IPS/IDS general commands
description
This command changes the description.
The use of a negative form (no) of the command removes description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – description, set by the string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-IPS-CATEGORY
CONFIG-IPS-CATEGORY-RULE
CONFIG-IPS-CATEGORY-RULE-ADVANCED
CONFIG-IPS-POLICY
CONFIG-IPS-UPGRADE-USER-SERVER
Example
esr(config-ips-upgrade-user-server)# description "Etnetera aggressive IP blacklist"
enable
This command activates the IPS/IDS service and its rules.
The use of a negative form (no) of the command deactivates the IPS/IDS service.
Syntax
[no] enable
Parameters
The command does not contain parameters.
Default value
IPS/IDS service is not activated.
Required privilege level
15
Command mode
CONFIG-IPS
CONFIG-IPS-CATEGORY-RULE
CONFIG-IPS-CATEGORY-RULE-ADVANCED
Example
esr(config-ips)# enable
show security ips counters
This command displays the IPS/IDS service counters.
Syntax
show security ips counters
Required privilege level
10
Command mode
ROOT
Example
esr# show security ips counters
TCP flows processed : 34687
Alerts generated : 456
Blocked by ips engine : 78
Accepted by ips engine : 1356436
IPS/IDS policy configuration
external network-group
This command sets the IP address profile that the IPS/IDS service will treat as untrusted (external).
The IP address profile must be pre-created.
The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.
Syntax
external network-group <OBJ-GROUP-NETWORK-NAME>
no external network-group
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IPS-POLICY
Example
esr(config-ips-policy)# external network-group WAN
protect network-group
This command sets the IP address profile that the IPS/IDS service will protect.
The IP address profile must be pre-created.
The use of a negative form (no) of the command removes the configured profile from the IPS/IDS service settings.
Syntax
protect network-group <OBJ-GROUP-NETWORK-NAME>
no protect network-group
Parameters
<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IPS-POLICY
Example
esr(config-ips-policy)# protect network-group LAN
security ips policy
This command creates an IPS/IDS service settings policy with a specific name and switches to the policy configuration mode.
The use of a negative form (no) of the command removes the configured policy of the IPS/IDS service settings.
Syntax
[no] security ips policy <POLICY_NAME>
Parameters
<POLICY_NAME> – IPS/IDS service policy name, specified by a string of up to 32 characters.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ips policy OFFICE
IPS configuration
logging storage-device
This command sets the name of the USB drive to which the log files of the IPS/IDS service in the EVE format (elasticsearch) will be written.
The use of a negative form (no) of the command stops recording log files.
Syntax
logging storage-device <DEVICE_NAME>
no logging storage-device
Parameters
<DEVICE_NAME> – USB storage device name.
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# logging storage-device usb://DATA
security ips
This command creates an IPS/IDS service profile and switches to its configuration mode.
Syntax
security ips
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# security ips
performance max
This command allows the IPS/IDS service to use all of the device’s resources for maximum performance. It is recommended to use when the device is used exclusively as IPS/IDS. It is not recommended to use when, in addition to IPS/IDS, the device performs other functions (routing, BRAS, etc.).
The use of a negative form (no) of the command frees up part of the device’s resources for use by other services.
Syntax
[no] performance max
Default value
ESR-10/12V/12VF/14VF – 1 core;
ESR-20/21/100/200 – 2 cores;
ESR-1000/1200/1500 – 6 cores;
ESR-1510 – 11 cores;
ESR-1700 – 21 cores.
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# performance max
policy
This command assigns the previously created IPS/IDS service settings policy.
The use of a negative form (no) of the command removes the assigned policy of the IPS/IDS service settings.
Syntax
policy <POLICY_NAME>
no policy
Parameters
<POLICY_NAME> – IPS service policy name, specified by a string of up to 32 characters.
Required privilege level
10
Command mode
CONFIG-IPS
Example
esr(config-ips)# policy OFFICE
service-ips enable
This command is used to enable the IPS/IDS service on the network interface.
The use of a negative form (no) of the command disables the IPS/IDS service on the network interface.
Syntax
[no] service-ips enable
Required privilege level
15
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-SUBIF
CONFIG-QINQ-IF
CONFIG-PORT-CHANNEL
CONFIG-BRIDGE
CONFIG-MULTILINK
Example
esr(config-if-gi)# service-ips enable
Configuration of IPS/IDS rules autoupdate from external sources
auto-upgrade
This command switches to the configuration mode of the sources of rule updates for the service.
Syntax
auto-upgrade
Required privilege level
15
Command mode
CONFIG-IPS
Example
esr(config-ips)# auto-upgrade
upgrade interval
This command sets how often the device checks the configured URL for updates of the IPS/IDS rules and/or the IPS/IDS classifier file.
The use of a negative form (no) of the command sets the default value.
Syntax
upgrade interval <HOURS>
no upgrade interval
Parameters
<HOURS> – update interval in hours, from 1 to 240.
Default value
24
Required privilege level
15
Command mode
CONFIG-IPS-UPGRADE-USER-SERVER
Example
esr(config-ips-upgrade-user-server)# upgrade interval 36
url
This command specifies the URL of the rule update source.
The use of a negative form (no) of the command removes the link from the IPS/IDS rule update source configuration.
Syntax
url <URL>
no url
Parameters
<URL> – URL of the update source, a string of 8 to 255 characters.
The URL may point to:
- rule file with the .rule extension.
- rule classifier file named classification.config
- directory on the server containing rule files and/or rule classifier file.
Required privilege level
15
Command mode
CONFIG-IPS-UPGRADE-USER-SERVER
Example
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/
user-server
This command sets the name of the user IPS/IDS rule update server and switches to the configuration mode of the user update server settings.
The use of a negative form (no) of the command removes the user IPS/IDS rule update server and all the rules received from this server.
Syntax
user-server <WORD>
no user-server {<WORD>|all}
Parameters
<WORD> – server name, specified by the string from 1 to 31 characters long.
Required privilege level
15
Command mode
CONFIG-IPS-AUTO-UPGRADE
Example
esr(config-ips-auto-upgrade)# user-server ET-Open
User IPS/IDS rules configuration
action
This command specifies the action applied to traffic that matches this rule.
The use of a negative form (no) of the command removes an assigned action.
Syntax
action { alert | reject | pass | drop }
no action
Parameters:
alert – traffic is allowed and the IPS/IDS service generates a message
reject – traffic is prohibited. For TCP traffic, a TCP RST packet is sent to both the sender and the recipient; for other traffic types, an ICMP error packet is sent. The IPS/IDS service generates a message;
pass – traffic transfer is permitted;
drop – traffic is prohibited and the IPS/IDS service generates a message.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# action reject
destination-address
The command sets destination IP addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
destination-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
no destination-address
Parameters
<ADDR> – receiver IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].
<OBJ_GR_NAME> – name of IP addresses profile that contains destination IP address, set by the string of up to 31 characters.
destination-address policy-object-group protect – sets the protected addresses defined in the IPS/IDS policy as destination addresses;
destination-address policy-object-group external – sets the external addresses defined in the IPS/IDS policy as destination addresses.
When specifying the 'any' value, the rule will be triggered for any destination IP address.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# destination-address ip 10.10.10.1
destination-port
This command sets the destination TCP/UDP port number for which the rule should work.
The use of a negative form (no) of the command removes the assignment.
Syntax
destination-port {any | <PORT> | object-group <OBJ-GR-NAME> }
no destination-port
Parameters
<PORT> – number of destination TCP/UDP port, takes values of [1..65535].
<OBJ_GR_NAME> – recipient TCP/UDP ports profile name, set by a string of up to 31 characters.
When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# destination-port 22
direction
This command sets traffic direction for which the rule should be triggered.
The use of a negative form (no) of the command removes the assignment.
Syntax
direction { one-way | round-trip }
no direction
Parameters
one-way – traffic is transmitted in one direction.
round-trip – traffic is transmitted in both directions.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# direction one-way
ip dscp
This command sets the DSCP value of the traffic to be processed by this rule.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip dscp <DSCP>
[no] ip dscp
Parameters
<DSCP> – DSCP code value, takes values in the range of [0..63].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip dscp 8
ip http
This command sets the HTTP keyword values for which the rule should be triggered.
This command is applicable only for the protocol http value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip http <COMMAND>
[no] ip http
Parameters
<COMMAND> – can take the following values:
- accept
- accept-enc
- accept-lang
- client-body
- connection
- content-len
- content-type
- cookie
- file-data
- header
- header-names
- host
- method
- protocol
- referer
- request-line
- response-line
- server-body
- start
- stat-code
- stat-msg
- uri
- urilen
- urilen comparison-operator
- user-agent
The values and usage of the HTTP keywords are described in detail in the SNORT 2.X/Suricata 4.X documentation.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content «HTTP/1.0»
esr(config-ips-category-rule)# ip http protocol
ip icmp code
This command sets the ICMP CODE value at which the rule will be triggered.
This command is applicable only for protocol icmp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp code <CODE>
[no] ip icmp code
Parameters
<CODE> – ICMP CODE value, takes a value in the range [0..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp code 5
ip icmp code comparison-operator
Comparison operator for ip icmp code command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
ip icmp code comparison-operator { greater-than | less-than }
[no] ip icmp code comparison-operator
Parameters
greater-than – greater than.
less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp code 5
esr(config-ips-category-rule)# ip icmp code comparison-operator less-than
ip icmp id
This command sets the ICMP ID value at which the rule will be triggered.
This command is applicable only for protocol icmp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp id <ID>
[no] ip icmp id
Parameters
<ID> – ICMP ID value, takes a value in the range [0..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp id 65000
ip icmp sequence id
This command sets the ICMP sequence-ID value at which the rule will be triggered.
This command is applicable only for protocol icmp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp sequence-id <SEQ-ID>
[no] ip icmp sequence-id
Parameters
<SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp sequence-id 8388608
ip icmp type
This command sets the ICMP TYPE value at which the rule will be triggered.
This command is applicable only for protocol icmp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip icmp type <TYPE>
[no] ip icmp type
Parameters
<TYPE> – ICMP TYPE value, takes a value in the range [0..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp type 12
ip icmp type comparison-operator
Comparison operator for ip icmp type command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
ip icmp type comparison-operator { greater-than | less-than }
[no] ip icmp type comparison-operator
Parameters
greater-than – greater than.
less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip icmp type 14
esr(config-ips-category-rule)# ip icmp type comparison-operator greater-than
ip protocol-id
This command sets the IP protocol number of the traffic to be processed by this rule.
This command is applicable only for protocol any value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip protocol-id <ID>
[no] ip protocol-id
Parameters
<ID> – IP protocol number, takes values in the range [1..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip protocol-id 250
ip tcp acknowledgment-number
This command sets the TCP Acknowledgment-Number at which the rule will be triggered.
This command is applicable only for the protocol tcp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip tcp acknowledgment-number <ACK-NUM>
[no] ip tcp acknowledgment-number
Parameters
<ACK-NUM> – TCP Acknowledgement-Number value, takes a value in the range [0..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip tcp acknowledgment-number 32
ip tcp sequence-id
This command sets the TCP Sequence-ID value at which the rule will be triggered.
This command is applicable only for the protocol tcp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip tcp sequence-id <SEQ-ID>
[no] ip tcp sequence-id
Parameters
<SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip tcp sequence-id 2542
ip tcp window-size
This command sets the TCP Window Size at which the rule will be triggered.
This command is applicable only for the protocol tcp value.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip tcp window-size <SIZE>
[no] ip tcp window-size
Parameters
<SIZE> – TCP Window-Size value, takes a value in the range [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip tcp window-size 50
ip ttl
This command sets the IP TTL (time to live) value of the traffic to be processed by this rule.
The use of a negative form (no) of the command cancels the assignment.
Syntax
ip ttl <TTL>
[no] ip ttl
Parameters
<TTL> – IP packet TTL value, takes values in the range [1..255].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip ttl 8
ip ttl comparison-operator
Comparison operator for ip ttl command. Applicable only in conjunction with this command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
ip ttl comparison-operator { greater-than | less-than }
[no] ip ttl comparison-operator
Parameters
greater-than – greater than.
less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# ip ttl 5
esr(config-ips-category-rule)# ip ttl comparison-operator less-than
meta classification-type
This command defines the classification of the event that the IPS/IDS service generates when the rule is triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | successful-recon-limited | successful-recon-largescale | attempted-dos | successful-dos | attempted-user | unsuccessful-user | successful-user | attempted-admin | successful-admin | rpc-portmap-decode | shellcode-detect | string-detect | suspicious-filename-detect | suspicious-login | system-call-detect | tcp-connection | trojan-activity | unusual-client-port-connection | network-scan | denial-of-service | non-standard-protocol | protocol-command-decode | web-application-activity | web-application-attack | misc-activity | misc-attack | icmp-event | inappropriate-content | policy-violation | default-login-attempt }
[no] meta classification-type
Parameters
not-suspicious – not suspicious traffic.
unknown – unknown traffic.
bad-unknown – potentially bad traffic.
attempted-recon – information leak attempt.
successful-recon-limited – information leak.
successful-recon-largescale – large-scale information leak.
attempted-dos – denial of service attempt.
successful-dos – denial of service.
attempted-user – attempt to obtain user privileges.
unsuccessful-user – unsuccessful attempt to obtain user privileges.
successful-user – successful attempt to obtain user privileges.
attempted-admin – attempt to obtain admin privileges.
successful-admin – successful attempt to obtain admin privileges.
rpc-portmap-decode – RPC request decoding.
shellcode-detect – executable code detected.
string-detect – suspicious string detected.
suspicious-filename-detect – suspicious filename was detected.
suspicious-login – attempt to log in using a suspicious username was detected.
system-call-detect – system call was detected.
tcp-connection – TCP connection was detected.
trojan-activity – network Trojan was detected.
unusual-client-port-connection – the client used an unusual port.
network-scan – network scan was detected.
denial-of-service – denial of service attack was detected.
non-standard-protocol – custom protocol or event was detected.
protocol-command-decode – encryption attempt was detected.
web-application-activity – access to a potentially vulnerable web application.
web-application-attack – attack on web application.
misc-activity – other activity.
misc-attack – other attacks.
icmp-event – general ICMP event.
inappropriate-content – inappropriate content was detected.
policy-violation – potential breach of corporate privacy.
default-login-attempt – login attempt using a standard login/password.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# meta classification-type misc-attack
meta log-message
This command defines the text message that the IPS/IDS service generates when the rule is triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
meta log-message <MESSAGE>
[no] meta log-message
Parameters
<MESSAGE> – text message, specified by a string of up to 128 characters.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# meta log-message «Possible SlowLorys attack»
payload content
This command specifies the packet payload content that, when matched, triggers the rule.
The use of a negative form (no) of the command cancels the assignment.
Syntax
payload content <CONTENT>
[no] payload content <CONTENT>
Parameters
<CONTENT> – text message, specified by a string of up to 1024 characters.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content «virus»
payload data-size
This command sets the packet payload size at which the rule will be triggered.
The use of a negative form (no) of the command cancels the assignment.
Syntax
payload data-size <SIZE>
[no] payload data-size
Parameters
<SIZE> – packet payload size, takes values in the range of [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload data-size 1024
payload data-size comparison-operator
Comparison operator for the payload data-size command. Applicable only in conjunction with that command.
The use of a negative form (no) of the command cancels the comparison.
Syntax
payload data-size comparison-operator { greater-than | less-than }
[no] payload data-size comparison-operator
Parameters
greater-than – greater than.
less-than – less than.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload data-size 1024
esr(config-ips-category-rule)# payload data-size comparison-operator less-than
payload depth
This command specifies how many bytes from the beginning of the packet payload are checked by this rule. It is used only in conjunction with the payload content command and may be combined with the payload offset command.
The use of a negative form (no) of the command means that the entire packet payload is searched for the content.
Syntax
payload depth <DEPTH>
[no] payload content depth
Parameters
<DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content «abc»
esr(config-ips-category-rule)# payload depth 3
Packets with the contents «abcdef», «abc123», «abcabcabc», etc., will match the rule.
payload no-case
This command makes the payload content match case-insensitive. It is used only in conjunction with the payload content command.
The use of a negative form (no) of the command cancels the assignment.
Syntax
payload no-case
[no] payload content no-case
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content «virus»
esr(config-ips-category-rule)# payload no-case
Packets with the contents «virus», «VIRUS», «ViRuS», etc., will match the rule.
payload offset
This command specifies the offset in bytes from the beginning of the packet payload at which the check begins. It is used only in conjunction with the payload content command and may be combined with the payload depth command.
The use of a negative form (no) of the command means that the entire packet payload is searched for the content.
Syntax
payload offset <OFFSET>
[no] payload content offset
Parameters
<OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1 .. 65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# payload content «abc»
esr(config-ips-category-rule)# payload depth 6
esr(config-ips-category-rule)# payload offset 3
Packets with the contents '123abcdef', 'defabc', 'abcabcabc', etc., will match the rule.
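To make the interplay of payload content, depth, offset and no-case concrete, here is an added Python model of the matching logic (illustration only, not code from the ESR firmware). It assumes Snort/Suricata semantics for the keywords: the offset is counted from the first payload byte and the depth window is counted from the offset point, which is consistent with all three examples on this page.

```python
"""Model of the payload content / depth / offset / no-case rule options.

Added illustration, not ESR firmware code. Assumes Snort/Suricata
semantics: offset = first payload byte to inspect, depth = how many
bytes from that point may be inspected, no-case = ASCII-insensitive.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class PayloadRule:
    content: bytes               # payload content <CONTENT>
    depth: Optional[int] = None  # payload depth <DEPTH>; None = whole payload
    offset: int = 0              # payload offset <OFFSET>; 0 = from the start
    no_case: bool = False        # payload no-case

    def search_window(self, payload: bytes) -> bytes:
        """Return the slice of the payload the rule is allowed to inspect."""
        start = self.offset
        end = len(payload) if self.depth is None else start + self.depth
        # An offset past the end of the payload yields an empty window,
        # so a short packet can never match by accident.
        return payload[start:end]

    def matches(self, payload: bytes) -> bool:
        """True if the content occurs inside the search window."""
        window = self.search_window(payload)
        needle = self.content
        if self.no_case:
            window, needle = window.lower(), needle.lower()
        return needle in window


def evaluate(rule: PayloadRule, payloads: Iterable[bytes]) -> Dict[bytes, bool]:
    """Run one rule over several constructed payloads and report each verdict."""
    return {p: rule.matches(p) for p in payloads}


# Rules corresponding to the three CLI examples above.
DEPTH_RULE = PayloadRule(content=b"abc", depth=3)             # content «abc», depth 3
NOCASE_RULE = PayloadRule(content=b"virus", no_case=True)     # content «virus», no-case
OFFSET_RULE = PayloadRule(content=b"abc", depth=6, offset=3)  # content «abc», depth 6, offset 3

# Constructed sample payloads: the page's examples plus near-misses.
DEPTH_SAMPLES = [b"abcdef", b"abc123", b"abcabcabc", b"xabc"]
NOCASE_SAMPLES = [b"virus", b"VIRUS", b"ViRuS", b"viral"]
OFFSET_SAMPLES = [b"123abcdef", b"defabc", b"abcabcabc", b"abcxyz"]

if __name__ == "__main__":
    for name, rule, samples in (("depth", DEPTH_RULE, DEPTH_SAMPLES),
                                ("no-case", NOCASE_RULE, NOCASE_SAMPLES),
                                ("offset", OFFSET_RULE, OFFSET_SAMPLES)):
        for payload, hit in evaluate(rule, samples).items():
            print(f"{name:8} {payload!r:14} -> {'match' if hit else 'no match'}")
```

The near-miss payloads (b"xabc", b"viral", b"abcxyz") show why the depth window and the offset start point matter: the same bytes that match in the page's examples do not match once they fall outside the inspected slice.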
protocol
This command sets the IP protocol for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
protocol { any | ip | icmp | http | tcp | udp }
[no] protocol
Parameters
any – the rule will be triggered for any protocols.
ip – the rule will be triggered for ip. You can configure additional filtering in the rule with the ip protocol-id command.
icmp – the rule will be triggered for icmp. When this option is selected, the values of source-port and destination-port must be any. You can configure additional filtering in the rule with the ip icmp commands.
http – the rule will be triggered for http. You can configure additional filtering in the rule with the ip http commands.
tcp – the rule will be triggered for tcp. You can configure additional filtering in the rule with the ip tcp commands.
udp – the rule will be triggered for udp. You can configure additional filtering in the rule with the ip udp commands.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# protocol udp
rule
This command creates a rule and switches to the CONFIG-IPS-CATEGORY-RULE configuration mode. The device processes the rules in ascending order of their numbers.
The use of a negative form (no) of the command removes a specified rule.
Syntax
[no] rule <ORDER>
Parameters
<ORDER> – rule number, takes values of [1..256].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY
Example
esr(config-ips-category)# rule 10
esr(config-ips-category-rule)#
security ips-category user-defined
This command creates a set of IPS/IDS service user rules with a specific name and switches to the configuration mode of this set.
The use of a negative form (no) of the command removes the specified set of IPS/IDS service user rules.
Syntax
[no] security ips-category user-defined <CATEGORY_NAME>
Parameters
<CATEGORY_NAME> – name of the set of IPS/IDS service user rules, specified by a string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# security ips-category user-defined PROTOCOL
esr(config-ips-category)#
source-address
This command sets the source IP addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
no source-address
Parameters
<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].
<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.
source-address policy-object-group protect – sets the protected addresses defined in the IPS/IDS policy as source addresses;
source-address policy-object-group external – sets the external addresses defined in the IPS/IDS policy as source addresses.
When specifying the 'any' value, the rule will be triggered for any source IP address.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# source-address ip-prefix 192.168.0.0/16
source-port
This command sets the source TCP/UDP port number for which the rule should work.
The use of a negative form (no) of the command removes the assignment.
Syntax
source-port {any | <PORT> | object-group <OBJ-GR-NAME> }
no source-port
Parameters
<PORT> – number of source TCP/UDP port, takes values of [1..65535].
<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.
When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# source-port 22
threshold count
This command specifies the threshold number of packets at which the rule will be triggered.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold count <COUNT>
[no] threshold count
Parameters
<COUNT> – number of packets, takes values in the range of [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold count 1024
threshold second
This command sets the time interval over which the threshold packet count is evaluated. It is used only in conjunction with the threshold count command.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold second <SECOND>
[no] threshold second
Parameters
<SECOND> – time interval in seconds, takes values in the range of [1..65535].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold second 1
threshold track
This command sets whether the threshold packet count is tracked per source IP address or per destination IP address. It is used only in conjunction with the threshold count command.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold track { by-src | by-dst }
[no] threshold track
Parameters
by-src – the threshold is counted separately for packets with the same source IP address.
by-dst – the threshold is counted separately for packets with the same destination IP address.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold track by-src
threshold type
This command sets the threshold processing method. This command is used in conjunction with the threshold count command only.
The use of a negative form (no) of the command removes the assignment.
Syntax
threshold type { threshold | limit | both }
[no] threshold type
Parameters
threshold – generate a message every time the <COUNT> threshold is reached within the <SECOND> time interval.
limit – issue a message no more than <COUNT> times per time interval <SECOND>.
both – threshold and limit combination. A message will be generated if during the <SECOND> time interval there were <COUNT> or more packets matching the rule conditions, and the message will be sent only once during the time interval.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE
Example
esr(config-ips-category-rule)# threshold count 1024
esr(config-ips-category-rule)# threshold second 1
esr(config-ips-category-rule)# threshold track by-src
esr(config-ips-category-rule)# threshold type threshold
A message will be generated for every 1024th packet (the X*1024-th packet) arriving within 1 second from one source IP address.
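The three threshold types are easiest to compare by running the same packet sequence through each of them. The following Python simulation is an added illustration, not ESR firmware code; it models the Snort/Suricata threshold keyword semantics (a fixed interval opened by the first matching packet per tracked address), which is an assumption about how the device implements threshold count / second / track / type.

```python
"""Simulation of threshold count / second / track / type.

Added illustration, not ESR firmware code. Assumes Snort/Suricata
'threshold' keyword semantics: the <SECOND> interval starts with the
first matching packet seen for a tracked address and is reopened once
it has expired.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source IP address
    dst: str    # destination IP address


@dataclass
class Threshold:
    count: int                  # threshold count <COUNT>
    seconds: int                # threshold second <SECOND>
    track: str = "by-src"       # threshold track { by-src | by-dst }
    kind: str = "threshold"     # threshold type { threshold | limit | both }
    # per tracked address: (interval start, matching packets seen, messages sent)
    _state: Dict[str, Tuple[float, int, int]] = field(default_factory=dict)

    def _key(self, pkt: Packet) -> str:
        return pkt.src if self.track == "by-src" else pkt.dst

    def process(self, pkt: Packet) -> bool:
        """Feed one rule-matching packet; return True if a message is generated."""
        key = self._key(pkt)
        start, hits, sent = self._state.get(key, (pkt.ts, 0, 0))
        if pkt.ts - start >= self.seconds:          # interval expired: open a new one
            start, hits, sent = pkt.ts, 0, 0
        hits += 1
        if self.kind == "threshold":
            fire = hits % self.count == 0            # every time COUNT is reached
        elif self.kind == "limit":
            fire = sent < self.count                 # at most COUNT messages per interval
        elif self.kind == "both":
            fire = hits >= self.count and sent == 0  # once per interval, when COUNT reached
        else:
            raise ValueError(f"unknown threshold type {self.kind!r}")
        if fire:
            sent += 1
        self._state[key] = (start, hits, sent)
        return fire


def alerting_packets(th: Threshold, packets: List[Packet]) -> List[int]:
    """Return the 1-based positions of the packets that produced a message."""
    return [i for i, p in enumerate(packets, 1) if th.process(p)]


# Constructed traffic, in arrival order: six matching packets from 10.0.0.5
# and two from 10.0.0.6 within one second, then one more from 10.0.0.5 after
# its interval has expired. All go to the same destination.
DST = "192.0.2.10"
SAMPLE = [
    Packet(0.00, "10.0.0.5", DST),   # 1
    Packet(0.10, "10.0.0.5", DST),   # 2
    Packet(0.20, "10.0.0.5", DST),   # 3
    Packet(0.25, "10.0.0.6", DST),   # 4
    Packet(0.30, "10.0.0.5", DST),   # 5
    Packet(0.35, "10.0.0.6", DST),   # 6
    Packet(0.40, "10.0.0.5", DST),   # 7
    Packet(0.50, "10.0.0.5", DST),   # 8
    Packet(1.50, "10.0.0.5", DST),   # 9: new interval for 10.0.0.5
]

if __name__ == "__main__":
    for kind in ("threshold", "limit", "both"):
        th = Threshold(count=3, seconds=1, track="by-src", kind=kind)
        print(f"type {kind:9} by-src -> messages on packets {alerting_packets(th, SAMPLE)}")
    th = Threshold(count=3, seconds=1, track="by-dst", kind="threshold")
    print(f"type threshold by-dst -> messages on packets {alerting_packets(th, SAMPLE)}")
```

With count 3 and second 1, type threshold fires on the 3rd and 6th packet from 10.0.0.5 and never for 10.0.0.6, type limit fires on the first three packets of each source and again when the new interval opens, and type both fires exactly once per interval.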
Extended user rules configuration
rule-advanced
This command creates a rule and switches to the CONFIG-IPS-CATEGORY-RULE-ADVANCED configuration mode. The device processes the rules in ascending order of their numbers.
The use of a negative form (no) of the command removes a specified rule.
Syntax
[no] rule-advanced <ORDER>
Parameters
<ORDER> – rule number, takes values of [1..4294967295].
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE-ADVANCED
Example
esr(config-ips-category)# rule-advanced 10
esr(config-ips-category-rule-advanced)#
rule-text
This command describes the traffic processing rule in SNORT 2.X/Suricata 4.X format.
The use of a negative form (no) of the command cancels the assignment.
Syntax
rule-text <LINE>
[no] rule-text
Parameters
<LINE> – text message in SNORT 2.X/Suricata 4.X format, specified by a string of up to 1024 characters.
When writing rules, the double-quote character (") used in SNORT/Suricata rule syntax must be replaced with the single-quote character ('), as in the example below.
Required privilege level
15
Command mode
CONFIG-IPS-CATEGORY-RULE-ADVANCED
Example
esr(config-ips-category-rule-advanced)# rule-text «alert tcp any any -> $HOME_NET any (msg: 'ATTACK [PTsecurity] Attempt to crash named using malformed RNDC packet'; flow: established, to_server; content:'_auth'; depth: 20; fast_pattern; content: !'|02 00 00 00|'; within: 4; content: '_ctrl'; content: '_ser'; content: '_tim'; content: '_exp'; reference: cve, 2016-1285; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10000005; rev: 3; )»