config ips sensor
Configure IPS sensor.

    config ips sensor
        Description: Configure IPS sensor.
        edit <name>
            set comment {var-string}
            set replacemsg-group {string}
            set block-malicious-url [disable|enable]
            set scan-botnet-connections [disable|block|...]
            set extended-log [enable|disable]
            config entries
                Description: IPS sensor filter.
                edit <id>
                    set rule <id1>, <id2>, ...
                    set location {user}
                    set severity {user}
                    set protocol {user}
                    set os {user}
                    set application {user}
                    set cve <cve-entry1>, <cve-entry2>, ...
                    set status [disable|enable|...]
                    set log [disable|enable]
                    set log-packet [disable|enable]
                    set log-attack-context [disable|enable]
                    set action [pass|block|...]
                    set rate-count {integer}
                    set rate-duration {integer}
                    set rate-mode [periodical|continuous]
                    set rate-track [none|src-ip|...]
                    config exempt-ip
                        Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                        edit <id>
                            set src-ip {ipv4-classnet}
                            set dst-ip {ipv4-classnet}
                        next
                    end
                    set quarantine [none|attacker]
                    set quarantine-expiry {user}
                    set quarantine-log [disable|enable]
                next
            end
        next
    end

config ips sensor
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| name | Sensor name. | string | Maximum length: 35 | |
| comment | Comment. | var-string | Maximum length: 255 | |
| replacemsg-group | Replacement message group. | string | Maximum length: 35 | |
| block-malicious-url | Enable/disable malicious URL blocking. | option | - | disable |
| scan-botnet-connections | Block or monitor connections to Botnet servers, or disable Botnet scanning. | option | - | disable |
| extended-log | Enable/disable extended logging. | option | - | disable |

config entries
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | Rule ID in IPS database. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| rule | Identifies the predefined or custom IPS signatures to add to the sensor. Rule IPS. | integer | Minimum value: 0 Maximum value: 4294967295 | |
| location | Protect client or server traffic. | user | Not Specified | all |
| severity | Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. | user | Not Specified | all |
| protocol | Protocols to be examined. Use all for every protocol and other for unlisted protocols. | user | Not Specified | all |
| os | Operating systems to be protected. Use all for every operating system and other for unlisted operating systems. | user | Not Specified | all |
| application | Applications to be protected. Use all for every application and other for unlisted applications. | user | Not Specified | all |
| cve | List of CVE IDs of the signatures to add to the sensor. CVE IDs or CVE wildcards. | string | Maximum length: 19 | |
| status | Status of the signatures included in filter. Only filters with status set to enable are used. | option | - | default |
| log | Enable/disable logging of signatures included in filter. | option | - | enable |
| log-packet | Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use. | option | - | disable |
| log-attack-context | Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. | option | - | disable |
| action | Action taken with traffic in which signatures are detected. | option | - | default |
| rate-count | Count of the rate. | integer | Minimum value: 0 Maximum value: 65535 | 0 |
| rate-duration | Duration (sec) of the rate. | integer | Minimum value: 1 Maximum value: 65535 | 60 |
| rate-mode | Rate limit mode. | option | - | continuous |
| rate-track | Track the packet protocol field. | option | - | none |
| quarantine | Quarantine method. | option | - | none |
| quarantine-expiry | Duration of quarantine. Requires quarantine set to attacker. | user | Not Specified | 5m |
| quarantine-log | Enable/disable quarantine logging. | option | - | enable |

config exempt-ip
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | Exempt IP ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| src-ip | Source IP address and netmask (applies to packet matching the signature). | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0 |
| dst-ip | Destination IP address and netmask (applies to packet matching the signature). | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0 |
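
The following is an added example, not part of the original reference page: a Python check that parses the nested config/edit/set/next/end block format shown in the syntax above and flags filter entries that fall outside the rate-count and rate-duration ranges in the tables, set quarantine-expiry without quarantine attacker, or disable logging. The sensor name, entry IDs and values in `SAMPLE` are constructed, and the function names are this example's own.

```python
import re

# Ranges taken from the "config entries" table on this page.
INT_RANGE = {"rate-count": (0, 65535), "rate-duration": (1, 65535)}

def parse(text):
    """Turn nested config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        # Keep quoted values as one token; blank lines become [""] and match nothing.
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) > 1:
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit(text):
    """Return a (sensor, entry id, message) tuple for each finding."""
    out = []
    for name, sensor in parse(text).get("ips sensor", {}).items():
        for eid, e in sensor.get("entries", {}).items():
            for key, (lo, hi) in INT_RANGE.items():
                v = (e.get(key) or [str(lo)])[0]  # unset keys are treated as in range
                if not v.isdigit() or not lo <= int(v) <= hi:
                    out.append((name, eid, f"{key} outside {lo}-{hi}"))
            if e.get("log") == ["disable"]:
                out.append((name, eid, "log disabled"))
            if "quarantine-expiry" in e and e.get("quarantine") != ["attacker"]:
                out.append((name, eid, "quarantine-expiry without quarantine attacker"))
    return out

# Constructed sample, not taken from a real device.
SAMPLE = """config ips sensor
    edit "branch-office"
        config entries
            edit 1
                set log disable
                set rate-count 70000
                set quarantine-expiry 30m
            next
            edit 2
                set quarantine attacker
                set quarantine-expiry 30m
            next
        end
    next
end"""
```

Calling `audit(SAMPLE)` reports three findings for entry 1 and none for entry 2.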