPS/IDS service user rules with a specific name and switches to the configuration mode of this set.
The use of a negative form (no) of the command removes the specified set of user rules.
Syntax
[no] security ips-category user-defined <CATEGORY_NAME>
Parameters
<CATEGORY_NAME> – name of the set of IPS/IDS service user rules, specified by a string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# security ips-category user-defined PROTOCOL
esr(config-ips-category)#
source-address
The command sets source IP addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
no source-address
Parameters
<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].
<OBJ_GR_NAME> – name of the IP address profile that contains the source IP addresses, set by a string of up to 31 characters;
policy-object-group protect – uses the protect addresses defined in the IPS/IDS policy as source addresses;
policy-object-group external – uses the external addresses defined in the IPS/IDS policy as source addresses.
When specifying the 'any' value, the rule will be triggered for any source IP address.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# source-address ip-prefix 192.168.0.0/16
source-port
The command sets the number of source TCP/UDP port for which the rule should work.
The use of a negative form (no) of the command removes the assignment.
Syntax
source-port { any | <PORT> | object-group <OBJ_GR_NAME> }
no source-port
Parameters
<PORT> – number of source TCP/UDP port, takes values of [1..65535].
<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.
When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# source-port 22
threshold count
This command specifies the threshold number of packets at which the rule will be triggered.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold count <COUNT>
[no] threshold count
Parameters
<COUNT> – number of packets, takes values in the range of [1..65535]
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold count 1024
threshold second
This command sets the time interval over which the threshold number of packets (set by threshold count) is counted. This command is used in conjunction with the threshold count command only.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold second <SECOND>
[no] threshold second
Parameters
<SECOND> – time interval in seconds, takes values in the range of [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold second 1
threshold track
This command specifies whether packets are counted toward the threshold per source address or per destination address. This command is used in conjunction with the threshold count command only.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold track { by-src | by-dst }
[no] threshold track
Parameters
- by-src – count packets with the same source IP address toward the threshold;
- by-dst – count packets with the same destination IP address toward the threshold.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold track by-src
threshold type
This command sets the threshold processing method. This command is used in conjunction with the threshold count command only.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold type { threshold | limit | both }
[no] threshold type
Parameters
- threshold – display a message every time a threshold is reached;
- limit – issue a message no more than <COUNT> times per time interval <SECOND>;
- both – threshold and limit combination. A message will be generated if during the <SECOND> time interval there were <COUNT> or more packets matching the rule conditions, and the message will be sent only once during the time interval.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold count 1024
esr(config-ips-category-rule)# threshold second 1
esr(config-ips-category-rule)# threshold track by-src
esr(config-ips-category-rule)# threshold type threshold
A message will be generated for every X*1025th packet arriving within 1 second from the same source IP address.
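The interaction of the threshold count, second, track and type commands, as an added example model (not the device's implementation) run over a constructed packet trace. The IP addresses and timestamps are made up, and the window handling (an address's interval starts at its first packet and is reset once <SECOND> seconds have elapsed) is an assumption about the device's behaviour.

```python
# Added example, not from the ESR manual: models the threshold count /
# second / track / type semantics described above over a constructed trace.
# Assumption: an address's interval starts at its first packet and is reset
# once <SECOND> seconds have elapsed since that start.
from collections import defaultdict


def run_threshold(events, count, seconds, kind, track="by-src"):
    """Return the indexes of events that produce a log message.

    events: (time_in_seconds, src_ip, dst_ip) tuples in arrival order.
    kind:   'threshold', 'limit' or 'both', as the manual defines them.
    track:  'by-src' or 'by-dst', the address the counters are kept per.
    """
    state = defaultdict(lambda: {"start": None, "n": 0})
    alerts = []
    for idx, (t, src, dst) in enumerate(events):
        s = state[src if track == "by-src" else dst]
        if s["start"] is None or t - s["start"] >= seconds:
            s["start"], s["n"] = t, 0          # new time interval
        s["n"] += 1
        if kind == "threshold" and s["n"] % count == 0:
            alerts.append(idx)                 # every <COUNT>-th packet
        elif kind == "limit" and s["n"] <= count:
            alerts.append(idx)                 # first <COUNT> packets only
        elif kind == "both" and s["n"] == count:
            alerts.append(idx)                 # once, when <COUNT> is reached
    return alerts


# Constructed trace (times in seconds): 10.0.0.1 sends five packets within
# the first second and two more after it; 10.0.0.2 sends two. All packets
# go to the same destination 192.0.2.10.
TRACE = [(0.1, "10.0.0.1", "192.0.2.10"), (0.2, "10.0.0.1", "192.0.2.10"),
         (0.3, "10.0.0.2", "192.0.2.10"), (0.4, "10.0.0.1", "192.0.2.10"),
         (0.5, "10.0.0.1", "192.0.2.10"), (0.6, "10.0.0.2", "192.0.2.10"),
         (0.9, "10.0.0.1", "192.0.2.10"), (1.5, "10.0.0.1", "192.0.2.10"),
         (1.6, "10.0.0.1", "192.0.2.10")]


if __name__ == "__main__":
    # threshold count 2 / threshold second 1 / threshold track by-src
    for kind in ("threshold", "limit", "both"):
        print(f"type {kind:9}: messages at events",
              run_threshold(TRACE, 2, 1, kind))
```

Switching track to by-dst merges both senders into one counter for 192.0.2.10, which is why a per-destination threshold fires at different packets than a per-source one on the same trace.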
Extended user rules configuration
rule-advanced
The command creates a rule and switches to CONFIG-IPS-CATEGORY-RULE-ADVANCED configuration mode. Rules are processed by the device in ascending order of their numbers.
The use of a negative form (no) of the command removes a specified rule.
Syntax
[no] rule-advanced <ORDER>
Parameters
<ORDER> – rule number, takes values of [1..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY
Example
esr(config-ips-category)# rule-advanced 10
esr(config-ips-category-rule-advanced)#
rule-text
This command describes the traffic processing rule in SNORT 2.X/Suricata 4.X format.
The use of a negative form (no) of the command cancels the assignment.
Syntax
rule-text <LINE>
[no] rule-text
Parameters
<LINE> – text message in SNORT 2.X/Suricata 4.X format, specified by a string of up to 1024 characters.
When writing rules, the double-quote character (") used in SNORT/Suricata rule syntax must be replaced with the single-quote character ('), as in the example below.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE-ADVANCED
Example
esr(config-ips-category-rule-advanced)# rule-text "alert tcp any any -> $HOME_NET any (msg: 'ATTACK [PTsecurity] Attempt to crash named using malformed RNDC packet'; flow: established, to_server; content:'_auth'; depth: 20; fast_pattern; content: !'|02 00 00 00|'; within: 4; content: '_ctrl'; content: '_ser'; content: '_tim'; content: '_exp'; reference: cve, 2016-1285; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10000005; rev: 3; )"