Security management. Firmware version 1.13.0

1

Set local as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

2

Set enable as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1> [ <METHOD 2> ]
[ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

3

Set the method for iterating over authentication methods (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

4

Specify the number of failed authentication attempts to block the user login and time of the lock (optional)

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:
<COUNT> – 5; <TIME> – 300

5

Enable request for change the default password for the ‘admin’ user (optional)

esr(config)# security passwords default-expired

6

Enable the inhibit mode on the use of previously set local user passwords (optional)

esr(config)# security passwords history <COUNT>

<COUNT> – number of passwords saved in the router memory. Takes values in the range of [1..15].

Default value: 0

7

Set the lifetime of local user password (optional)

esr(config)# security passwords lifetime <TIME>

<TIME> – password lifetime in days. Takes values in the range of [1..365].

Default: The lifetime of local user password is unlimited.

8

Set a limit on the minimum length of local user password and ENABLE password (optional)

esr(config)# security passwords min-length <NUM>

<NUM> – minimum number of characters in the password. Takes values in the range of [8..128].

Default value: 0

9

Set a limit on the maximum length of local user password and ENABLE password (optional)

esr(config)# security passwords max-length <NUM>

<NUM> – maximum number of characters in the password. Takes values in the range of [8..128].

Default value: no limit.

10

Set the minimum number of character types that must be present in the local user password and ENABLE password (optional)

esr(config)# security passwords symbol-types <COUNT>

<COUNT> – minimum number of character types in the password. Takes values in the range of [1..4].

Default value: 1

11

Set the minimum number of lower case letters in the local user password and ENABLE password (optional)

esr(config)# security passwords lower-case <COUNT>

<COUNT> – minimum number of lower case letters in the local user password and ENABLE password. Takes values in the range of [0..128].

Default value: 0

12

Set the minimum number of upper case letters in the local user password and ENABLE password (optional)

esr(config)# security passwords upper-case <COUNT>

<COUNT> – minimum number of upper case letters in the password. Takes values in the range of [0..128].

Default value: 0

13

Set the minimum number of digits in the local user password and ENABLE password (optional)

esr(config)# security passwords numeric-count <COUNT>

<COUNT> – minimum number of digits in the password. Takes values in the range of [0..128].

Default value: 0

14

Set the minimum number of special characters in the local user password and ENABLE password (optional)

esr(config)# security passwords special-case <COUNT>

<COUNT> – minimum number of special characters in the password. Takes values in the range of [0..128].

Default value: 0

15

Add user in the local database and switch to the user parameters configuration mode

esr(config)# username <NAME>

<NAME> – user name, set by the string of up to 31 characters.

16

Set user password

esr(config-user)# password { <CLEAR-TEXT> | encrypted <HASH_SHA512> }

<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F];

<HASH_SHA512> – hash password via sha512 algorithm, set by the string of 110 characters.

17

Set user privileges level

esr(config-user)# privilege <PRIV>

<PRIV> – required privilege level. Takes values in the range of [1..15].

18

Switch to the corresponding terminal configuration mode

esr(config)# line console

or

esr(config)# line telnet

or

esr(config)# line ssh

19

Activate user login authentication list

esr(config-line-ssh)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters.

20

Activate authentication list of user privileges elevation

esr(config-line-ssh)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters.

21

Set the interval after which the idle session will be terminated

esr(config-line-ssh)# exec-timeout <SEC>

<SEC> – time interval in minutes, takes values of [1..65535].

1

Set the DSCP code global value for the use in IP headers of RADIUS server egress packets (optional).

esr(config)# radius-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global number of iterative queries to the last active RADIUS server (optional).

esr(config)# radius-server retransmit <COUNT>

<COUNT> – amount of iterative requests to RADIUS server, takes values of [1..10].

Default value: 1.

3

Set the global value of the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config)# radius-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

4

Add RADIUS server to the list of used servers and switch to its configuration mode.

esr(config)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
esr(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of  [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

5

Specify the number of failed authentication attempts to block the user login and time of the lock (optional).

aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in seconds, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

6

Set the password for authentication on remote RADIUS server.

esr(config-radius-server)# key ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

7

Prioritize the use of a remote RADIUS server (optional).

esr(config-radius-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

8

Set the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config-radius-server)# timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: global timer value is used.

9

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted RADIUS packets.

esr(config-radius-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

10

Set radius as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

11

Set radius as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

• default – default list name.

<METHOD> – authentication methods:

• enable – authentication by enable passwords;
• tacacs – authentication by TACACS;
• radius – authentication by RADIUS;
• ldap – authentication by LDAP.

12

Set the method for iterating over authentication methods (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

13

Configure radius in the list of user session accounting methods (optional).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

• tacacs – session accounting by TACACS;
• radius – session accounting by RADIUS.

14

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

• console – local console;
• ssh – secure remote console.

15

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 8.

16

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 9.

1

Set the DSCP code global value for the use in IP headers of TACACS server egress packets (optional).

esr(config)# tacacs-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global value of the interval after which the router assumes that the TACACS server is not available (optional).

esr(config)# tacacs-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Add TACACS server to the list of used servers and switch to its configuration mode.

esr(config)# tacacs -server host
{ <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

esr(config-tacacs-server)#

<IP-ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

4

Specify the number of failed authentication attempts to block the user login and time of the lock (optional)

aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

5

Set the password for authentication on remote TACACS server.

esr(config-tacacs-server)# key ascii-text  { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

6

Set the port number to communicate with remote TACACS server (optional).

esr(config-tacacs-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 49 for TACACS server.

7

Prioritize the use of a remote TACACS server (optional).

esr(config-tacacs-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

8

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted TACACS packets.

esr(config-tacacs-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

9

Set TACACS as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME><METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

• default – default list name.

<METHOD> – authentication methods:

• enable – authentication by enable passwords;
• tacacs – authentication by TACACS;
• radius – authentication by RADIUS;
• ldap – authentication by LDAP.

10

Set the method for iterating over authentication methods (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

11

Configure the list of CLI commands accounting methods (optional).

esr(config)# aaa accounting commands stop-only tacacs

12

Configure tacacs in the list of user session accounting methods (optional).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

• tacacs – session accounting by TACACS;
• radius – session accounting by RADIUS.

13

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

• console – local console;
• ssh – secure remote console.

14

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 7.

15

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 8.

1

Specify basic DN (Distinguished name) which will be used when searching for users.

esr(config)# ldap-server base-dn <NAME>

<NAME> – basic DN, set by the string of up to 255 characters.

2

Set the interval after which the router assumes that the LDAP server is not available (optional).

esr(config)# ldap-server bind timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Specify the DN (Distinguished name) of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-dn <NAME>

<NAME> – DN of a user with administration rights, set by the string of up to 255 characters.

4

Specify the password of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-password ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

5

Specify a class name of the objects among which it is necessary to search for users on LDAP server (optional).

esr(config)# ldap-server search filter user-object-class <NAME>

<NAME> – object class name, set by the string of up to 127 characters.

Default value: posixAccount.

6

Specify the user search scope in LDAP server tree (optional).

esr(config)# ldap-server search scope <SCOPE>

<SCOPE> – user search scope on LDAP server, takes the following values:

• onelevel – search through the objects on the level following a basic DN tree in LDAP server tree;
• subtree – search through all objects of basic DN subtree in LDAP server tree.

Default value: subtree.

7

Specify the interval after which the device assumes that LDAP server has not found users entries satisfying the search condition (optional).

esr(config)# ldap-server search timeout <SEC>

<SEC> – time interval in seconds, takes values of [0..30]

Default value: 0 – device is waiting for search completion and response from LDAP server.

8

Specify an attribute name of the object which is compared with the name of the desired user on LDAP server (optional).

esr(config)# ldap-server naming-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: uid.

9

Specify the object attribute name which is compared with the name of a desired user on LDAP server (optional).

esr(config)# ldap-server privilege-level-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: priv-lvl

10

Set the DSCP code global value for the use in IP headers of LDAP server egress packets (optional).

esr(config)# ldap-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63

11

Add LDAP server to the list of used servers and switch to its configuration mode.

esr(config)# ldap -server host { <IP-ADDR> | <IPV6-ADDR> }
[ vrf <VRF> ]

esr(config-ldap-server)#

<IP-ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – LDAP server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

12

Specify the number of failed authentication attempts to block the user login and time of the lock (optional)

aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

13

Set the port number to communicate with remote LDAP server (optional).

esr(config-ldap-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 389 for LDAP server.

14

Prioritize the use of a remote LDAP server (optional).

esr(config-ldap-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

15

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted LDAP packets.

esr(config-ldap-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

16

Set LDAP as authentication method.

esr(config)# aaa authentication login { default | <NAME> }
<METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

• local – authentication by local user base;
• tacacs – authentication by TACACS server list;
• radius – authentication by RADIUS server list;
• ldap – authentication by LDAP server list.

17

Set LDAP as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME>
<METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

• default – default list name.

<METHOD> – authentication methods:

• enable – authentication by enable passwords;
• tacacs – authentication by TACACS;
• radius – authentication by RADIUS;
• ldap – authentication by LDAP.

18

Set the method for iterating over authentication methods.

esr(config)# aaa authentication mode <MODE>

<MODE> –  options of iterating over methods:

• chain – if the server returned FAIL, proceed to the following authentication method in the chain;
• break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

19

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

• console – local console;
• ssh – secure remote console.

20

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 14.

21

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 15.

1

Enable protection against ICMP flood attacks.

esr(config)# ip firewall screen dos-defense
icmp-threshold { <NUM> }

<NUM> – amount of ICMP packets per second, set in the range of [1..10000]

2

Enable protection against land attacks.

esr(config)# firewall screen dos-defense land

3

Enable a limit on the number of packets sent per second per destination address

esr(config)# ip firewall screen dos-defense
limit-session-destination { <NUM> }

<NUM> – limit number of IP
packets per second, set in the range of [1..10000].

4

Enable a limit on the number of packets sent per second per source address

esr(config)# ip firewall screen dos-defense
limit-session-source { <NUM> }

<NUM> – limit number of IP

Packets per second, set in the range of [1..10000].

5

Enable protection against SYN flood attacks.

esr(config)# ip firewall screen dos-defense
syn-flood { <NUM> } [src-dsr]

<NUM> – maximum amount of TCP packets with the set SYN flag per second, set in the range of [1..10000].

src-dst – limitation on the amount of TCP packets with the SYN flag set, based on the source and destination addresses.

6

Enable protection against UDP flood attacks.

esr(config)# ip firewall screen dos-defense
udp-threshold { <NUM> }

<NUM> – maximum amount of UDP packets per second, set in the range of [1..10000].

7

.Enable protection against winnuke attacks.

esr(config)# ip firewall screen dos-defense winnuke

8

Enable the blocking of TCP packets with the FIN flag set and the ACK flag not set.

esr(config)# ip firewall screen spy-blocking fin-no-ack

9

Enable the blocking of various type ICMP packets.

esr(config)# ip firewall screen spy-blocking icmp-type

<TYPE> – ICMP type, may take the following values:

• destination-unreachable
• echo-request
• reserved
• source-quench
• time-exceeded

10

Enable the protection against IP sweep attacks.

esr(config)# ip firewall screen spy-blocking ip-sweep { <NUM> }

<NUM> – ip sweep attack detection time, set in milliseconds [1..1000000].

11

Enable protection against port scan attacks.

esr(config)# ip firewall screen spy-blocking port-scan
{ <threshold> } [ <TIME> ]

<threshold> – interval in milliseconds during which the port scan attack will be recorded [1..1000000].

<TIME> – blocking time in milliseconds [1..1000000].

12

Enable the protection against IP spoofing attacks.

esr(config)# ip firewall screen spy-blocking spoofing

13

Enable the blocking of TCP packets, with the SYN and FIN flags set.

esr(config)# ip firewall screen spy-blocking syn-fin

14

Enable the blocking of TCP packets, with all flags or with the set of flags: FIN, PSH, URG. The given command provides the protection against XMAS attack

esr(config)# ip firewall screen spy-blocking tcp-all-flag

15

Enable the blocking of TCP packets, with the zero “flags” field.

esr(config)# ip firewall screen spy-blocking tcp-no-flag

16

Enable the blocking of fragmented
ICMP packets.

esr(config)# ip firewall screen suspicious-packets icmp-fragment

17

Enable the blocking of fragmented IP packets.

esr(config)# ip firewall screen suspicious-packets ip-fragment

18

Enable the blocking of ICMP packets more than 1024 bytes.

esr(config)# ip firewall screen suspicious-packets icmp-fragment

19

Enable the blocking of fragmented TCP packets, with the SYN flag.

esr(config)# ip firewall screen suspicious-packets syn-fragment

20

Enable the blocking of fragmented UDP packets.

esr(config)# ip firewall screen suspicious-packets udp-fragment

21

Enable the blocking of packets, with the protocol ID contained in IP header equal to 137 and more.

esr(config)# ip firewall screen suspicious-packets unknown-protocols

22

Set the frequency of notification (via SNMP, syslog and in CLI) of detected and blocked network attacks.

esr(config)# ip firewall logging interval <NUM>

<NUM> – time interval in seconds [30 .. 2147483647]

23

Enable more detailed message output about detected and blocked network attacks in the CLI.

esr(config)# logging firewall screen detailed

24

Enable mechanism of DoS attacks detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen dos-defense <ATACK_TYPE>

<ATACK_TYPE> – DoS attack type, takes the following values: icmp-threshold, land, limit-session-destination, limit-session-source, syn-flood, udp-threshold, winnuke.

25

Enable mechanism of espionage activity detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen spy-blocking
{ <ATACK_TYPE> | icmp-type <ICMP_TYPE> }

<ATACK_TYPE> – espionage activity type, takes the following values: fin-no-ack, ip-sweep, port-scan, spoofing, syn-fin, tcp-all-flag, tcp-no-flag.

<ICMP_TYPE> –  ICMP type, takes the following values: destination-unreachable, echo-request, reserved, source-quench, time-exceeded.

26

Enable mechanism of specialized packets detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen suspicious-packets <PACKET_TYPE>

<PACKET_TYPE> – non-standard packets type, takes the following values: icmp-fragment, ip-fragment, large-icmp, syn-fragment, udp-fragment, unknown-protocols.

ip firewall screen dos-defense icmp-threshold

This command enables the protection against ICMP flood attacks. When the protection is enabled, the amount of all types ICMP packets per second for one destination address is limited. The attack leads to the host reboot and its failure due to the necessity to process each query and respond to it.

firewall screen dos-defense land

This command enables the protection against land attacks. When the protection is enabled, the packets with the same source and destination IP addresses and with SYN flag in TCP header are blocked. The attack leads to the host reboot and its failure due to the necessity to process each TCP SYN packet and the attempts of the host to establish a TCP session with itself.

ip firewall screen dos-defense limit-session-destination

When the host IP sessions table is overfilled, the host is unable to establish new sessions and it drops the requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables limiting the number of packets transmitted per second per destination address, which attenuates DoS attacks.

ip firewall screen dos-defense limit-session-source

When the host IP sessions table is overfilled, the host is unable to establish new sessions and it drops the requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables limiting the number of packets transmitted per second per source address, which attenuates DoS attacks.

ip firewall screen dos-defense syn-flood

This command enables the protection against SYN flood attacks. When the protection is enabled, the amount of TCP packets with the SYN flag set per second for one destination address is limited. The attack leads to the host reboot and its failure due to the necessity to process each TCP SYN packet and the attempts to establish a TCP session.

ip firewall screen dos-defense udp-threshold

This command enables the protection against UDP flood attacks. When the protection is enabled, the amount of UDP packets per second for one destination address is limited. The attack lead to the host reboot and its failure due to the massive UDP traffic.

ip firewall screen dos-defense winnuke

This command enables the protection against winnuke attacks. When the protection is enabled,
TCP packets with the URG flag set and 139 destination port are blocked. The attack leads to the older Windows versions (up to 95 version) failure.

ip firewall screen spy-blocking fin-no-ack

The given command enables the blocking of TCP packets with the FIN flag set and the ACK flag not set. These packets are specialized and it is possible to determine a victim operational system by the respond.

ip firewall screen spy-blocking icmp-type destination-unreachable

The given command enables the blocking of all 3 type ICMP packets (destination-unreachable) including the packets generated by the router itself. The protection prevents an attacker from learning about network topology and hosts availability

ip firewall screen spy-blocking icmp-type echo-request

The given command enables the blocking of all 8 type ICMP packets (echo-request) including the packets generated by the router itself. The protection prevents an attacker from learning about network topology and hosts availability

ip firewall screen spy-blocking icmp-type reserved

The given command enables the blocking of all 2 and 7 type ICMP packets (reserved) including the packets generated by the router itself. The protection prevents an attacker from learning about network topology and hosts availability

ip firewall screen spy-blocking icmp-type source-quench

The given command enables the blocking of all 4 type ICMP packets (source quench) including the packets generated by the router itself. The protection prevents an attacker from learning about network topology and hosts availability

ip firewall screen spy-blocking icmp-type time-exceeded

The given command enables the blocking of all 11 type ICMP packets (time exceeded) including the packets generated by the router itself. The protection prevents an attacker from learning about network topology and hosts availability

ip firewall screen spy-blocking ip-sweep

This command enables the protection against IP-sweep attacks. When the protection is enabled, if more than 10 ICMP queries from one source arrive within the specified interval, the first 10 queries are dropped by the router and 11th with the following ones are discarded for the remaining interval time. The protection prevents an attacker from learning about network topology and hosts availability.

ip firewall screen spy-blocking port-scan

This command enables the protection against port scan attacks. If more than 10 TCP packets with the SYN flag arrive to several TCP ports and or more than 10 UDP packets arrive ti several UDP ports of one source within the first specified interval (<threshold>), then this behaviour is recorded as port scan attack and all the following packets of that type are blocked for the second specified time interval (<TIME>). An attacker will not be able to scan the device open ports quickly.

ip firewall screen spy-blocking spoofing

The given command enables the protection against ip spoofing attacks. When the protection is enabled, the router checks packets for matching the source address and routing table entries, and in case of mismatch the packet is dropped. For example, if a packet with source address 10.0.0.1/24 arrives to the Gi1/0/1 interface and the given subnet is located after the Gi1/0/2 interface in the routing table, it is considered that the source address has been replaced. Protects from network intrusions with replaced source IP addresses.

ip firewall screen spy-blocking syn-fin

The given command enables the blocking of TCP packets, with the SYN and FIN flags set. These packets are specialized and it is possible to determine a victim operational system by the respond.

ip firewall screen spy-blocking tcp-all-flag

This command enables the blocking of TCP packets, with all flags or with the set of flags: FIN, PSH, URG. The protection against XMAS attack is provided.

ip firewall screen spy-blocking tcp-no-flag

This command enables the blocking of TCP packets with the zero 'flags' field. These packets are specialized and it is possible to determine a victim operational system by the respond.

ip firewall screen suspicious-packets icmp-fragment

The given command enables the blocking of fragmented ICMP packets. ICMP packets are usually small and there is no need to fragment them.

ip firewall screen suspicious-packets ip-fragment

The given command enables the blocking of fragmented packets.

ip firewall screen suspicious-packets large-icmp

The given command enables the blocking of ICMP packets more than 1024 bytes.

ip firewall screen suspicious-packets syn-fragment

This command enables the blocking of fragmented TCP packets with the SYN flag. TCP packets with the SYN flag are usually small and there is no need to fragment them. The protection prevents concentration of fragmented packets in a buffer.

ip firewall screen suspicious-packets udp-fragment

The given command enables the blocking of fragmented UDP packets.

ip firewall screen suspicious-packets unknown-protocols

The given command enables the blocking of packets, with the protocol ID contained in IP header equal to 137 and more.

1

Create security zones.

esr(config)# security zone <zone-name1>

esr(config)# security zone <zone-name2>

<zone-name> – up to 12 characters.

2

Specify a security zone description.

esr(config-zone)# description <description>

<description> – up to 255 characters..

3

Specify VRF instance, in which the given security zone will operate (optional).

esr(config- zone)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Enable session counters for NAT and Firewall (optional, may reduce the performance).

esr(config)# ip firewall sessions counters

5

Disable filtration of packets for which it was not possible to determine belonging to any known connection and which are not the beginning of a new connection (optional, may reduce the performance).

esr(config)# ip firewall sessions allow-unknown

6

Select firewall operation mode (optional)

The firewall by application list is possible only in stateless mode

esr(config)# ip firewall mode <MODE>

<MODE> – firewall operation mode, may take the following values: stateful, stateless.

Default value: stateful

7

Determine the session lifetime for unsupported protocols (optional).

esr(config)# ip firewall sessions generic-timeout <TIME>

<TIME> – session lifetime for unsupported protocols, takes values in seconds [1..8553600].

Default value: 60 seconds.

8

Determine ICMP session lifetime after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions icmp-timeout <TIME>

<TIME> – ICMP session lifetime, takes values in seconds [1..8553600].

Default value: 30 seconds.

9

Determine ICMPv6 session lifetime after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions icmpv6-timeout <TIME>

<TIME> – ICMP session lifetime, takes values in seconds [1..8553600].

Default value: 30 seconds.

10

Determine the size of outstanding sessions table (optional).

esr(config)# ip firewall sessions max-expect <COUNT>

<COUNT>  – table size, takes values of [1..8553600].

Default value: 256.

11

Determine the size of trackable sessions table (optional).

esr(config)# ip firewall sessions max-tracking <COUNT>

<COUNT>  – table size, takes values of [1..8553600].
Default value: 512000.

12

Determine the lifetime of TCP session in “connection is being established” state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions tcp-connect-timeout <TIME>

<TIME> – lifetime of TCP session in “connection is being established” state, takes values in seconds [1..8553600].

Default value: 60 seconds.

13

Determine the lifetime of TCP session in 'connection is being closed' state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions tcp-disconnect-timeout <TIME>

<TIME> – lifetime of TCP session in “connection is being closed” state, takes values in seconds [1..8553600].
Default value: 30 seconds.

14

Determine the lifetime of TCP session in “connection is being established” state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions tcp-established-timeout <TIME>

<TIME> – lifetime of TCP session in “connection is being established” state, takes values in seconds [1..8553600].

Default value: 120 seconds.

15

Determine the timeout after which the closed TCP session is actually deleted from the table of trackable sessions (optional).

esr(config)# ip firewall sessions tcp-latecome-timeout <TIME>

<TIME> – timeout, takes value in seconds [1..8553600].

Default value: 120 seconds.

16

Enable application-level session tracking for certain protocols (optional).

esr(config)# ip firewall sessions tracking

<PROTOCOL> - application-level protocol [ftp, h323, pptp, netbios-ns, tftp] sessions of which should be tracked.

<OBJECT-GROUP-SERVICE> – sip session TCP/UDP ports’ profile name, set by the string of up to 31 characters. If a group is not specified, sip sessions monitoring will be performed for 5060 port.

Instead of a certain protocol you can use the “all” key that enables application-level session tracking for all available protocols.

By default - disabled for all protocols.

17

Determine the lifetime of UDP session in “connection is confirmed” state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions udp-assured-timeout <TIME>

<TIME> – lifetime of UDP session in “connection is confirmed” state, takes values in seconds [1..8553600].

Default value: 180 seconds.

18

Determine the lifetime of UDP session in 'connection is not confirmed' state after which it is considered to be outdated.

esr(config)# ip firewall sessions udp-wait-timeout <TIME>

<TIME> – lifetime of UDP session in “connection is not confirmed” state, takes values in seconds [1..8553600].

Default value: 30 seconds.

19

Create IP addresses lists which will be used during filtration.

esr(config)# object-group network <obj-group-name>

<obj-group-name> – up to 31 characters.

20

Specify IP addresses list description (optional).

esr(config-object-group-network)# description <description>

<description> – profile description, set by the string of up to 255 characters.

21

Add necessary IPv4/IPv6 addresses to the list.

esr(config-object-group-network)# ip prefix <ADDR/LEN>

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

esr(config-object-group-network)# ip address-range
<FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address, optional parameter; If the parameter is not specified, a single IP address is set by the command.

The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-object-group-network)# ipv6 prefix <IPV6-ADDR/LEN>

<IPV6-ADDR/LEN> – IP address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

esr(config-object-group-network)# ipv6 address-range
<FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IPv6 address;

<TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command.

The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

22

Create services lists which will be used during filtration.

esr(config)# object-group service <obj-group-name>

<obj-group-name> – service profile name, set by the string of up to 31 characters.

23

Specify services list description (optional).

esr(config-object-group-service)# description <description>

<description> – profile description, set by the string of up to 255 characters.

24

Add necessary services (tcp/udp ports) to the list.

esr(config-object-group-service)# port-range <port>

<port> – takes values in the range of [1..65535].

You can specify several ports separated by commas “,” or you can specify the range of ports with “-”.

25

Create applications lists which will be used in DPI mechanism.

esr(config)# object-group application <NAME>

<NAME> – application profile name, set by the string of up to 31 characters.

26

Specify applications list description (optional).

esr(config-object-group-application)# description <description>

<description> – profile description, set by the string of up to 255 characters.

27

Add necessary applications to the lists.

esr(config-object-group-application)# application < APPLICATION >

<APPLICATION> – specifies the application covered by the given profile

28

Add interfaces (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) into security zones (optional).

esr(config-if-gi)# security-zone <zone-name>

<zone-name> – up to 12 characters.

Disable Firewall functions on the network interface (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) (optional).

esr(config-if-gi)# ip firewall disable

29

Create an interzone interaction rule set.

esr(config)# security zone-pair <src-zone-name1> <dst-zone-name2>

<src-zone-name> – up to 12 characters.

<dst-zone-name> – up to 12 characters.

30

Create an interzone interaction rule set.

esr(config-zone-pair)# rule <rule-number>

<rule-number> – 1..10000.

31

Specify rule description (optional).

esr(config-zone-rule)# description <description>

<description> – up to 255 characters..

32

Specify the given rule force.

esr(config-zone-rule)# action <action> [ log ]

<action> – permit/deny/reject/netflow-sample/sflow-sample

log – activation key for logging of sessions established according to the given rule.

33

Set name or number of IP for which the rule should work (optional).

esr(config-zone-rule)# match [not] protocol <protocol-type>

<protocol-type> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.

When specifying the “any” value, the rule will work for any protocols.

esr(config-zone-rule)# match [not] protocol-id <protocol-id>

<protocol-id> – IP identification number, takes values of [0x00-0xFF].

34

Specify the profile of transmitter IP addresses for which the rule should work (optional).

esr(config-zone-rule)# match [not] source-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the “any” value, the rule will work for any sender/recipient IP address.

35

Set the profile of destination IP addresses for which the rule should work (optional).

esr(config-zone-rule)# match [not] destination-address <OBJ-GROUP-NETWORK-NAME>

36

Set source MAC address for which the rule should work (optional).

esr(config-zone-rule)# match [not] source-mac <mac-addr>

<mac-addr> – defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

37

Set sender MAC address for which the rule should work (optional).

esr(config-zone-rule)# match [not] destination-mac <mac-addr>

38

Set TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] source-port <PORT-SET-NAME>

<PORT-SET-NAME> – set by the string of up to 31 characters. When specifying the “any” value, the rule will work for any sender/recipient TCP/UDP port.

39

Set the destination TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] destination-port <PORT-SET-NAME>

40

Specify the type and code of ICMP messages for which the rule should work (if ICMP is selected as protocol) (optional).

esr(config-zone-rule)# match [not] icmp <ICMP_TYPE> <ICMP_CODE>

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the “any” value, the rule will work for any ICMP message code.

41

Set the limitation under which the rule will only work for traffic modified by the IP address and destination ports translation service.

esr(config-zone-rule)# match [not] destination-nat

42

Set the maximum packet rate (optional, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# rate-limit pps <rate-pps>

<rate-pps> – maximum amount of packets that can be transmitted. Takes values in the range of [1..10000].

43

Set the filtration only for fragmented IP packets (optional, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# match [not] fragment

44

Set the filtration only for IP packets including ip-option (optional, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# match [not] ip-option

45

Create an interzone interaction rule.

esr(config-zone-rule)# enable

46

Enable filtering and session tracking mode while packets are transmitted between one Bridge group participants (optional, available only for ESR-1000/1200/1500/1511/1700
/3100)

esr(config-bridge)# ports firewall enable

1

Create access control list and switch to its configuration mode.

esr(config)# ip access-list extended <NAME>

<NAME> – access control list name, set by the string of up to 31 characters.

2

Specify the description of a configurable access control list (optional).

esr(config-acl)# description <DESCRIPTION>

<DESCRIPTION> – access control list description, set by the string of up to 255 characters.

3

Create a rule and switch to its configuration mode.

The rules are proceeded by the router in number ascending order.

esr(config-acl)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..4094].

4

Specify the action that should be applied for the traffic meeting the given requirements.

esr(config-acl-rule)# action <ACT>

<ACT> – allocated action:

• permit – traffic transfer is permitted;
• deny – traffic transfer is denied.

5

Set name of protocol for which the rule should work (optional).

esr(config-acl-rule)# match protocol <TYPE>

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. When specifying the “any” value, the rule will work for any protocols.

esr(config-acl-rule)# match protocol-id <ID>

<ID> – IP identification number, takes values of [0x00-0xFF].

6

Set sender IP addresses for which the rule should work (optional).

esr(config-acl-rule)# match source-address { <ADDR> <MASK> | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits, set to zero, specify IP address bits excluded from the comparison when searching.

When specifying the “any” value, the rule will work for any sender/recipient IP address.

7

Set destination IP addresses for which the rule should work (optional).

esr(config-acl-rule)# match destination-address { <ADDR> <MASK> | any }

8

Set sender MAC addresses for which the rule should work (optional).

esr(config-acl-rule)# match source-mac <ADDR><WILDCARD>

<ADDR> – sender MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits, set to zero, specify MAC address bits excluded from the comparison when searching.

9

Set destination MAC addresses for which the rule should work (optional).

esr(config-acl-rule)# match destination-mac <ADDR><WILDCARD>

10

Set the number of sender TCP/UDP ports for which the rule should work (if the protocol is specified).

esr(config-acl-rule)# match source-port { <PORT> | any }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535]. When specifying the “any” value, the rule will work for any sender TCP/UDP port.

11

Set the destination TCP/UDP ports number for which the rule should work (if the protocol is specified).

esr(config-acl-rule)# match destination-port { <PORT> | any }

12

Set priority 802.1p value for which the rule should work (optional).

esr(config-acl-rule)# match с os <COS>

<COS>  – priority 802.1p value, takes values of [0..7].

13

Set DSCP code value for which the rule should work (optional). Can not be used with IP Precedence.

esr(config-acl-rule)# match dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

14

Set IP Precedence code for which the rule should work (optional). Can not be used with DSCP.

esr(config-acl-rule)# match ip-precedence <IPP>

<IPP> – IP Precedence code value, takes values in the range of [0..7].

15

Set VLAN ID for which the rule should work (optional).

esr(config-acl-rule)# match vlan <VID>

<VID>  – VLAN ID, takes values of [1..4094].

16

Activate a rule.

esr(config-acl-rule)# enable

17

Specify access control list for the configured interface to filtrate incoming traffic.

esr(config-if-gi)# service-acl input <NAME>

<NAME> – access control list name, set by the string of up to 31 characters.

1

Create IPS/IDS security policy.

esr(config)# security ips policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters

2

Specify policy description (optional).

esr(config-ips-policy)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

3

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

4

Specify the profile of IP addresses that are external for IPS/IDS (optionally).

esr(config-ips-policy)# external network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – external IP addresses profile name, set by the string of up to 32 characters.

5

Switch to the IPS/IDS configuration mode.

esr(config)# security ips

6

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters

7

Use all ESR rosiurces for IPS/IDS (optional).

esr(config-ips)# perfomance max

By default, half of the available processor cores are allocated for IPS/IDS.

8

Set external drive for recording logs in EVE format (optional).

esr(config-ips)# logging storage-path <DEVICE_NAME>

<DEVICE_NAME> the name of the USB or MMC drive.

9

Enable IPS/IDS.

esr(config-ips )# enable

10

Enable IPS/IDS on the interface.

esr(config-if-gi)# service-ips enable

1

Switch to the autoupdate configuration mode

esr(config-ips)# auto-upgrade

2

Specify a name and enter the configuration mode of the user update server.

esr(config-ips-auto-upgrade)# user-server <WORD>

<WORD> – server name, set by the string of up to 32 characters.

3

Specify the description of the user update server (optional).

esr(config-ips-upgrade-user-server)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

4

Specify URL.

esr(config-ips-upgrade-user-server)# url <URL>

<URL> – text field containing URL link of 8-255 characters length.

As an URL-links can be specified:

• rule file with the .rule extension;
• rule classifier file named classification.config;
• directory on the server containing rule files and/or rule classifier file.

5

Set the frequency for update checking (optional).

esr(config-ips-upgrade-user-server)# upgrade interval <HOURS>

<HOURS> – update interval in hours, from 1 to 240.

Default value: 24 hours

https://sslbl.abuse.ch/

SSL Blacklist contains lists of 'bad' SSL certificates, i.e. certificates in respect of which the fact of their use by malware and botnets has been established. The lists contain SHA1 fingerprints of public keys from SSL certificates.

https://feodotracker.abuse.ch/

Feodo Tracker – list of management servers for the Feodo Trojan. Feodo (also known as Cridex or Bugat) is used by cybercriminals to steal sensitive information in the field of electronic banking (credit card information, logins/passwords) from users' computers. Currently, there are four versions of the Trojan (versions A, B, C and D), mainly distinguished by the infrastructure of control servers.

https://rules.emergingthreats.net/open/suricata/rules/botcc.rules

These rules describe well-known botnets and control servers. Sources: Shadowserver.org, Zeus Tracker, Palevo Tracker, Feodo Tracker, Ransomware Tracker.

https://rules.emergingthreats.net/open/suricata/rules/ciarmy.rules

These rules describe malicious hosts by the classification of the www.cinsarmy.com project.

https://rules.emergingthreats.net/open/suricata/rules/compromised.rules

These rules describe well-known compromised and malicious hosts. Ыщгксуы: Daniel Gerzo’s BruteForceBlocker, The OpenBL, Emerging Threats Sandnet, SidReporter Projects.

https://rules.emergingthreats.net/open/suricata/rules/drop.rules

These rules describe spammer hosts/networks by the classification of the www.spamhaus.org project.

https://rules.emergingthreats.net/open/suricata/rules/dshield.rules

These rules describe malicious hosts by the classification of the www.dshield.org project.

https://rules.emergingthreats.net/open/suricata/rules/emerging-activex.rules

These rules contain signatures for using ActiveX content.

https://rules.emergingthreats.net/open/suricata/rules/emerging-attack_response.rules

Rules that detect host behavior after successful attacks.

https://rules.emergingthreats.net/open/suricata/rules/emerging-chat.rules

These rules describe signs of accessing popular chat rooms.

https://rules.emergingthreats.net/open/suricata/rules/emerging-current_events.rules

Temporary rules awaiting possible inclusion in permanent rule lists.

https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules

These rules contain signatures of vulnerabilities in the DNS protocol, signs of the use of DNS by malware, and incorrect use of the DNS protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-dos.rules

These rules contain DOS attack signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-exploit.rules

These rules contain exploit signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-ftp.rules

These rules contain signatures of vulnerabilities in the FTP protocol, signs of incorrect use of the FTP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-games.rules

These rules describe the signs of reference to popular game sites: World of Warcraft, Starcraft, etc.

https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp.rules

These rules contain signatures of incorrect use of the ICMP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp_info.rules

These rules contain signatures of ICMP information messages.

https://rules.emergingthreats.net/open/suricata/rules/emerging-imap.rules

These rules contain signatures of vulnerabilities in the IMAP protocol, signs of incorrect use of the IMAP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-inappropriate.rules

These rules describe signs of accessing unwanted resources.

https://rules.emergingthreats.net/open/suricata/rules/emerging-info.rules

These rules contain different vulnerabilities signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-malware.rules

These rules contain signatures of malware that uses the HTTP protocol in their work.

https://rules.emergingthreats.net/open/suricata/rules/emerging-misc.rules

These rules contain different vulnerabilities signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-mobile_malware.rules

These rules contain malware signatures for mobile platforms.

https://rules.emergingthreats.net/open/suricata/rules/emerging-netbios.rules

These rules contain signatures of vulnerabilities in the NetBIOS protocol, signs of incorrect use of the NetBIOS protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-p2p.rules

These rules describe signs of access to P2P networks (Bittorrent, Gnutella, Limewire).

https://rules.emergingthreats.net/open/suricata/rules/emerging-policy.rules

These rules describe unwanted network activity (access to MySpace, Ebay).

https://rules.emergingthreats.net/open/suricata/rules/emerging-poprules

These rules contain signatures of vulnerabilities in the POP3 protocol, signs of incorrect use of the POP3 protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-rpc.rules

These rules contain signatures of vulnerabilities in the RPC protocol, signs of incorrect use of the RPC protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-scada.rules

These rules contain vulnerability signatures for SCADA systems.

https://rules.emergingthreats.net/open/suricata/rules/emerging-scan.rules

These rules describe signs of activity associated with network scanning (Nessus, Nikto, portscanning).

https://rules.emergingthreats.net/open/suricata/rules/emerging-shellcode.rules

These rules describe signs of activity associated with attempts to gain shell access as a result of exploits.

https://rules.emergingthreats.net/open/suricata/rules/emerging-smtp.rules

These rules contain signatures of vulnerabilities in the SMTP protocol, signs of incorrect use of the SMTP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-sql.rules

These rules contain vulnerability signatures for SQL DBMS.

https://rules.emergingthreats.net/open/suricata/rules/emerging-telnet.rules

These rules contain signatures of vulnerabilities in the telnet protocol, signs of incorrect use of the telnet protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-tftp.rules

These rules contain signatures of vulnerabilities in the TFTP protocol, signs of incorrect use of the TFTP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-trojan.rules

These rules contain signs of network activity of Trojans.

https://rules.emergingthreats.net/open/suricata/rules/emerging-user_agents.rules

These rules contain signs of suspicious and potentially dangerous HTTP clients (identified by the values in the User-Agent HTTP header).

https://rules.emergingthreats.net/open/suricata/rules/emerging-l.rules

These rules contain vulnerability signatures for VOIP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-web_client.rules

These rules contain vulnerability signatures for WEB clients.

https://rules.emergingthreats.net/open/suricata/rules/emerging-web_server.rules

These rules contain vulnerability signatures for WEB servers.

https://rules.emergingthreats.net/open/suricata/rules/emerging-web_specific_apps.rules

These rules contain vulnerability exploitation signatures for WEB applications.

https://rules.emergingthreats.net/open/suricata/rules/emerging-worm.rules

These rules describe signs of network worm activity.

1

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

2

Define a description of a set of user rules (optionally).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

3

Create a rule and switch to its configuration mode.

esr(config-ips-category)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..512].

4

Specify rule description (optional).

esr(config-ips-category-rule)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Specify the given rule force.

esr(config-ips-category-rule)# action { alert | reject | pass | drop }

• alert – traffic is allowed and the IPS/IDS service generates a message;
• reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recepient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
• pass – traffic transfer is permitted;
• drop – traffic is prohibited and the IPS/IDS service generates a message.

6

Set name of IP protocol for which the rule should work.

esr(config-ips-category-rule)# protocol <PROTOCOL>

<PROTOCOL> – take values: any/ip/icmp/http/tcp/udp

When specifying the 'any' value, the rule will work for any protocols

7

Set sender IP addresses for which the rule should work.

esr(config-ips-category-rule)# source-address
{ip <ADDR> | ip-prefix <ADDR/LEN> |
object-group <OBJ_GR_NAME> | policy-object-group
{ protect | external } | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – sender IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.

• protect – sets sender addresses, protect addresses defined in IPS/IDS policy;
• external – sets external addresses defined in IPS/IDS policy as sender addresses.

When specifying the 'any' value, the rule will be triggered for any source IP address.

8

Set the profile of source TCP/UDP ports for which the rule should work.

For protocol icmp value, source-port can only be any.

esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ-GR-NAME> }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the “any” value, the rule will work for any sender TCP/UDP port.

9

Set destination IP addresses for which the rule should trigger.

esr(config-ips-category-rule)# destination-address
{ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> |
policy-object-group { protect | external } | any }

<<ADDR> – recepient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – recepient IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains recepient IP address, set by the string of up to 31 characters.

• protect – sets recepient addresses, protect addresses defined in IPS/IDS policy;
• external – sets external addresses defined in IPS/IDS policy as recepient addresses.

When specifying the “any” value, the rule will work for any sender IP address.

10

Set the profile of destination TCP/UDP ports for which the rule should work.

For protocol icmp value, destination-port can only be any.

esr(config-ips-category-rule)# destination-port
{any | <PORT> | object-group <OBJ-GR-NAME> }

<PORT> – number of destination TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – recepient TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

11

Set traffic direction for which the rule should trigger.

esr(config-ips-category-rule)# direction { one-way | round-trip }

• one-way – traffic is transmitted in one direction.
• round-trip – traffic is transmitted in both directions.

12

Define the message that IPS/IDS will record to the log when this rule will trigger.

esr(config-ips-category-rule)# meta log-message <MESSAGE>

<MESSAGE> –  text message, specified by a string of up to 129 characters.

13

Define the traffic classification which will record to the log when this rule will trigger (optional).

esr(config-ips-category-rule)# meta classification-type
{ not-suspicious | unknown | bad-unknown | attempted-recon |
successful-recon-limited | successful-recon-largescale |
attempted-dos | successful-dos | attempted-user |
unsuccessful-user | successful-user | attempted-admin |
successful-admin | rpc-portmap-decode | shellcode-detect |
string-detect | suspicious-filename-detect | suspicious-login |  system-call-detect | tcp-connection | trojan-activity |
unusual-client-port-connection | network-scan |
denial-of-service | non-standard-protocol |
protocol-command-decode | web-application-activity |
web-application-attack | misc-activity | misc-attack |
icmp-event | inappropriate-content | policy-violation |
default-login-attempt }

• not-suspicious – not suspicious traffic;
• unknown – unknown traffic.
• bad-unknown – potentially bad traffic.
• attempted-recon – information leak attempt.
• successful-recon-limited – information leak.
• successful-recon-largescale – large-scale information leak.
• attempted-dos – denial of service attempt.
• successful-dos – denial of service.
• attempted-user – attempt to obtain user privileges.
• unsuccessful-user – unsuccessful attempt to obtain user privileges.
• successful-user – successful attempt to obtain user privileges.
• successful-admin – successful attempt to obtain admin privileges.
• successful-admin – successful attempt to obtain admin privileges.
• rpc-portmap-decode – RPC request decoding.
• shellcode-detect – executable code detected.
• string-detect – suspicious string detected.
• suspicious-filename-detect – suspicious filename was detected.
• suspicious-login – attempt to log in using a suspicious username was deteceted.
• system-call-detect – system call was detected.
• tcp-connection – TCP connection was detected.
• trojan-activity – network Trojan was detected.
• unusual-client-port-connection – the client used an unusual port.
• network-scan – network scan was detected.
• denial-of-service – denial of service attack was detected.
• non-standard-protocol – custom protocol or event was detected.
• protocol-command-decode – encryption attempt was detected.
• web-application-activity – access to a potentially vulnerable web application.
• web-application-attack – attack on web application.
• misc-activity – other activity.
• misc-attack – other attacks.
• icmp-event – general ICMP event.
• inappropriate-content – inappropriate content was detected.
• policy-violation – potential breach of corporate privacy.
• default-login-attempt – login attempt using a standard login/password.

14

Set DSCP code value for which the rule should work (optional).

esr(config-ips-category-rule)# ip dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

15

Set the packet lifetime (TTL) value for which the rule will trigger (optional).

esr(config-ips-category-rule)# ip ttl <TTL>

<TTL> – TTL value, takes values in the range of [1..255].

16

Set number of IP for which the rule should work (optional).

Applicable only for protocol any value.

esr(config-ips-category-rule)# ip protocol-id <ID>

<ID> – IP identification number, takes values of [1..255].

17

Set ICMP CODE value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp code <CODE>

<CODE> – ICMP CODE value, takes a value in the range [0..255].

esr(config-ips-category-rule)# ip icmp code comparison-operator
{ greater-than | less-than }

Comparison operator for ip icmp code value:

• greater-than – greater than..
• less-than – less than..

18

Set ICMP ID value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp id <ID>

<ID> – ICMP ID value, takes a value in the range [0..65535].

19

Set ICMP Sequence-ID value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp sequence-id <SEQ-ID>

<SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295].

20

Set ICMP TYPE value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp type <TYPE>

<TYPE> – ICMP TYPE value, takes a value in the range [0..255].

esr(config-ips-category-rule)# ip icmp type comparison-operator
{ greater-than | less-than }

Comparison operator for ip icmp type value:

• greater-than – greater than..
• less-than – less than..

21

Set TCP Acknowledgement-Number value for which the rule should trigger (optional).

Applicable only for protocol tcp value.

esr(config-ips-category-rule)# ip tcp acknowledgment-number <ACK-NUM>

<ACK-NUM> – TCP Acknowledgement-Number value, takes a value in the range [0..4294967295].

22

Set TCP Sequence-ID value for which the rule should trigger (optional).

Applicable only for protocol tcp value.

esr(config-ips-category-rule)# ip tcp sequence-id <SEQ-ID>

<SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295].

23

Set TCP Window-Size value for which the rule should trigger (optional).

Applicable only for protocol tcp value.

esr(config-ips-category-rule)# ip tcp window-size <SIZE>

<SIZE> – TCP Window-Size value, takes a value in the range [0..65535].

24

Set HTTP protocol keywords for which the rule will trigger (optional).

Applicable only for protocol http value.

esr(config-ips-category-rule)# ip http { accept | accept-enc |
accept-lang | client-body | connection | content-type | cookie |  file-data | header | header-names | host | method | protocol |
referer | request-line | response-line | server-body | start |
start-code | start-msg | uri | user-agent }

See the Suricata 4.X documentation for the meaning of the keywords.

https://suricata.readthedocs.io/en/suricata-4.1.4/rules/http-keywords.html

25

Set HTTP protocol URI LEN keyword value for which the rule will trigger (optional).

Applicable only for protocol http value.

esr(config-ips-category-rule)# ip http urilen <LEN>

<LEN> – takes values in the range of [0.. 65535].

esr(config-ips-category-rule)# ip http urilen comparison-operator
{ greater-than | less-than }

Comparison operator for ip http urilen value:

• greater-than – greater than..
• less-than – less than..

26

Set the value of the content of packages (Payload content) for which the rule will trigger (optional).

esr(config-ips-category-rule)# payload content <CONTENT>

<CONTENT> – text message specified by a string of up to 1024 characters.

27

Do not distinguish between uppercase and lowercase letters in the description of package contents (optional).

Only applicable in conjunction with the payload content command.

esr(config-ips-category-rule)# payload no-case

28

Set how many bytes from the beginning of the contents of the packet will be checked (optional).

Only applicable in conjunction with the payload content command.

esr(config-ips-category-rule)# payload depth <DEPTH>

<DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1 .. 65535].

By default, the entire contents of the package are checked.

29

Set the number of offset bytes from the beginning of the contents of the packet to check (optional).

Only applicable in conjunction with the payload content command.

esr(config-ips-category-rule)# payload offset <OFFSET>

<OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1 .. 65535].

By default, it is checked from the beginning of the content.

30

Set the size of the contents of packets for which the rule will trigger (optional).

esr(config-ips-category-rule)# payload data-size <SIZE>

<SIZE> – packet content size, takes values in the range of [0.. 65535].

esr(config-ips-category-rule)# payload data-size
comparison-operator { greater-than | less-than }

Comparison operator for payload data-size value:

• greater-than – greater than..
• less-than – less than.

31

Specify the threshold number of packets at which the rule will trigger (optional).

esr(config-ips-category-rule)# threshold count <COUNT>

<COUNT> – number of packets, takes values in the range of [1.. 65535].

32

Specify the time interval for which the threshold number of packets is considered

(Mandatory if threshold count is enabled).

esr(config-ips-category-rule)# threshold second <SECOND>

<SECOND> – time interval in seconds, takes values in the range of [1.. 65535].

33

Specify at the sender or recipient address thresholds will be considered.

(Mandatory if threshold count is enabled).

esr(config-ips-category-rule)# threshold track
{ by-src | by-dst }

• by-src – read threshold value for packets with the same IP sender.
• by-dst – read threshold value for packets with the same IP recipient.

34

Specify threshold handling method.

esr(config-ips-category-rule)# threshold type
{threshold | limit | both }

• threshold – display a message every time a threshold is reached.
• limit – issue a message no more than <COUNT> times per time interval <SECOND>.
• both – threshold and limit combination.

A message will be generated if during the <SECOND> time interval there were <COUNT> or more packets matching the rule conditions, and the message will be sent only once during the <SECOND> time interval.

35

Activate a rule.

esr(config-ips-category-rule)# enable

1

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

2

Define a description of a set of user rules (optionally).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

3

Create extended rule and switch to its configuration mode.

esr(config-ips-category)# rule-advanced <SID>

<SID> – rule number, takes values of [1..4294967295].

4

Specify rule description (optional).

esr(config-ips-category-rule-advanced)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Specify the given rule force.

esr(config-ips-category-rule-advanced)# rule-text <LINE>

6

Activate a rule.

esr(config-ips-category-rule-advanced)# enable

1

Go to the content provider configuration.

esr (config)# content-provider

2

Specify edm server IP address.

esr (config-content-provider)# host address <A.B.C.D | WORD | X:X:X:X::X>

<IP-ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

WORD(1-31) - DNS name of the server.

3

Set the port to connect to the edm server.

esr (config-content-provider)# host port <PORT> 

<PORT> – number of sender TCP/UDP port, takes values of [1..65535].

4

Set the type and partition of the external device to create a crypto store.

esr (config-content-provider)# storage-device <DEVICE>

<DEVICE> – label and partition name on the external storage in the format of usb://Partion_name:/

mmc://Partion_name:/

5

Set the time to reboot the device after receiving the certificate.

esr (config-content-provider)# reboot immediately | [time <HH:MM:SS>]

Restart the device after receiving the certificate.

time <HH:MM:SS> – The time at which ESR will reboot <hours:minutes:seconds>.

6

Enable content provider.

enable

7

Set the interval for accessing the edm server in hours.

esr (config-content-provider)# upgrade interval <1-240>

8

Specify description (optional).

esr (config-content-provider)# description edm

LINE (1-255) String describing server

9

Create IP addresses lists which will be used during filtration.

esr (config)# object-group network <WORD>esr (config-object-group-network)# ip prefix <ADDR/LEN>

<WORD> – server name, set by the string of up to 32 characters.

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

10

Enable service-ips on interface.

esr (config)# interface gigabitethernet 1/0/Xesr (config-if-gi)# service-ips enable

11

Create IPS/IDS security policy.

esr (config)# security ips policy WORD(1-31)

WORD(1-31)

12

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

13

Enter the vendor configuration section.

esr (config-ips-policy)# vendor kaspersky

14

Connect the desired category.

esr (config-ips-vendor)# category WORD(1-64)

Phishing URL Data Feed – Phishing URL data streams

Malicious URL Data Feed – Malicious URL data streams

Botnet C&C URL Data Feed – Botnet C&C URL data streams

Malicious Hash Data Feed – Malicious Hashes data streams

Mobile Malicious Hash Data Feed – mobile Malicious Hashes data streams

IP Reputation Data Feed – IP address data streams

Mobile Botnet Data Feed – mobile Botnet data streams

Ransomware URL Data Feed – Ransomware URL data stream

Botnet C&C URL Exact Data Feed – Botnet C&C URL Exact data stream

Phishing URL Exact Data Feed – Phishing URL Exact data stream

Malicious URL Exact Data Feed – Malicious URL Exact data stream

Iot URL Data Feed – IoT URL data stream

15

Specify rule type.

esr (config-ips-vendor-category)# rules action <ACTION>

<ACTION> - drop | reject | alert | pass – actions to be applied to packages.

• alert – traffic is allowed and the IPS/IDS service generates a message;
• reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recepient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
• pass – traffic transfer is permitted;
• drop – traffic is prohibited and the IPS/IDS service generates a message.

16

Set the number of downloadable rules.

esr (config-ips-vendor-category)# rules count <number>

<number>

17

Enable category

enable

18

Switch to the IPS/IDS configuration mode.

esr (config)# security ips

19

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

20

Use all ESR rosiurces for IPS/IDS (optional).

esr(config-ips)# perfomance max

21

Set USB drive for recording logs in EVE format (optional).

esr(config-ips)# logging storage-path <DEVICE_NAME>

<DEVICE> – label and partition name on the external storage in the format of usb://Partion_name:/

mmc://Partion_name:/

22

Enable IPS/IDS.

esr(config- ips )# enable

1

Define DNS server IP address used for DNS names resolution.

esr(config)# domain name-server <IP>

<IP> –  IP address of DNS server being used, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

2

Enable DNS name resolution on the device

esr(config)# domain lookup enable

3

Create IPS/IDS security policy.

esr(config)# security ips policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

4

Specify policy description (optional).

esr(config-ips-policy)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Create IP addresses lists which will be used during filtration.

esr (config)# object-group network <WORD>

esr (config-object-group-network)# ip prefix <ADDR/LEN>

<WORD> – server name, set by the string of up to 32 characters.

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

6

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

7

Specify the profile of IP addresses that are external for IPS/IDS (optionally).

esr(config-ips-policy)# external network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – external IP addresses profile name, set by the string of up to 32 characters.

8

Create a content filter category profile

esr(config)# object-group content-filter <NAME>

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

9

Set the description of the content filter categories profile (optional).

esr(config-object-group-content-filter)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

10

Set the content filtering category provider.

esr(config-object-group-content-filter)# vendor <CONTENT-FILTER-VENDOR>

<CONTENT-FILTER-VENDOR> – name of the content filtering category provider. In the current version of the software, only Kaspersky Lab can act as a content filtering category provider.

11

Set the necessary categories of content filtering

esr(config-object-group-cf-kaspersky)# category <CATEGORY>

<CATEGORY> – category name. A description of the available categories can be found in the CLI command reference.

12

Switch to the IPS/IDS configuration mode.

esr(config)# security ips

13

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

14

Use all ESR rosiurces for IPS/IDS (optional).

esr(config-ips)# perfomance max

By default, half of the available processor cores are allocated for IPS/IDS.

15

Set external drive for recording logs in EVE format (optional).

esr(config-ips)# logging storage-path <DEVICE_NAME>

<DEVICE_NAME> the name of the USB or MMC drive.

16

Enable IPS/IDS.

esr(config-ips )# enable

17

Enable IPS/IDS on the interface.

esr(config-if-gi)# service-ips enable

18

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

19

Define a description of a set of user rules (optionally).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

20

Create a rule and switch to its configuration mode.

esr(config-ips-category)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..512].

21

Specify rule description (optional).

esr(config-ips-category-rule)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

22

Specify the given rule force.

esr(config-ips-category-rule)# action { alert | reject | pass | drop }

• alert – traffic is allowed and the IPS/IDS service generates a message;
• reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recepient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
• pass – traffic transfer is permitted;
• drop – traffic is prohibited and the IPS/IDS service generates a message.

23

Set the IP protocol to HTTP.

esr(config-ips-category-rule)# protocol http

24

Set sender IP addresses for which the rule should work.

esr(config-ips-category-rule)# source-address
{ip <ADDR> | ip-prefix <ADDR/LEN> |  object-group <OBJ_GR_NAME> | policy-object-group  { protect | external } | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – sender IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.

• protect – sets sender addresses, protect addresses defined in IPS/IDS policy;
• external – sets external addresses defined in IPS/IDS policy as sender addresses.

When specifying the 'any' value, the rule will be triggered for any source IP address.

25

Set the profile of source TCP ports for which the rule should work.

esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ-GR-NAME> }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the “any” value, the rule will work for any sender TCP/UDP port.

26

Set destination IP addresses for which the rule should trigger.

esr(config-ips-category-rule)# destination-address
{ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> |
policy-object-group { protect | external } | any }

<<ADDR> – recepient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – recepient IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains recepient IP address, set by the string of up to 31 characters.

• protect – sets recepient addresses, protect addresses defined in IPS/IDS policy;
• external – sets external addresses defined in IPS/IDS policy as recepient addresses.

When specifying the “any” value, the rule will work for any sender IP address.

27

Set the profile of destination TCP ports for which the rule should trigger.

Normally TCP port 80 is used for the http protocol.

In cases where web servers are used on non-standard ports need to write these ports too.

esr(config-ips-category-rule)# destination-port  {any | <PORT> | object-group <OBJ-GR-NAME> }

<PORT> – number of destination TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – recepient TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

28

Set traffic direction for which the rule should trigger.

esr(config-ips-category-rule)# direction { one-way | round-trip }

• one-way – traffic is transmitted in one direction.
• round-trip – traffic is transmitted in both directions.

29

Define the message that IPS/IDS will record to the log when this rule will trigger.

esr(config-ips-category-rule)# meta log-message <MESSAGE>

<MESSAGE> – text message specified by a string of up to 129 characters.

30

Assign a content filter category profile

esr(config-ips-category-rule)# ip http content-filter <NAME>

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

any – rule will trigger for http sites of any category.

31

Activate a rule.

esr(config-ips-category-rule)# enable

1

Configure router network name.

esr(config)# hostname <NAME>

<NAME> - up to 64 characters.

2

Assign domain name for the router.

esr(config)# domain name <NAME>

<NAME> - up to 255 characters.

3

Assign DNS server IP address used for DNS names resolution.

esr(config)# domain name-server <IP>

<IP> – in the format of AAA.BBB.CCC.DDD, where each part takes values from 0 to 255.

4

Enable DNS name resolution.

esr(config)# domain lookup enable

5

Create an "Antispam" service profile

esr(config)# security antispam profile <NAME>

<NAME> - up to 31 characters.

6

Set the description of the "Antispam" service profile (optional).

esr(config-antispam-profile)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

7

Set the marking type for e-mails that the "Antispam" service classifies as "Spam".

esr(config-antispam-profile)# mark-type <MARK-TYPE>

<MARK-TYPE> – the marking type of an email categorized as "Spam". Possible values:

• header – add the X-Spam header to email headers;
• subject – add the [SPAM] tag before the subject of the email.

8

Create the mail domain profile and mailbox addresses (optional).

esr(config)# object-group email <NAME>

<NAME> - up to 31 characters.

9

Set the description of the mail domain profile and mailbox addresses (optional).

esr(config-object-group-email)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

10

Enter the mail domain or mailbox address into the profile (optional).

esr(config-object-group-email)# email <NAME>

<NAME> - up to 63 characters.

11

Create a rule in the "Antispam" service profile (optional).

esr(config-antispam-profile)# rule <ORDER>

<ORDER> – rule number, may take values from 1..100.

12

Set the description of the "Antispam" service profile rule (optional).

esr(config-antispam-profile)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

13

Specify the profile of transmitter IP addresses for which the rule should work (optional).

esr(config-antispam-profile-rule)# sender ip <NAME>

<NAME> - up to 31 characters.

14

Set the profile of mail domains and mailbox addresses for which the rule should trigger (optional).

esr(config-antispam-profile-rule)# sender email <NAME>

<NAME> - up to 31 characters.

15

Specify the action for the rule.

esr(config-antispam-profile-rule)# action <ACTION>

<ACTION> – assigned action. Possible values:

• reject – further delivery of the letter is prohibited, the sender of the letter is sent a reply about the error.

16

Enable a rule in the "Antispam" service profile (optional).

esr(config-antispam-profile-rule)# enable

17

Create mail domain.

esr(config)# mailserver domain <DOMAIN-NAME>

<DOMAIN-NAME> - up to 31 characters.

18

Set the description of the email domain (optional).

esr(config-mailserver-domain)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

19

Set the name of the email domain to be served.

esr(config-mailserver-domain)# mail domain <NAME>

<NAME> - up to 63 characters.

20

Set the IP address of the mail server for which the "Antispam" service on ESR acts as SMTP Proxy.

esr(config-mailserver-domain)# mail server ip <ADDR>

<ADDR> – in the format of AAA.BBB.CCC.DDD, where each part takes values from 0 to 255.

21

Set the "Antispam" service profile, the settings of which will be applied to the current email domain.

esr(config-mailserver-domain)# profile antispam <NAME>

<NAME> - up to 63 characters.

22

Enable mail domain.

esr(config-mailserver-domain)# enable

23

Proceed to the mail server configuration.

esr(config)# mailserver

24

Set the name of the email domain.

esr(config-mailserver)# domain <NAME>

<NAME> - up to 63 characters.

25

Specify certificates and keys for the TLS protocol (optional).

esr(config-mailserver)# tls keyfile <TYPE> <NAME>

<TYPE> – type of certificate or key file. Possible values:

• ca – certificate authority;
• server-key – private server key;
• server-crt – public server certificate;
• dh – Diffie-Hellman key.

<NAME> – certificate file name, set by the string of up to 31 characters. 

26

Enable TLS support on the mail server (optional). If TLS is enabled, the configuration must include a preset CA certificate, server private key and public server certificate.

esr(config-mailserver)# tls enable

27

Set the maximum size of email headers in KB (optional).

esr(config-mailserver)# headers max-size <SIZE>

<SIZE> - the maximum size of email headers in KB, takes values from 50 to 200.

28

Set the maximum email size in KB (optional).

esr(config-mailserver)# mail max-size <SIZE>

<SIZE> - the maximum email size in KB, takes values from 5120 to 51200.

29

Enable mandatory HELO or EHLO SMTP command when establishing an SMTP session (optional).

esr(config-mailserver)# smtp helo-required

30

Enable the VRFY SMTP command on the mail server during an SMTP session (optional).

esr(config-mailserver)# smtp vrfy-enable

31

Enable mail server.

esr(config-mailserver)# enable