config ips sensor
Configure IPS sensor.
config ips sensor
    Description: Configure IPS sensor.
    edit <name>
        set comment {var-string}
        set replacemsg-group {string}
        set block-malicious-url [disable|enable]
        set scan-botnet-connections [disable|block|...]
        set extended-log [enable|disable]
        config entries
            Description: IPS sensor filter.
            edit <id>
                set rule <id1>, <id2>, ...
                set location {user}
                set severity {user}
                set protocol {user}
                set os {user}
                set application {user}
                set default-action [all|pass|...]
                set default-status [all|enable|...]
                set cve <cve-entry1>, <cve-entry2>, ...
                set vuln-type <id1>, <id2>, ...
                set last-modified {user}
                set status [disable|enable|...]
                set log [disable|enable]
                set log-packet [disable|enable]
                set log-attack-context [disable|enable]
                set action [pass|block|...]
                set rate-count {integer}
                set rate-duration {integer}
                set rate-mode [periodical|continuous]
                set rate-track [none|src-ip|...]
                config exempt-ip
                    Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                    edit <id>
                        set src-ip {ipv4-classnet}
                        set dst-ip {ipv4-classnet}
                    next
                end
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
            next
        end
    next
end
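The following is an added worked example, not taken from the Fortinet reference, showing how the sensor, entries and exempt-ip sections above fit together for a server-facing segment. The sensor name, the scanner address 10.0.10.5, the quarantine expiry and the rate thresholds are constructed values; the severity names (high, critical, medium) and the location value server are assumed to be valid option names, since the reference lists those fields only as {user}.

```text
# Added example (not the Fortinet reference's own configuration).
# Constructed values: sensor name, 10.0.10.5, 30m, rate thresholds.
# Assumed option names: high, critical, medium (severity); server (location).
config ips sensor
    edit "web-dmz-protect"
        set comment "Block high/critical server-side signatures; rate-limit medium ones"
        set block-malicious-url enable
        set scan-botnet-connections block
        set extended-log enable
        config entries
            # Entry 1: every high/critical server-side signature is blocked.
            # Packet and attack-context logging keep the evidence an analyst
            # needs to confirm a true positive from the log alone.
            edit 1
                set location server
                set severity high critical
                set status enable
                set log enable
                set log-packet enable
                set log-attack-context enable
                set action block
                # The internal vulnerability scanner deliberately trips these
                # signatures; exempt its address so it is never quarantined.
                config exempt-ip
                    edit 1
                        set src-ip 10.0.10.5 255.255.255.255
                        set dst-ip 0.0.0.0 0.0.0.0
                    next
                end
                set quarantine attacker
                set quarantine-expiry 30m
                set quarantine-log enable
            next
            # Entry 2: medium-severity signatures are blocked only when one
            # source triggers them 20 times within 60 seconds (rate-based),
            # so a single noisy request does not cause a block.
            edit 2
                set location server
                set severity medium
                set status enable
                set log enable
                set action block
                set rate-count 20
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
            next
        end
    next
end
```

Two design points are worth checking before applying something like this. First, an exempt-ip list is scoped to the entry it sits under, so a scanner exemption in entry 1 does nothing for entry 2; repeat it where needed. Second, quarantine attacker with a long expiry turns any false positive into a self-inflicted outage for that source, which is why the example keeps quarantine on the high/critical entry only and pairs it with quarantine-log so the block is visible in the logs. The sensor has no effect until a firewall policy references it; log-packet also consumes log storage per match, so enable it on narrow, high-value entries rather than on a catch-all.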
config ips sensor

Parameter | Description | Type | Size | Default
---|---|---|---|---
comment | Comment. | var-string | Not Specified |
replacemsg-group | Replacement message group. | string | Not Specified |
block-malicious-url | Enable/disable malicious URL blocking. | option | - | disable
scan-botnet-connections | Block or monitor connections to Botnet servers, or disable Botnet scanning. | option | - | disable
extended-log | Enable/disable extended logging. | option | - | disable
config entries

Parameter | Description | Type | Size | Default
---|---|---|---|---
rule | Identifies the predefined or custom IPS signatures to add to the sensor, by rule ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
location | Protect client or server traffic. | user | Not Specified | all
severity | Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. | user | Not Specified | all
protocol | Protocols to be examined. Use all for every protocol and other for unlisted protocols. | user | Not Specified | all
os | Operating systems to be protected. Use all for every operating system and other for unlisted operating systems. | user | Not Specified | all
application | Applications to be protected. Use all for every application and other for unlisted applications. | user | Not Specified | all
default-action | Signature default action filter. | option | - | all
default-status | Signature default status filter. | option | - | all
cve | List of CVE IDs of the signatures to add to the sensor. CVE IDs or CVE wildcards. | string | Maximum length: 19 |
vuln-type | List of signature vulnerability types to filter by (vulnerability type ID). | integer | Minimum value: 0 Maximum value: 4294967295 |
last-modified | Filter by signature last modified date. Formats: before <date>, after <date>, between <start-date> <end-date>. | user | Not Specified |
status | Status of the signatures included in the filter. Only filters whose status is set to enable are used. | option | - | default
log | Enable/disable logging of signatures included in the filter. | option | - | enable
log-packet | Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use. | option | - | disable
log-attack-context | Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. | option | - | disable
action | Action taken with traffic in which signatures are detected. | option | - | default
rate-count | Number of signature matches for rate-based detection. | integer | Minimum value: 0 Maximum value: 65535 | 0
rate-duration | Duration (sec) of the rate. | integer | Minimum value: 1 Maximum value: 65535 | 60
rate-mode | Rate limit mode. | option | - | continuous
rate-track | Track the packet protocol field. | option | - | none
quarantine | Quarantine method. | option | - | none
quarantine-expiry | Duration of quarantine. Requires quarantine set to attacker. | user | Not Specified | 5m
quarantine-log | Enable/disable quarantine logging. | option | - | enable
config exempt-ip

Parameter | Description | Type | Size | Default
---|---|---|---|---
src-ip | Source IP address and netmask (applies to packets matching the signature). | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0
dst-ip | Destination IP address and netmask (applies to packets matching the signature). | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0