IPS/IDS general commands

description

This command sets a text description for the current object (category, rule, policy or update server).

The use of a negative form (no) of the command removes the description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-IPS-CATEGORY

CONFIG-IPS-CATEGORY-RULE

CONFIG-IPS-CATEGORY-RULE-ADVANCED

CONFIG-IPS-POLICY

CONFIG-IPS-UPGRADE-USER-SERVER

CONFIG-CONTENT-PROVIDER

Example
esr(config-ips-upgrade-user-server)# description "Etnetera aggressive IP blacklist"
CODE

enable

This command activates the IPS/IDS service and its rules.

The use of a negative form (no) of the command deactivates the IPS/IDS service.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

IPS/IDS service is not activated.

Required privilege level

15

Command mode

CONFIG-IPS

CONFIG-IPS-CATEGORY-RULE

CONFIG-IPS-CATEGORY-RULE-ADVANCED

CONFIG-CONTENT-PROVIDER

Example
esr(config-ips)# enable
CODE

show security ips content-provider

This command displays information about updates of IPS/IDS rules distributed under a commercial license.

Syntax
show security ips content-provider
Required privilege level

10

Command mode

ROOT

Example
esr# show security ips content-provider 
 Server: content-provider
 		Last MD5 of received files:        93633ab9a73248ea50d58c25b1ac806c
 		Next update: 06 October 2020 12:27:40
CODE

show security ips content-provider rules-info

This command displays the categories of IPS/IDS rules available under the current commercial license. If there is no valid license, the list is empty.

Syntax
show security ips content-provider rules-info
Required privilege level

10

Command mode

ROOT

Example
esr# show security ips content-provider rules-info 
Vendor : kaspersky
    Category : IoTURLsDF
        Count of rules : 8000
        Description : Kasperksy Lab IoTURLsDF feed
		      IoTURLsDF URL feed - a set of URLs with context covering malware that infects IoT (Internet of Things) devices
    Category : MaliciousHashDF
        Count of rules : 1
        Description : Kasperksy Lab MaliciousHashDF feed
		      Malicious Hash feed - a set of hashes of malicious objects
    Category : PhishingURLsDF
        Count of rules : 11167
        Description : Kasperksy Lab PhishingURLsDF feed
		      Phishing URL feed - a set of URLs with context that cover phishing websites and web pages
CODE

show security ips counters

This command displays the IPS/IDS service counters.

Syntax
show security ips counters
Required privilege level

10

Command mode

ROOT

Example
esr# show security ips counters
TCP flows processed : 34687
Alerts generated : 456
Blocked by ips engine : 78
Accepted by ips engine : 1356436
CODE

show security ips user-server

This command displays information about IPS/IDS rule updates from user update servers.

Syntax
show security ips user-server [<WORD>]
Parameters

<WORD> – server name, specified by the string from 1 to 64 characters long.

Required privilege level

10

Command mode

ROOT

Example
esr# sh security ips user-server 
Server name                        Files MD5                          Next update                        
--------------------------------   --------------------------------   --------------------------------   
content-provider                   93633ab9a73248ea50d58c25b1ac806c   06 October 2020 12:27:40           
TH                                 919f51bdf44052bfc0953362aef11c0d   06 October 2020 12:36:40           
Traffic-ID                         e5e2f6472a397227c0d96f5df430a207   06 October 2020 12:36:40           
Aggressive                         cfc3547b50f3f9fec366ba5a1e51cd1f   06 October 2020 12:36:40           
JA3-Fingerprint                    439aa6e57c66826b92337672937d505b   05 October 2020 16:51:40           
C2-Botnet                          39e118bd3884b3dc1df4ca3a03c05df1   05 October 2020 16:51:40           
SSL-BlackList                      1d9c969f25791b9ee8c8c0ab8449d849   05 October 2020 16:51:40           
ET-Open                            d53d92248a1f7cdc040d669a76cf27bc   06 October 2020 12:36:40    
CODE
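The table above is the only place the device reports whether a user feed is still being refreshed. The following Python script, added here as an example and not part of the Eltex documentation, parses that output (the sample is the table from this page, embedded as constructed input), reports feeds whose scheduled "Next update" is already in the past, and reports feeds whose "Files MD5" changed between two snapshots. The timestamp format and column layout are taken from the sample output; anything else is an assumption.

```python
"""Added example, not part of the Eltex documentation: parse the table printed by
'show security ips user-server' and report feeds whose next scheduled update is
already in the past (a feed that is stuck or unreachable), plus feeds whose
Files MD5 changed between two snapshots (the only change signal the device shows)."""
import re
from datetime import datetime

# Constructed sample: the table from this page's own 'show security ips user-server' example.
SAMPLE_OUTPUT = """\
esr# sh security ips user-server
Server name                        Files MD5                          Next update
--------------------------------   --------------------------------   --------------------------------
content-provider                   93633ab9a73248ea50d58c25b1ac806c   06 October 2020 12:27:40
TH                                 919f51bdf44052bfc0953362aef11c0d   06 October 2020 12:36:40
Traffic-ID                         e5e2f6472a397227c0d96f5df430a207   06 October 2020 12:36:40
Aggressive                         cfc3547b50f3f9fec366ba5a1e51cd1f   06 October 2020 12:36:40
JA3-Fingerprint                    439aa6e57c66826b92337672937d505b   05 October 2020 16:51:40
C2-Botnet                          39e118bd3884b3dc1df4ca3a03c05df1   05 October 2020 16:51:40
SSL-BlackList                      1d9c969f25791b9ee8c8c0ab8449d849   05 October 2020 16:51:40
ET-Open                            d53d92248a1f7cdc040d669a76cf27bc   06 October 2020 12:36:40
"""

# One data row: server name, 32 hex digits, then the timestamp as the device prints it.
ROW = re.compile(r"^(\S+)\s+([0-9a-f]{32})\s+(\d{2} \w+ \d{4} \d{2}:\d{2}:\d{2})$")
DATE_FORMAT = "%d %B %Y %H:%M:%S"   # e.g. '06 October 2020 12:27:40' (English month names)


def parse_user_servers(text: str) -> dict:
    """Return {server name: (files_md5, next_update)}; prompt, header and separator lines are skipped."""
    feeds = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, md5, when = m.groups()
            feeds[name] = (md5, datetime.strptime(when, DATE_FORMAT))
    return feeds


def overdue_feeds(feeds: dict, now: str) -> list:
    """Servers whose 'Next update' lies before `now` (given in the device's own text format)."""
    now_dt = datetime.strptime(now, DATE_FORMAT)
    return sorted(name for name, (_md5, nxt) in feeds.items() if nxt < now_dt)


def changed_feeds(before: dict, after: dict) -> list:
    """Servers whose Files MD5 differs between two snapshots, i.e. new rule files were received."""
    return sorted(name for name in after if name in before and before[name][0] != after[name][0])


if __name__ == "__main__":
    feeds = parse_user_servers(SAMPLE_OUTPUT)
    print("overdue at 06 October 2020 12:30:00:", overdue_feeds(feeds, "06 October 2020 12:30:00"))
```

Run it against two captures taken an interval apart: a feed that is overdue and whose MD5 never changes is the one to investigate (unreachable URL, wrong path, or an upstream that stopped publishing).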

update security ips content-provider rules

This command initiates a forced update of IPS/IDS rules distributed under a commercial license.

The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.

Syntax
update security ips content-provider rules
Required privilege level

15

Command mode

ROOT

Example
esr# update security ips content-provider rules
CODE

update security ips content-provider rules-info

This command initiates a forced request for information about categories of IPS/IDS rules available under the current commercial license.

The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.

Syntax
update security ips content-provider rules-info
Required privilege level

15

Command mode

ROOT

Example
esr# update security ips content-provider rules-info
CODE

update security ips user-server rules

This command initiates a forced update of IPS/IDS rules from the user update server.

The actual start of the rule updating procedure occurs with some delay after the command is entered. The maximum delay is 5 minutes.

Syntax
update security ips user-server rules <WORD>
Parameters

<WORD> – server name, specified by the string from 1 to 64 characters long.

Required privilege level

15

Command mode

ROOT

Example
esr# update security ips user-server rules ET-Open
CODE

IPS/IDS policy configuration

category

This command specifies a category of IPS/IDS rules of a particular vendor, distributed under a commercial license, and enters the configuration mode for that category.

The use of a negative form (no) of the command removes the configured category from the IPS/IDS service settings.

Syntax
category <CATEGORY>
no category { <CATEGORY> | all }
Parameters

<CATEGORY> – rule category. 

You can see the list of available categories in the context tooltip or with a command:

show security ips content-provider rules-info

Required privilege level

15

Command mode

CONFIG-IPS-VENDOR

Example
esr(config-ips-vendor)# category MobileBotnetCAndCDF
CODE

external network-group

This command sets the IP address profile, which the IPS/IDS service will consider unreliable.

The IP address profile must be pre-created.

The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.

Syntax
external network-group <OBJ-GROUP-NETWORK-NAME>
no external network-group
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IPS-POLICY

Example
esr(config-ips-policy)# external network-group WAN
CODE

protect network-group

This command sets the IP address profile that the IPS/IDS service will protect.

The IP address profile must be pre-created.

The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.

Syntax
protect network-group <OBJ-GROUP-NETWORK-NAME>
no protect network-group
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IPS-POLICY

Example
esr(config-ips-policy)# protect network-group LAN
CODE

rules action

The command specifies the action to apply to traffic that matches rules of this category.

The use of a negative form (no) of the command removes an assigned action.

The command applies only to rules distributed under a commercial license.

Syntax
rules action { alert | reject | pass | drop }
no rules action
Parameters:
  • alert – traffic is allowed and the IPS/IDS service generates a message;
  • reject – traffic is prohibited. For TCP traffic a TCP RST packet is sent to both the sender and the recipient; for other traffic types an ICMP error packet is sent. The IPS/IDS service generates a message;
  • pass – traffic is permitted without inspection by further rules;
  • drop – traffic is silently discarded and the IPS/IDS service generates a message.
Required privilege level

15

Command mode

CONFIG-IPS-VENDOR-CATEGORY

Example
esr(config-ips-vendor-category)# rules action drop
CODE

rules count

This command specifies how many rules of the given category the IPS/IDS service will actually load.

The use of a negative form (no) of the command removes the assigned rule count.

The command applies only to rules distributed under a commercial license.

Syntax
rules count <COUNT>
no rules count
Parameters:

<COUNT> – number of rules. The minimum value is 1, the maximum value depends on the category of rules.

The maximum number of rules by category can be seen in the context hint or with the command:

show security ips content-provider rules-info

Required privilege level

15

Command mode

CONFIG-IPS-VENDOR-CATEGORY

Example
esr(config-ips-vendor-category)# rules count 8000
CODE

security ips policy

This command creates an IPS/IDS service settings policy with a specific name and switches to the policy configuration mode.

The use of a negative form (no) of the command removes the configured policy of the IPS/IDS service settings.

Syntax
[no] security ips policy <POLICY_NAME>
Parameters

<POLICY_NAME> – IPS/IDS service policy name, specified by a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# security ips policy OFFICE
CODE

vendor

This command identifies the vendor of IPS/IDS rules distributed under a commercial license and enters the configuration mode for that vendor.

The use of a negative form (no) of the command removes the configured vendor from the IPS/IDS service settings.

Syntax
vendor <VENDOR>
no vendor <VENDOR>
Parameters

<VENDOR> – rule vendor. 

You can see the list of available vendors in the context tooltip or with a command:

show security ips content-provider rules-info

Required privilege level

15

Command mode

CONFIG-IPS-POLICY

Example
esr(config-ips-policy)# vendor kaspersky
CODE

IPS configuration

logging ips severity

This command sets the message severity level for logging IPS/IDS events.
The use of a negative form (no) of the command sets the default value.

Syntax
logging ips severity <SEVERITY>
no logging ips severity
Parameters

<SEVERITY> – message importance level, takes values (in order of decreasing importance):

  • emerg – critical error has occurred in the system, the system is not operational;
  • alert – alarms, immediate intervention by staff;
  • crit – critical system status, event reporting;
  • error – error messages;
  • warning – warnings, non-emergency messages;
  • notice – messages about important system events;
  • info – system information messages;
  • debug – debugging messages provide the user with information to correctly configure the system;
  • none – disables the output of syslog messages to the console. 
Default value

info

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# logging ips severity error
CODE

logging storage-path

This command sets the path to the directory on an external drive to which the IPS/IDS service writes its log files in EVE JSON format (the Suricata Extensible Event Format, suitable for ingestion into Elasticsearch).

The use of a negative form (no) of the command stops recording log files.

Syntax
logging storage-path <PATH>
no logging storage-path
Parameters

<PATH> – the name and path of the directory on the external drive in format of:

usb://usb_name:/[FILE]/
mmc://mmc_name:/[FILE]/

Required privilege level

15

Command mode

CONFIG-IPS

Example
esr(config-ips)# logging storage-path usb://DATA/Log/
CODE

security ips

This command creates the IPS/IDS service profile and switches to its configuration mode.

Syntax
security ips
Required privilege level

15

Command mode

CONFIG

Example
esr(config)# security ips
CODE

performance max

This command allows the IPS/IDS service to use all of the device's resources for maximum performance. Use it when the device is dedicated to IPS/IDS; do not use it when the device also performs other functions (routing, BRAS, etc.), because those services would then be starved of resources.

The use of a negative form (no) of the command frees up part of the device’s resources for use by other services.

Syntax
[no] performance max
Required privilege level

15

Command mode

CONFIG-IPS

Example
esr(config-ips)# performance max
CODE

policy

This command assigns the previously created IPS/IDS service settings policy.

The use of a negative form (no) of the command removes the assigned policy of the IPS/IDS service settings.

Syntax
policy <POLICY_NAME>
no policy
Parameters

<POLICY_NAME> – IPS service policy name, specified by a string of up to 32 characters.

Required privilege level

15

Command mode

CONFIG-IPS

Example
esr(config-ips)# policy OFFICE
CODE

service-ips enable

This command is used to enable the IPS/IDS service on the network interface.

The use of a negative form (no) of the command disables the IPS/IDS service on the network interface.

Syntax
[no] service-ips enable
Required privilege level

15

Command mode

CONFIG-GI

CONFIG-TE

CONFIG-SUBIF

CONFIG-QINQ-IF

CONFIG-PORT-CHANNEL

CONFIG-BRIDGE

Example
esr(config-if-gi)# service-ips enable
CODE

Configuring auto-updating of IPS/IDS rules distributed under a commercial license

content-provider

This command switches to the configuration mode of the source of rule updates distributed under a commercial license.

Syntax
content-provider
Required privilege level

15

Command mode

CONFIG

Example
esr(config)# content-provider
CODE

host address

This command specifies the address of the server for rule updates distributed under a commercial license.

Syntax
host address { <ADDR> | <IPV6-ADDR> | <HOSTNAME> }
Parameters

<ADDR> – device IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – device IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<HOSTNAME> – user DNS name, set by the string of up to 255 characters;

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example
esr(config-content-provider)# host address edm.eltex-co.ru
CODE

host port

This command specifies the TCP port number of the server for rule updates distributed under a commercial license.

Syntax
host port <PORT> 
Parameters

<PORT> – TCP port number, may take values [1..65535];

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example
esr(config-content-provider)# host port 8098
CODE

reboot

This command sets when the device reboots after receiving the system license. The reboot happens once, on the first connection to the commercial rule update server, when the license is received.

If an IPS/IDS license is already active, no reboot occurs.

Syntax
reboot { immediately | time <TIME> } 
Parameters

immediately – reboot immediately after receiving a license;

time <TIME> – restart at a specified time <TIME>;

<TIME> – reboot time in format of HH:MM:SS.

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example
esr(config-content-provider)# reboot time 05:00:00
CODE

storage-device

This command specifies the name of the external drive on which encrypted IPS/IDS rules distributed under a commercial license will be stored.

The use of a negative form (no) of the command stops rule saving.

Syntax
storage-device <PATH>
no storage-device
Parameters

<PATH> – name of external drive in format of:

usb://usb_name:/
mmc://mmc_name:/


Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example
esr(config-content-provider)# storage-device usb://DATA
CODE

upgrade interval

The command specifies the frequency with which the device will check for updates of IPS/IDS rules distributed under a commercial license.

The use of a negative form (no) of the command sets the default value.

Syntax
upgrade interval <HOURS>
no upgrade interval
Parameters

<HOURS> – update interval in hours, from 1 to 240.

Default value

24

Required privilege level

15

Command mode

CONFIG-CONTENT-PROVIDER

Example
esr(config-content-provider)# upgrade interval 36
CODE

Configuration of IPS/IDS rules autoupdate from external sources

auto-upgrade

This command switches to the configuration mode of the sources of rule updates for the service.

Syntax
auto-upgrade
Required privilege level

15

Command mode

CONFIG-IPS

Example
esr(config-ips)# auto-upgrade
CODE

upgrade interval

This command sets how often the device checks this URL for updates of IPS/IDS rules and/or the IPS/IDS classifier file.

The use of a negative form (no) of the command sets the default value.

Syntax
upgrade interval <HOURS>
no upgrade interval
Parameters

<HOURS> – update interval in hours, from 1 to 240.

Default value

24

Required privilege level

15

Command mode

CONFIG-IPS-UPGRADE-USER-SERVER

Example
esr(config-ips-upgrade-user-server)# upgrade interval 36
CODE

url

The command specifies the URL of the rule update source.

The use of a negative form (no) of the command removes the link from the IPS/IDS rule update source configuration.

Syntax
url <URL>
no url
Parameters

<URL> – text field containing the URL, 8 to 255 characters long.

The URL may point to:

  • a rule file with the .rule extension;
  • a rule classifier file named classification.config;
  • a directory on the server containing rule files and/or a rule classifier file.

Prefer an https:// URL where the source offers one: the device records only an MD5 of the files it received (see show security ips user-server), which shows that a feed changed but does not by itself prove that the download came from the intended source.
Required privilege level

15

Command mode

CONFIG-IPS-UPGRADE-USER-SERVER

Example
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/
CODE

user-server

This command sets the name of the user IPS/IDS rule update server and switches to the configuration mode of the user update server settings.

The use of a negative form (no) of the command removes the user IPS/IDS rule update server and all the rules received from this server.

Syntax
user-server <WORD>
no user-server { <WORD> | all }
Parameters

<WORD> – server name, specified by the string from 1 to 64 characters long.

Required privilege level

15

Command mode

CONFIG-IPS-AUTO-UPGRADE

Example
esr(config-ips-auto-upgrade)# user-server ET-Open
CODE

User IPS/IDS rules configuration

action

The command specifies the action to apply to traffic that matches this rule.

The use of a negative form (no) of the command removes an assigned action.

Syntax
action { alert | reject | pass | drop }
no action
Parameters:
  • alert – traffic is allowed and the IPS/IDS service generates a message;
  • reject – traffic is prohibited. For TCP traffic a TCP RST packet is sent to both the sender and the recipient; for other traffic types an ICMP error packet is sent. The IPS/IDS service generates a message;
  • pass – traffic is permitted without inspection by further rules;
  • drop – traffic is silently discarded and the IPS/IDS service generates a message.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# action reject
CODE

destination-address

The command sets destination IP addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
destination-address { ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
no destination-address
Parameters

<ADDR> – receiver IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

<OBJ_GR_NAME> – name of IP addresses profile that contains destination IP address, set by the string of up to 31 characters;

destination-address policy-object-group protect – sets protect addresses defined in IPS/IDS policy as destination addresses;

destination-address policy-object-group external – sets external addresses defined in IPS/IDS policy as destination addresses;

When specifying the 'any' value, the rule will be triggered for any destination IP address.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# destination-address ip 10.10.10.1
CODE

destination-port

The command sets the destination TCP/UDP port number for which the rule should work.

The use of a negative form (no) of the command removes the assignment.

Syntax
destination-port { any | <PORT> | object-group <OBJ-GR-NAME> }
no destination-port
Parameters

<PORT> – number of destination TCP/UDP port, takes values of [1..65535];

<OBJ_GR_NAME> – destination TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# destination-port 22
CODE

direction

This command sets traffic direction for which the rule should be triggered.

The use of a negative form (no) of the command removes the assignment.

Syntax
direction { one-way | round-trip }
no direction
Parameters
  • one-way – the rule matches traffic flowing from the source to the destination only;
  • round-trip – the rule matches traffic flowing in both directions between source and destination.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# direction one-way
CODE

ip dscp

This command sets the value of the DSCP code, the traffic of which will be processed in this rule.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip dscp <DSCP>
[no] ip dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip dscp 8
CODE

ip ftp command

This command sets the FTP command keyword for which the rule should be triggered.

This command is applicable only when protocol ftp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip ftp command <COMMAND>
[no] ip ftp command
Parameters

<COMMAND> – can take the following values:

  • <retr> – download file;
  • <stor> – upload file;
  • <mkd> – create directory;
  • <rmd> – remove directory;
  • <appe> – add to the end of the file (with creation);
  • <allo> – allocate space on disk;
  • <dele> – delete file.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# protocol ftp
esr(config-ips-category-rule)# ip ftp command allo
CODE

ip ftp-data command

This command sets the FTP-DATA command keyword for which the rule should be triggered.

This command is applicable only when protocol ftp-data is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip ftp-data command <COMMAND>
[no] ip ftp-data command
Parameters

<COMMAND> – can take the following values:

  • <retr> – download file;
  • <stor> – upload file;
  • <appe> – add to the end of the file (with creation).
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# protocol ftp-data
esr(config-ips-category-rule)# ip ftp-data command stor
CODE

ip http

This command sets the HTTP keyword values for which the rule should be triggered.

This command is applicable only when protocol http is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip http <COMMAND>
[no] ip http
Parameters

<COMMAND> – can take the following values:

  • accept;
  • accept-enc;
  • accept-lang;
  • client-body;
  • connection;
  • content-len;
  • content-type;
  • cookie;
  • file-data;
  • header;
  • header-names;
  • host;
  • protocol;
  • referer;
  • request-line;
  • response-line;
  • server-body;
  • start;
  • stat-code;
  • stat-msg;
  • uri;
  • urilen <VALUE>;
  • urilen comparison-operator { greater-than | less-than};
  • user-agent.

The meaning and use of these HTTP keywords are described in detail in the Snort 2.x / Suricata 4.x documentation.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload content "HTTP/1.0"
esr(config-ips-category-rule)# ip http protocol
CODE

ip http content-filter

This command is used to assign a content filtering category profile. The current rule will be triggered for http sites that belong to the categories set in this profile.

The content filtering profile must be pre-created.

This command is applicable only when protocol http is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip http content-filter <NAME>
[no] ip http content-filter
Parameters

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

any – rule will trigger for http sites of any category.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip http content-filter Black-List
CODE

ip http method

This command sets the HTTP request method for which the rule should be triggered.

This command is applicable only when protocol http is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip http method <COMMAND>
[no] ip http method
Parameters

<COMMAND> – can take the following values:

  • <GET> – requests a representation of the resource; requests using this method only retrieve data;
  • <HEAD> – requests the resource in the same way as GET, but without the response body;
  • <POST> – submits data to the specified resource;
  • <PUT> – replaces the current representation of the resource with the request body;
  • <DELETE> – deletes the specified resource;
  • <CONNECT> – establishes a tunnel to the server identified by the resource;
  • <OPTIONS> – describes the communication options available for the resource;
  • <TRACE> – performs a message loop-back test along the path to the resource;
  • <PATCH> – applies partial modifications to the resource.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip http method get
CODE

ip icmp code

This command sets the ICMP CODE value at which the rule will be triggered.

This command is applicable only when protocol icmp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip icmp code <CODE>
[no] ip icmp code
Parameters

<CODE> – ICMP CODE value, takes a value in the range [0..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip icmp code 5
CODE

ip icmp code comparison-operator

Comparison operator for the ip icmp code command; applicable only together with that command.

The use of a negative form (no) of the command cancels the comparison.

Syntax
ip icmp code comparison-operator { greater-than | less-than }
[no] ip icmp code comparison-operator
Parameters
  • greater-than – greater than;
  • less-than – less than.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip icmp code 5
esr(config-ips-category-rule)# ip icmp code comparison-operator less-than
CODE

ip icmp id

This command sets the ICMP ID value at which the rule will be triggered.

This command is applicable only when protocol icmp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip icmp id <ID>
[no] ip icmp id
Parameters

<ID> – ICMP ID value, takes a value in the range [0..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip icmp id 65000
CODE

ip icmp sequence-id

This command sets the ICMP sequence-ID value at which the rule will be triggered.

This command is applicable only when protocol icmp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip icmp sequence-id <SEQ-ID>
[no] ip icmp sequence-id
Parameters

<SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip icmp sequence-id 8388608
CODE

ip icmp type

This command sets the ICMP TYPE value at which the rule will be triggered.

This command is applicable only when protocol icmp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip icmp type <TYPE>
[no] ip icmp type
Parameters

<TYPE> – ICMP TYPE value, takes a value in the range [0..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip icmp type 12
CODE

ip icmp type comparison-operator

Comparison operator for the ip icmp type command; applicable only together with that command.

The use of a negative form (no) of the command cancels the comparison.

Syntax
ip icmp type comparison-operator { greater-than | less-than }
[no] ip icmp type comparison-operator
Parameters
  • greater-than – greater than;
  • less-than – less than.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip icmp type 14
esr(config-ips-category-rule)# ip icmp type comparison-operator greater-than
CODE

ip protocol-id

This command sets the IP protocol number (the Protocol field of the IPv4 header) of the traffic to be processed by this rule.

This command is applicable only when protocol any is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip protocol-id <ID>
[no] ip protocol-id
Parameters

<ID> – IP protocol number, takes values in the range [1..255] (for example 6 for TCP, 17 for UDP, 1 for ICMP).

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip protocol-id 250
CODE

ip tcp acknowledgment-number

This command sets the TCP Acknowledgment-Number at which the rule will be triggered.

This command is applicable only when protocol tcp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip tcp acknowledgment-number <ACK-NUM>
[no] ip tcp acknowledgment-number
Parameters

<ACK-NUM> – TCP Acknowledgment-Number value, takes a value in the range [0..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip tcp acknowledgment-number 32
CODE

ip tcp sequence-id

This command sets the TCP Sequence-ID value at which the rule will be triggered.

This command is applicable only when protocol tcp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip tcp sequence-id <SEQ-ID>
[no] ip tcp sequence-id
Parameters

<SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip tcp sequence-id 2542
CODE

ip tcp window-size

This command sets the TCP Window Size at which the rule will be triggered.

This command is applicable only when protocol tcp is set.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip tcp window-size <SIZE>
[no] ip tcp window-size
Parameters

<SIZE> – TCP Window-Size value, takes a value in the range [1..65535]

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip tcp window-size 50
CODE

ip ttl

This command sets the IP TTL (time to live) value of the packets to be processed by this rule.

The use of a negative form (no) of the command cancels the assignment.

Syntax
ip ttl <TTL>
[no] ip ttl
Parameters

<TTL> – IP packet TTL, takes values in the range [1..255].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip ttl 8
CODE

ip ttl comparison-operator

Sets the comparison operator applied to the value configured with the ip ttl command; applicable only in conjunction with that command. Without it, the rule matches packets whose TTL equals the configured value exactly.

The use of a negative form (no) of the command removes the comparison operator.

Syntax
ip ttl comparison-operator { greater-than | less-than }
[no] ip ttl comparison-operator
Parameters
  • greater-than – greater than;
  • less-than – less than.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# ip ttl 5
esr(config-ips-category-rule)# ip ttl comparison-operator less-than
CODE

meta classification-type

This command defines the classification of the event that the IPS/IDS service will generate when the rule will be triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax
meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | successful-recon-limited | successful-recon-largescale | attempted-dos | successful-dos | attempted-user | unsuccessful-user | successful-user | attempted-admin | successful-admin | rpc-portmap-decode | shellcode-detect | string-detect | suspicious-filename-detect | suspicious-login | system-call-detect | tcp-connection | trojan-activity | unusual-client-port-connection | network-scan | denial-of-service | non-standard-protocol | protocol-command-decode | web-application-activity | web-application-attack | misc-activity | misc-attack | icmp-event | inappropriate-content | policy-violation | default-login-attempt }
[no] meta classification-type
Parameters
  • not-suspicious – not suspicious traffic;
  • unknown – unknown traffic;
  • bad-unknown – potentially bad traffic;
  • attempted-recon – information leak attempt;
  • successful-recon-limited – information leak;
  • successful-recon-largescale – large-scale information leak;
  • attempted-dos – denial of service attempt;
  • successful-dos – denial of service;
  • attempted-user – attempt to obtain user privileges;
  • unsuccessful-user – unsuccessful attempt to obtain user privileges;
  • successful-user – successful attempt to obtain user privileges;
  • attempted-admin – attempt to obtain admin privileges;
  • successful-admin – successful attempt to obtain admin privileges;
  • rpc-portmap-decode – RPC request decoding;
  • shellcode-detect – executable code detected;
  • string-detect – suspicious string detected;
  • suspicious-filename-detect – suspicious filename was detected;
  • suspicious-login – attempt to log in using a suspicious username was detected;
  • system-call-detect – system call was detected;
  • tcp-connection – TCP connection was detected;
  • trojan-activity – network Trojan was detected;
  • unusual-client-port-connection – the client used an unusual port;
  • network-scan – network scan was detected;
  • denial-of-service – denial of service attack was detected;
  • non-standard-protocol – non-standard protocol or event was detected;
  • protocol-command-decode – generic protocol command decode;
  • web-application-activity – access to a potentially vulnerable web application;
  • web-application-attack – attack on web application;
  • misc-activity – other activity;
  • misc-attack – other attacks;
  • icmp-event – general ICMP event;
  • inappropriate-content – inappropriate content was detected;
  • policy-violation – potential breach of corporate privacy;
  • default-login-attempt – login attempt using a standard login/password.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# meta classification-type misc-attack
CODE

meta log-message

This command defines the text message that the IPS/IDS service will generate when the rule will be triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax
meta log-message <MESSAGE>
[no] meta log-message
Parameters

<MESSAGE> – text message, specified by a string of up to 128 characters.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# meta log-message "Possible Slowloris attack"
CODE

payload content

This command specifies a pattern to search for in the packet payload; if the payload contains it, the rule is triggered.

The use of a negative form (no) of the command cancels the assignment.

Syntax
payload content <CONTENT>
[no] payload content <CONTENT>
Parameters

<CONTENT> – pattern to search for in the packet payload, specified by a string of up to 1024 characters.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload content "virus"
CODE

payload data-size

This command sets the packet payload size, in bytes, at which the rule will be triggered. Without a payload data-size comparison-operator, the rule matches packets whose payload is exactly <SIZE> bytes.

The use of a negative form (no) of the command cancels the assignment.

Syntax
payload data-size <SIZE>
[no] payload data-size
Parameters

<SIZE> – packet payload size in bytes, takes values in the range of [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload data-size 1024
CODE

payload data-size comparison-operator

Sets the comparison operator applied to the value configured with the payload data-size command; applicable only in conjunction with that command.

The use of a negative form (no) of the command cancels the comparison.

Syntax
payload data-size comparison-operator { greater-than | less-than }
[no] payload data-size comparison-operator
Parameters
  • greater-than – greater than;
  • less-than – less than.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload data-size 1024
esr(config-ips-category-rule)# payload data-size comparison-operator less-than
CODE

payload depth

This command specifies how many bytes from the beginning of the packet payload are searched for the pattern set by payload content. This command is used in conjunction with the payload content command only. It can be used in conjunction with the payload offset command.

The use of a negative form (no) of the command means that the whole packet payload is searched for the pattern.

Syntax
payload depth <DEPTH>
[no] payload content depth
Parameters

<DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload content "abc"
esr(config-ips-category-rule)# payload depth 3
CODE

Packets whose payload begins with 'abc', for example 'abcdef', 'abc123' or 'abcabcabc', will match the rule.

payload no-case

This command makes the pattern set by payload content match regardless of letter case (case-insensitive matching). This command is used in conjunction with the payload content command only.

The use of a negative form (no) of the command restores case-sensitive matching.

Syntax
payload no-case
[no] payload content no-case
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload content "virus"
esr(config-ips-category-rule)# payload no-case
CODE

Packets whose payload contains 'virus' in any letter case, for example 'virus', 'VIRUS' or 'ViRuS', will match the rule.

payload offset

This command specifies the offset, in bytes, from the beginning of the packet payload at which the search for the pattern set by payload content begins. This command is used in conjunction with the payload content command only. It can be used in conjunction with the payload depth command.

The use of a negative form (no) of the command means that the search begins at the start of the payload.

Syntax
payload offset <OFFSET>
[no] payload content offset
Parameters

<OFFSET> – the number of offset bytes from the beginning of the packet payload, takes a value in the range [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# payload content "abc"
esr(config-ips-category-rule)# payload depth 6
esr(config-ips-category-rule)# payload offset 3
CODE

Packets whose payload contains 'abc' within the search window set by the offset and depth, for example '123abcdef', 'defabc' or 'abcabcabc', will match the rule.
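The four payload commands above (payload content, payload depth, payload offset, payload no-case) describe a simple search window over the packet payload. The following Python is an added illustration, not ESR code, that evaluates such a rule against constructed payloads, including the page's own three examples. It assumes Snort/Suricata-style semantics: the window starts at the offset (0 when none is set) and extends depth bytes from there (to the end of the payload when no depth is set); the rule matches when the pattern occurs anywhere inside that window.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PayloadRule:
    """One user-defined rule's payload settings (added illustration, not ESR code)."""
    content: bytes                 # payload content
    offset: Optional[int] = None   # payload offset; None = start of payload
    depth: Optional[int] = None    # payload depth;  None = to end of payload
    no_case: bool = False          # payload no-case

    def matches(self, payload: bytes) -> bool:
        # Assumed Snort/Suricata-style window: starts at offset, depth bytes long.
        start = self.offset or 0
        end = len(payload) if self.depth is None else start + self.depth
        window = payload[start:end]
        needle = self.content
        if self.no_case:
            window, needle = window.lower(), needle.lower()
        return needle in window


def match_all(rule: PayloadRule, payloads: list[bytes]) -> dict[bytes, bool]:
    """Evaluate one rule against several payloads; returns payload -> matched."""
    return {p: rule.matches(p) for p in payloads}


# The page's three examples, as rule objects.
DEPTH_RULE = PayloadRule(content=b"abc", depth=3)              # payload content "abc"; payload depth 3
NOCASE_RULE = PayloadRule(content=b"virus", no_case=True)      # payload content "virus"; payload no-case
OFFSET_RULE = PayloadRule(content=b"abc", offset=3, depth=6)   # payload content "abc"; depth 6; offset 3

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "depth 3": (DEPTH_RULE, [b"abcdef", b"abc123", b"abcabcabc", b"xabc"]),
    "no-case": (NOCASE_RULE, [b"virus", b"VIRUS", b"ViRuS", b"viru5"]),
    "offset 3 depth 6": (OFFSET_RULE, [b"123abcdef", b"defabc", b"abcabcabc", b"abcxyz"]),
}

if __name__ == "__main__":
    for name, (rule, payloads) in SAMPLES.items():
        for payload, hit in match_all(rule, payloads).items():
            print(f"{name:18} {payload!r:14} -> {'match' if hit else 'no match'}")
```

The 'xabc' and 'abcxyz' payloads show the failure side of each window: with depth 3 the pattern must start at byte 0, and with offset 3 the bytes before the offset are never inspected.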

protocol

The command sets the protocol for which the rule applies. The use of a negative form (no) of the command cancels the assignment.

Syntax
protocol { any | ip | icmp | http | tcp | udp | ftp | ftp-data }
[no] protocol
Parameters
  • any – the rule will be triggered for any protocol;
  • ip – the rule will be triggered for IP. Additional filtering can be configured in the rule with the ip protocol-id command;
  • icmp – the rule will be triggered for ICMP. When this option is selected, source-port and destination-port must be set to any. Additional filtering can be configured in the rule with the ip icmp commands;
  • http – the rule will be triggered for HTTP. Additional filtering can be configured in the rule with the ip http commands;
  • tcp – the rule will be triggered for TCP. Additional filtering can be configured in the rule with the ip tcp commands;
  • udp – the rule will be triggered for UDP. Additional filtering can be configured in the rule with the ip udp commands;
  • ftp – the rule will be triggered for FTP. Additional filtering can be configured in the rule with the ip ftp commands;
  • ftp-data – the rule will be triggered for the FTP data channel. Additional filtering can be configured in the rule with the ip ftp-data commands.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# protocol udp
CODE

rule

The command creates a rule and switches to CONFIG-IPS-CATEGORY-RULE configuration mode. The device processes the rules in ascending order of their numbers.

The use of a negative form (no) of the command removes a specified rule.

Syntax
[no] rule <ORDER>
Parameters

<ORDER>  – rule number, takes values of [1..512].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY

Example
esr(config-ips-category)# rule 10
esr(config-ips-category-rule)#
CODE

security ips-category user-defined

This command creates a named set (category) of user-defined IPS/IDS rules and switches to the configuration mode of this set.

The use of a negative form (no) of the command removes the specified user-defined rule set.

Syntax
[no] security ips-category user-defined <CATEGORY_NAME>
Parameters

<CATEGORY_NAME> – name of the set of IPS/IDS service user rules, specified by a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# security ips-category user-defined PROTOCOL
esr(config-ips-category)#
CODE

source-address

The command sets source IP addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
no source-address
Parameters

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of the IP address object group (profile) containing the source addresses, set by the string of up to 31 characters.

policy-object-group protect – uses the protected addresses defined in the IPS/IDS policy as source addresses;

policy-object-group external – uses the external addresses defined in the IPS/IDS policy as source addresses.

When specifying the 'any' value, the rule will be triggered for any source IP address.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# source-address ip-prefix 192.168.0.0/16
CODE

source-port

The command sets the source TCP/UDP port number for which the rule should work.

The use of a negative form (no) of the command removes the assignment.

Syntax
source-port { any | <PORT> | object-group <OBJ_GR_NAME> }
no source-port
Parameters

<PORT> – number of source TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – name of the TCP/UDP port object group (profile) containing the source ports, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# source-port 22
CODE

threshold count

This command specifies the threshold number of packets at which the rule will be triggered.

The use of a negative form (no) of the command removes the assignment.

Syntax
threshold count <COUNT>
[no] threshold count 
Parameters

<COUNT> – number of packets, takes values in the range of [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# threshold count 1024
CODE

threshold second

This command sets the time interval, in seconds, over which the packets counted by threshold count are accumulated. This command is used in conjunction with the threshold count command only.

The use of a negative form (no) of the command removes the assignment.

Syntax
threshold second <SECOND>
[no] threshold second
Parameters

<SECOND> – time interval in seconds, takes values in the range of [1..65535].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# threshold second 1
CODE

threshold track

This command specifies whether the threshold counter is kept separately for each source IP address or for each destination IP address. This command is used in conjunction with the threshold count command only.

The use of a negative form (no) of the command removes the assignment.

Syntax
threshold track { by-src | by-dst }
[no] threshold track
Parameters
  • by-src – count matching packets separately for each source IP address;
  • by-dst – count matching packets separately for each destination IP address.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# threshold track by-src
CODE

threshold type

This command sets the threshold processing method. This command is used in conjunction with the threshold count command only.

The use of a negative form (no) of the command removes the assignment.

Syntax
threshold type { threshold | limit | both }
[no] threshold type
Parameters
  • threshold – generate a message every time <COUNT> matching packets have been seen within the <SECOND> interval, i.e. on every <COUNT>-th packet;
  • limit – generate a message for no more than the first <COUNT> matching packets within the <SECOND> interval, then stay silent until the interval expires;
  • both – combination of threshold and limit. A message is generated if during the <SECOND> interval there were <COUNT> or more packets matching the rule conditions, and it is generated only once per interval.
Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE

Example
esr(config-ips-category-rule)# threshold count 1024
esr(config-ips-category-rule)# threshold second 1
esr(config-ips-category-rule)# threshold track by-src
esr(config-ips-category-rule)# threshold type threshold
CODE

With this configuration a message is generated on every 1024th matching packet (the 1024th, 2048th, and so on) received within a 1-second interval from the same source IP address.
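The three threshold types, together with threshold count, threshold second and threshold track, are easiest to compare by running them over the same packet stream. The Python below is an added illustration, not ESR code; it mirrors the Snort/Suricata threshold keyword that these options correspond to, with one simplification (a new interval starts with the first packet seen after the previous interval has expired). The packet events are constructed, and the last case reproduces the page's own example (count 1024, second 1, track by-src, type threshold).

```python
from __future__ import annotations


class Threshold:
    """Evaluates threshold count / second / track / type for one rule
    (added illustration, not ESR code; mirrors the Snort/Suricata threshold
    keyword the page's options correspond to)."""

    def __init__(self, kind: str, count: int, seconds: float, track: str = "by-src"):
        if kind not in ("threshold", "limit", "both"):
            raise ValueError(f"unknown threshold type {kind!r}")
        if track not in ("by-src", "by-dst"):
            raise ValueError(f"unknown track {track!r}")
        self.kind, self.count, self.seconds, self.track = kind, count, seconds, track
        # tracked address -> [interval_start, packets_in_interval, already_alerted]
        self._state: dict[str, list] = {}

    def observe(self, ts: float, src: str, dst: str) -> bool:
        """Feed one packet that matched the rule's other conditions.
        Returns True when a message (event) is generated for it."""
        key = src if self.track == "by-src" else dst
        st = self._state.get(key)
        if st is None or ts - st[0] >= self.seconds:
            # Simplification: a new interval starts with the first packet
            # seen after the previous interval expired.
            st = self._state[key] = [ts, 0, False]
        st[1] += 1
        n = st[1]
        if self.kind == "threshold":
            return n % self.count == 0            # every <count>-th packet
        if self.kind == "limit":
            return n <= self.count                # first <count> packets only
        if n >= self.count and not st[2]:         # both: once per interval
            st[2] = True
            return True
        return False


def run(kind: str, events: list[tuple[float, str, str]],
        count: int = 3, seconds: float = 1, track: str = "by-src") -> list[int]:
    """Return 1-based indices of the events that generated a message."""
    th = Threshold(kind, count, seconds, track)
    return [i for i, (ts, src, dst) in enumerate(events, 1) if th.observe(ts, src, dst)]


# Constructed events (timestamp_s, src, dst): seven packets from 10.0.0.1
# inside one second, then one packet from 10.0.0.2 to the same destination.
EVENTS = [(0.1 * i, "10.0.0.1", "192.0.2.10") for i in range(7)] + [(0.8, "10.0.0.2", "192.0.2.10")]

if __name__ == "__main__":
    for kind in ("threshold", "limit", "both"):
        print(f"type {kind:9} count 3 second 1 by-src -> fires on packets {run(kind, EVENTS)}")
    print("type threshold count 4 by-dst ->", run("threshold", EVENTS, count=4, track="by-dst"))
    # The page's own example: count 1024, second 1, by-src, type threshold
    burst = [(0.0, "10.0.0.1", "192.0.2.10")] * 2048
    print("count 1024 over 2048 packets ->", run("threshold", burst, count=1024))
```

Note how track changes the result for the same stream: by-src keeps one counter per sender, so the single packet from 10.0.0.2 starts its own count, while by-dst pools all eight packets under 192.0.2.10.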

Extended user rules configuration

rule-advanced

The command creates an extended rule and switches to CONFIG-IPS-CATEGORY-RULE-ADVANCED configuration mode. The device processes the rules in ascending order of their numbers.

The use of a negative form (no) of the command removes a specified rule.

Syntax
[no] rule-advanced <ORDER>
Parameters

<ORDER> – rule number, takes values of [1..4294967295].

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY

Example
esr(config-ips-category)# rule-advanced 10
esr(config-ips-category-rule-advanced)#
CODE

rule-text

This command defines the traffic processing rule in Snort 2.X/Suricata 4.X rule format.

The use of a negative form (no) of the command cancels the assignment.

Syntax
rule-text <LINE>
[no] rule-text
Parameters

<LINE> – rule text in Snort 2.X/Suricata 4.X format, specified by a string of up to 1024 characters.

Because the rule text is itself enclosed in double quotes on the command line, every double quote character (") inside the rule (for example around msg and content values) must be replaced with a single quote (').

Required privilege level

15

Command mode

CONFIG-IPS-CATEGORY-RULE-ADVANCED

Example
esr(config-ips-category-rule-advanced)# rule-text "alert tcp any any -> $HOME_NET any (msg: 'ATTACK [PTsecurity] Attempt to crash named using malformed RNDC packet'; flow: established, to_server; content:'_auth'; depth: 20; fast_pattern; content: !'|02 00 00 00|'; within: 4; content: '_ctrl'; content: '_ser'; content: '_tim'; content: '_exp'; reference: cve, 2016-1285; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10000005; rev: 3; )"
CODE
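The quote conversion that rule-text requires is mechanical but easy to get wrong on long rules. The following Python is an added illustration, not ESR code: it parses a Snort 2.x/Suricata 4.x rule into its header and option list (respecting quoted values), checks the 1024-character limit stated above, rewrites the double quotes around msg and content values as single quotes and wraps the result as a rule-text command line. The sample rule is constructed for this example, and nothing here has been validated against a device.

```python
from __future__ import annotations

import re

MAX_RULE_TEXT = 1024   # <LINE> length limit stated by the page

# Snort/Suricata rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


def split_options(body: str) -> list[tuple[str, str | None]]:
    """Split 'key:value; flag; ...' into (key, value) pairs.
    A ';' inside a quoted value or preceded by a backslash does not split."""
    pairs: list[tuple[str, str | None]] = []
    cur: list[str] = []
    quoted = escaped = False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            item = "".join(cur).strip()
            cur = []
            if item:
                key, sep, value = item.partition(":")
                pairs.append((key.strip(), value.strip() if sep else None))
        else:
            cur.append(ch)
    if "".join(cur).strip():
        raise ValueError("last option is not terminated by ';'")
    return pairs


def parse_rule(rule: str) -> dict:
    """Header fields plus the option list of one rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort/Suricata-style rule")
    parsed = m.groupdict()
    parsed["options"] = split_options(parsed.pop("options"))
    return parsed


def to_rule_text(rule: str) -> str:
    """Build the CLI line for rule-text: the rule's double quotes become single
    quotes and the whole rule is wrapped in double quotes, as the page requires."""
    parse_rule(rule)  # fail early on a malformed rule
    if '\\"' in rule:
        # The page does not say how a literal quote inside content is written; refuse rather than guess.
        raise ValueError("escaped double quote inside the rule is not covered by the documented conversion")
    body = rule.strip().replace('"', "'")
    if len(body) > MAX_RULE_TEXT:
        raise ValueError(f"rule is {len(body)} characters, limit is {MAX_RULE_TEXT}")
    return f'rule-text "{body}"'


# Constructed sample rule (not taken from any published ruleset).
SAMPLE_RULE = (
    'alert udp any any -> $HOME_NET 53 ('
    'msg:"TEST DNS query with long TXT record request"; '
    'content:"|00 10 00 01|"; offset:12; depth:200; '
    'threshold:type both, track by_src, count 20, seconds 60; '
    'classtype:bad-unknown; sid:9000001; rev:1;)'
)

if __name__ == "__main__":
    print(to_rule_text(SAMPLE_RULE))
```

The parse step is what makes the conversion safe: a rule whose options are not terminated by ';' or whose header does not have the seven expected fields is rejected before it is ever pasted into the CLI.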