config ips sensor
Configure IPS sensor.
config ips sensor Description: Configure IPS sensor. edit <name> set comment {var-string} set replacemsg-group {string} set block-malicious-url [disable|enable] set scan-botnet-connections [disable|block|...] set extended-log [enable|disable] config entries Description: IPS sensor filter. edit <id> set rule <id1>, <id2>, ... set location {user} set severity {user} set protocol {user} set os {user} set application {user} set default-action [all|pass|...] set default-status [all|enable|...] set cve <cve-entry1>, <cve-entry2>, ... set vuln-type <id1>, <id2>, ... set last-modified {user} set status [disable|enable|...] set log [disable|enable] set log-packet [disable|enable] set log-attack-context [disable|enable] set action [pass|block|...] set rate-count {integer} set rate-duration {integer} set rate-mode [periodical|continuous] set rate-track [none|src-ip|...] config exempt-ip Description: Traffic from selected source or destination IP addresses is exempt from this signature. edit <id> set src-ip {ipv4-classnet} set dst-ip {ipv4-classnet} next end set quarantine [none|attacker] set quarantine-expiry {user} set quarantine-log [disable|enable] next end next end
config ips sensor
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
name |
Sensor name. |
string |
Maximum length: 35 |
|
||||||||
comment |
Comment. |
var-string |
Maximum length: 255 |
|
||||||||
replacemsg-group |
Replacement message group. |
string |
Maximum length: 35 |
|
||||||||
block-malicious-url |
Enable/disable malicious URL blocking. |
option |
- |
disable |
||||||||
|
|
|||||||||||
scan-botnet-connections |
Block or monitor connections to Botnet servers, or disable Botnet scanning. |
option |
- |
disable |
||||||||
|
|
|||||||||||
extended-log |
Enable/disable extended logging. |
option |
- |
disable |
||||||||
|
|
config entries
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
id |
Rule ID in IPS database. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||||||
rule |
Identifies the predefined or custom IPS signatures to add to the sensor. Rule IPS. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|
||||||||||||
location |
Protect client or server traffic. |
user |
Not Specified |
all |
||||||||||||
severity |
Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. |
user |
Not Specified |
all |
||||||||||||
protocol |
Protocols to be examined. Use all for every protocol and other for unlisted protocols. |
user |
Not Specified |
all |
||||||||||||
os |
Operating systems to be protected. Use all for every operating system and other for unlisted operating systems. |
user |
Not Specified |
all |
||||||||||||
application |
Operating systems to be protected. Use all for every application and other for unlisted application. |
user |
Not Specified |
all |
||||||||||||
default-action |
Signature default action filter. |
option |
- |
all |
||||||||||||
|
|
|||||||||||||||
default-status |
Signature default status filter. |
option |
- |
all |
||||||||||||
|
|
|||||||||||||||
cve |
List of CVE IDs of the signatures to add to the sensor. CVE IDs or CVE wildcards. |
string |
Maximum length: 19 |
|
||||||||||||
vuln-type |
List of signature vulnerability types to filter by. Vulnerability type ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|
||||||||||||
last-modified |
Filter by signature last modified date. Formats: before <date>, after <date>, between <start-date> <end-date>. |
user |
Not Specified |
|
||||||||||||
status |
Status of the signatures included in filter. Only those filters with a status to enable are used. |
option |
- |
default |
||||||||||||
|
|
|||||||||||||||
log |
Enable/disable logging of signatures included in filter. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
log-packet |
Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
log-attack-context |
Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
action |
Action taken with traffic in which signatures are detected. |
option |
- |
default |
||||||||||||
|
|
|||||||||||||||
rate-count |
Count of the rate. |
integer |
Minimum value: 0 Maximum value: 65535 |
0 |
||||||||||||
rate-duration |
Duration (sec) of the rate. |
integer |
Minimum value: 1 Maximum value: 65535 |
60 |
||||||||||||
rate-mode |
Rate limit mode. |
option |
- |
continuous |
||||||||||||
|
|
|||||||||||||||
rate-track |
Track the packet protocol field. |
option |
- |
none |
||||||||||||
|
|
|||||||||||||||
quarantine |
Quarantine method. |
option |
- |
none |
||||||||||||
|
|
|||||||||||||||
quarantine-expiry |
Duration of quarantine.. Requires quarantine set to attacker. |
user |
Not Specified |
5m |
||||||||||||
quarantine-log |
Enable/disable quarantine logging. |
option |
- |
enable |
||||||||||||
|
|
config exempt-ip
Parameter |
Description |
Type |
Size |
Default |
---|---|---|---|---|
id |
Exempt IP ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
src-ip |
Source IP address and netmask (applies to packet matching the signature). |
ipv4-classnet |
Not Specified |
0.0.0.0 0.0.0.0 |
dst-ip |
Destination IP address and netmask (applies to packet matching the signature). |
ipv4-classnet |
Not Specified |
0.0.0.0 0.0.0.0 |