17-DPI Command Reference

02-IPS commands

IPS commands

display ips policy

Use display ips policy to display IPS policy information.

Syntax

display ips policy policy-name

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.

Examples

# Display information about IPS policy aa.

<Sysname> display ips policy aa

Total signatures        :474       failed:0

 Pre-defined  signatures:474       failed:0

 User-defined signatures:0         failed:0

 

Flag:

  B: Block-source  D: Drop  P: Permit  Rs: Reset  Rd: Redirect  C: Capture  L: Logging

  Pre: predefined  User: user-defined

 

Type RuleID    Target      SubTarget       Severity Category    Status  Action

Pre  1         OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  2         OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  3         Browser     Browser/Interne High     Vulnerabili Enable  RsCL

Pre  4         OfficeSoftw OfficeSoftware/ High     Vulnerabili Enable  RsL

Pre  5         OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  6         OperationSy OperationSystem High     Vulnerabili Disable PL

Pre  7         Browser     Browser/Interne High     Vulnerabili Disable PL

Pre  8         Application ApplicationSoft High     Vulnerabili Enable  RsL

Pre  9         Application ApplicationSoft High     Vulnerabili Enable  RsL

Pre  10        OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  11        Browser     Browser/Interne High     Vulnerabili Enable  RsL

Pre  12        OfficeSoftw OfficeSoftware/ Critical Vulnerabili Disable RsL

Pre  13        OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  14        Application ApplicationSoft High     Vulnerabili Enable  RsL

Pre  15        Browser     Browser/Interne High     Vulnerabili Enable  RsL

Pre  16        OperationSy OperationSystem Critical Vulnerabili Enable  RsL

Pre  17        Browser     Browser/Interne High     Vulnerabili Enable  RsL

Pre  18        OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  19        OfficeSoftw OfficeSoftware/ Critical Vulnerabili Disable RsL

Pre  20        OfficeSoftw OfficeSoftware/ Critical Vulnerabili Enable  RsL

Pre  21        Application ApplicationSoft Critical Vulnerabili Enable  RsL

Pre  23        OperationSy OperationSystem High     Vulnerabili Enable  RsL

Pre  24        Browser     Browser/Interne High     Vulnerabili Disable PL

Pre  25        NetworkDevi NetworkDevice/D High     Vulnerabili Enable  PL

Pre  26        Browser     Browser/Interne High     Vulnerabili Enable  RsL

---- More ----

Table 1 Command output

Field

Description

Total signatures

Total number of IPS signatures.

Pre-defined signatures

Total number of predefined IPS signatures.

User-defined signatures

Total number of user-defined signatures.

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

RuleID

Signature ID.

Target

Attacked target.

SubTarget

Attacked subtarget.

Severity

Attack severity level of the signature, Low, Medium, High, or Critical.

Category

Attack category of the signature.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Redirect—Redirects matching packets to a webpage.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

 

Related commands

ips policy

display ips signature

Use display ips signature to display IPS signature information.

Syntax

display ips signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

pre-defined: Specifies predefined IPS signatures.

user-defined: Specifies user-defined IPS signatures.

direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays IPS signatures with any direction attribute.

·     to-server: Specifies the client to server direction of a session.

·     to-client: Specifies the server to client direction of a session.

·     any: Specifies both directions of a session.

category category-name: Specifies an attack category. If you do not specify an attack category, this command displays IPS signatures for all attack categories.

fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays IPS signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.

·     low: Specifies the low fidelity.

·     medium: Specifies the medium fidelity.

·     high: Specifies the high fidelity.

protocol { icmp | ip | tcp | udp }: Specifies a protocol. If you do not specify a protocol, this command displays IPS signatures for all protocols.

severity { critical | high | low | medium }: Specifies an attack severity. If you do not specify a severity level, this command displays IPS signatures for all severity levels of attacks.

·     low: Specifies the low severity level.

·     medium: Specifies the medium severity level.

·     high: Specifies the high severity level.

·     critical: Specifies the critical severity level.

Usage guidelines

If you do not specify any options, this command displays all IPS signatures.

Examples

# Display predefined IPS signatures of the medium fidelity level for TCP.

<Sysname> display ips signature pre-defined protocol tcp fidelity medium

Pre-defined  signatures:465       failed:0

 

Flag:

  Pre: predefined   User: user-defined

 

Type Sig-ID    Direction Severity Fidelity Category      Protocol

Pre  1         To-server High     Medium   Vulnerability TCP

Pre  2         To-server High     Medium   Vulnerability TCP

Pre  3         To-client High     Medium   Vulnerability TCP

Pre  4         To-client High     Medium   Vulnerability TCP

Pre  5         To-client High     Medium   Vulnerability TCP

Pre  6         To-client High     Medium   Vulnerability TCP

Pre  7         To-client High     Medium   Vulnerability TCP

Pre  8         To-client High     Medium   Vulnerability TCP

Pre  10        To-server High     Medium   Vulnerability TCP

Pre  11        To-client High     Medium   Vulnerability TCP

Pre  12        To-client Critical Medium   Vulnerability TCP

Pre  13        To-client High     Medium   Vulnerability TCP

Pre  14        To-server High     Medium   Vulnerability TCP

Pre  15        To-client High     Medium   Vulnerability TCP

Pre  16        To-client Critical Medium   Vulnerability TCP

Pre  17        To-client High     Medium   Vulnerability TCP

Pre  18        To-client High     Medium   Vulnerability TCP

---- More ----

# Display IPS signatures of the high attack severity level for UDP.

<Sysname> display ips signature severity high protocol udp

Total signatures        :7         failed:0

 Pre-defined  signatures:7         failed:0

 User-defined signatures:0         failed:0

 

Flag:

  Pre: predefined   User: user-defined

 

Type Sig-ID    Direction Severity Fidelity Category      Protocol

Pre  9         To-server High     Medium   Vulnerability UDP

Pre  45        To-server High     Medium   Vulnerability UDP

Pre  187       Any       High     Medium   Vulnerability UDP

Pre  196       Any       High     Medium   Vulnerability UDP

Pre  223       To-server High     Medium   Vulnerability UDP

Pre  234       To-client High     Medium   Vulnerability UDP

Pre  338       To-client High     Medium   Vulnerability UDP

Table 2 Command output

Field

Description

Total signatures

Total number of IPS signatures.

failed

Total number of IPS signatures that failed to be imported and loaded during signature update.

Pre-defined signatures

Total number of predefined IPS signatures.

User-defined signatures

Total number of user-defined signatures.

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

Sig-ID

Signature ID.

Direction

Direction attribute of the signature:

·     Any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Severity

Attack severity level of the signature, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Category

Attack category of the signature.

Protocol

Protocol attribute of the signature.

 

display ips signature { pre-defined | user-defined }

Use display ips signature { pre-defined | user-defined } to display detailed information about an IPS signature.

Syntax

display ips signature { pre-defined | user-defined } signature-id

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

pre-defined: Specifies a predefined signature.

user-defined: Specifies a user-defined signature.

signature-id: Specifies the signature ID. The value range is 1 to 4294967295.

Examples

# Display detailed information about predefined IPS signature 1.

<Sysname> display ips signature pre-defined 1

 Type        : Pre-defined

 Signature ID: 1

 Status      : Enabled

 Action      : Reset & Logging

 Name        : GNU_Bash_CVE-2014-6271_Remote_Code_Execution_Vulnerability

 Protocol    : TCP

 Severity    : High

 Fidelity    : Medium

 Direction   : To-server

 Category    : Vulnerability

 Reference   : CVE-2014-6271;

 Description : GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Table 3 Command output

Field

Description

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

Signature ID

Signature ID.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

Name

Name of the IPS signature.

Protocol

Protocol attribute of the signature.

Severity

Attack severity, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Direction

Direction attribute of the signature:

·     Any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Category

Attack category of the signature.

Reference

Reference for the signature.

Description

Description for the signature.

 

display ips signature information

Use display ips signature information to display IPS signature library information.

Syntax

display ips signature information

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display IPS signature library information.

<Sysname> display ips signature information

IPS signature library information:

Type     SigVersion         ReleaseTime               Size

Current  1.02               Fri Sep 13 09:05:35 2014  71594

Last     -                  -                         -

Factory  1.00               Fri Sep 11 09:05:35 2014  71394

Table 4 Command output

Field

Description

Type

Version type of the IPS signature library:

·     Current—Current version.

·     Last—Previous version.

·     Factory—Factory default version.

SigVersion

Version number of the IPS signature library.

ReleaseTime

Release time of the IPS signature library.

Size

Size of the IPS signature file in bytes.

 

ips parameter-profile

Use ips parameter-profile to specify a parameter profile for an IPS signature action.

Use undo ips parameter-profile to remove the parameter profile from an IPS signature action.

Syntax

ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name

undo ips { block-source | capture | email | logging | redirect } parameter-profile

Default

No parameter profile is specified for an IPS signature action.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

block-source: Specifies a parameter profile for the block-source action.

capture: Specifies a parameter profile for the capture action.

email: Specifies a parameter profile for the email action.

logging: Specifies a parameter profile for the logging action.

redirect: Specifies a parameter profile for the redirect action.

parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify parameter profiles for IPS signature actions. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.

For information about configuring parameter profiles, see DPI Configuration Guide.

Examples

# Create parameter profile ips1. Set the source IP address blocking period to 1111 seconds.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile ips1

[Sysname-inspect-block-source-ips1] block-period 1111

[Sysname-inspect-block-source-ips1] quit

# Specify the parameter profile ips1 for the block-source action.

[Sysname] ips block-source parameter-profile ips1

Related commands

inspect block-source parameter-profile

inspect capture parameter-profile

inspect logging parameter-profile

inspect email parameter-profile

inspect redirect parameter-profile

ips apply policy

Use ips apply policy to apply an IPS policy to a DPI application profile.

Use undo ips apply policy to remove the application.

Syntax

ips apply policy policy-name mode { alert | protect }

undo ips apply policy

Default

No IPS policy is applied to a DPI application profile.

Views

DPI application profile view

Predefined user roles

network-admin

mdc-admin

Parameters

policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.

mode: Specifies an IPS policy mode.

alert: Only captures or logs matching packets.

protect: Takes all actions specified for signatures to process matching packets.

Usage guidelines

You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply IPS policy ips1 to DPI application profile sec. Set the IPS policy mode to protect.

<Sysname> system-view

[Sysname] app-profile sec

[Sysname-app-profile-sec] ips apply policy ips1 mode protect

Related commands

app-profile

ips policy

ips policy

Use ips policy to create an IPS policy and enter its view, or enter the view of an existing IPS policy.

Use undo ips policy to delete an IPS policy.

Syntax

ips policy policy-name

undo ips policy policy-name

Default

An IPS policy named default exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IPS policy includes all signatures on the device, whether the signatures were added before or after the policy was created.

You cannot modify the signatures in the default IPS policy. In a user-defined policy, you can enable or disable a signature, or edit the actions for a signature.

Examples

# Create IPS policy ips1 and enter its view.

<Sysname> system-view

[Sysname] ips policy ips1

[Sysname-ips-policy-ips1]

ips signature auto-update

Use ips signature auto-update to enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

Use undo ips signature auto-update to disable automatic IPS signature library update.

Syntax

ips signature auto-update

undo ips signature auto-update

Default

Automatic IPS signature library update is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After you enable automatic IPS signature library update, the device periodically accesses the H3C website to download the latest IPS signatures.

Examples

# Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate]

Related commands

update schedule

ips signature auto-update-now

Use ips signature auto-update-now to trigger an automatic signature library update manually.

Syntax

ips signature auto-update-now

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After you execute this command, the device immediately starts the automatic signature library update process no matter whether or not automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.

You can execute this command whenever a new version of the signature library is available on the H3C website.

Examples

# Trigger an automatic signature library update manually.

<Sysname> system-view

[Sysname] ips signature auto-update-now

ips signature import snort

Use ips signature import snort to import user-defined IPS signatures.

Syntax

ips signature import snort file-path

Default

No user-defined IPS signatures exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

file-path: Specifies the path of the file where the IPS signatures to be imported are stored. The value for this argument is a string of 1 to 255 characters.

Usage guidelines

To add your own IPS signatures, create an IPS signature file in the Snort format and use this command to import the signatures.

Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.

The following methods are available for IPS signature import:

·     Local method—Imports IPS signatures from a local IPS signature file.

The following describes the format of the file-path parameter for different import scenarios.

 

Import scenario

Format of file-path

Remarks

The import file is stored in the current working directory.

filename

To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference).

The import file is stored in a different directory on the same storage medium.

path/filename

N/A

The import file is stored on a different storage medium.

path/filename

Use the cd command to open the root directory of the storage medium where the file is stored before you import the IPS signatures.

For information about the cd command, see file system management in Fundamentals Command Reference.

 

·     FTP/TFTP method—Imports IPS signatures from an IPS signature file stored on an FTP or TFTP server.

The following describes the format of the file-path parameter for different import scenarios.

 

Import scenario

Format of file-path

Remarks

The import file is stored on an FTP server.

ftp://username:password@server address/filename

The username parameter represents the FTP login username.

The password parameter represents the FTP login password.

The server address parameter represents the IP address or host name of the FTP server.

Replace the following special characters in the FTP login username and password with their respective escape characters:

·     Colon (:)—%3A or %3a.

·     At sign (@)—%40.

·     Forward slash (/)—%2F or %2f.

The import file is stored on a TFTP server.

tftp://server address/filename

The server address parameter represents the IP address or host name of the TFTP server.

 

When you configure a Snort rule in the IPS signature file, follow these restrictions and guidelines:

·     Use the correct syntax for the rule.

·     Specify an SID in the range of 1 to 536870911 for the rule. Rules with larger IDs are invalid.

·     Be sure to configure the msg field for the rule. If the msg field is not configured, the attack name of the rule will not be displayed in the IPS syslog message.

·     Make sure the application specified in the rule is identifiable. Otherwise, no packets can match the rule.
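The restrictions above (well-formed rule, SID in the range of 1 to 536870911, a msg field, an identifiable protocol) are easy to check before the file is imported, since the import overwrites every existing user-defined signature. The checker below is an added example, not H3C code or a format specification from this page: it parses one Snort rule per line, reports which rules break the listed restrictions, and runs on a constructed sample file. It assumes that "identifiable application" corresponds to the four protocol attributes this reference displays (ip, icmp, tcp, udp); that mapping is an assumption, not something the page states.

```python
import re

MAX_SID = 536870911  # largest SID the import accepts; larger IDs are invalid
# Assumption: the engine identifies the protocols listed by "display ips signature protocol".
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}

# Snort 2 rule header followed by a parenthesised option block.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_options(opts):
    """Split the option body on ';' outside quoted strings; returns a list of (key, value)."""
    result, buf, in_quote, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if in_quote and ch == "\\" and i + 1 < len(opts):   # keep escaped char inside quotes
            buf.append(ch)
            buf.append(opts[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(buf).strip()
            if tok:
                key, _, val = tok.partition(":")
                result.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
        i += 1
    tok = "".join(buf).strip()
    if tok:
        key, _, val = tok.partition(":")
        result.append((key.strip(), val.strip()))
    return result


def check_rule(line):
    """Return the list of restriction violations for one rule line; [] means it passes."""
    problems = []
    m = HEADER_RE.match(line.strip())
    if not m:
        return ["syntax: rule header or option block is malformed"]
    if m.group("proto").lower() not in PROTOCOLS:
        problems.append(f"protocol '{m.group('proto')}' is not identifiable; no packet will match")
    opts = dict(parse_options(m.group("opts")))
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("sid: missing or not numeric")
    elif not 1 <= int(sid) <= MAX_SID:
        problems.append(f"sid: {sid} outside 1..{MAX_SID}")
    msg = opts.get("msg", "")
    if not (len(msg) >= 2 and msg[0] == '"' and msg[-1] == '"' and msg[1:-1].strip()):
        problems.append("msg: missing or empty (attack name will not appear in IPS syslog)")
    return problems


def check_file(text):
    """Validate every non-comment line; returns {line_number: [problems]} for failing rules only."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        probs = check_rule(line)
        if probs:
            report[n] = probs
    return report


# Constructed sample file: line 2 is valid, lines 3-6 each break one restriction.
SAMPLE_RULES = """\
# constructed sample (not from the H3C page)
alert tcp any any -> any 80 (msg:"HTTP request carrying a Bash function header"; content:"() {"; sid:1000001; rev:1;)
alert udp any any -> any 53 (content:"|00 00 FF 00 01|"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"SID too large"; sid:536870912; rev:1;)
alert http any any -> any any (msg:"unknown protocol token"; sid:1000004;)
alert tcp any any -> any 443 msg:"missing parentheses"; sid:1000005;
"""

if __name__ == "__main__":
    for lineno, probs in sorted(check_file(SAMPLE_RULES).items()):
        print(f"line {lineno}: " + "; ".join(probs))
```

Run the checker over the rules file before `ips signature import snort`; any reported line should be fixed or removed, because a rule that is silently rejected leaves a gap in coverage and the import replaces the whole user-defined set.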

Examples

# Import IPS signatures from an IPS signature file that is stored on a TFTP server.

<Sysname> system-view

[Sysname] ips signature import snort tftp://192.168.0.1/snort.rules

ips signature rollback

Use ips signature rollback to roll back the IPS signature library.

Syntax

ips signature rollback { factory | last }

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

factory: Rolls back the IPS signature library to the factory default version.

last: Rolls back the IPS signature library to the previous version.

Usage guidelines

If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.

Before performing an IPS signature library rollback, the device backs up the current IPS signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.

Examples

# Roll back the IPS signature library to the previous version.

<Sysname> system-view

[Sysname] ips signature rollback last

ips signature update

Use ips signature update to manually update the IPS signature library.

Syntax

ips signature update [ override-current ] file-path

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

override-current: Overwrites the current IPS signature library without backing up the library. For the device to back up the current IPS signature library before overwriting the library, do not specify this keyword.

file-path: Specifies the IPS signature file path, a string of 1 to 255 characters.

Usage guidelines

If the device cannot access the H3C website, use one of the following methods to manually update the IPS signature library:

·     Local update—Updates the IPS signature library on the device by using the locally stored update IPS signature file.

Store the update file on the correct location for successful signature library update:

◦     In standalone mode, store the update file on the active MPU.

◦     In IRF mode, store the update file on the global active MPU.

The following describes the format of the file-path parameter for different update scenarios.

 

Update scenario

Format of file-path

Remarks

The update file is stored in the current working directory.

filename

To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference).

The update file is stored in a different directory on the same storage medium.

path/filename

N/A

The update file is stored on a different storage medium.

path/filename

Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored.

For information about the cd command, see file system management in Fundamentals Command Reference.

 

·     FTP/TFTP update—Updates the IPS signature library on the device by using the file stored on an FTP or TFTP server.

The following describes the format of the file-path parameter for different update scenarios.

 

Update scenario

Format of file-path

Remarks

The update file is stored on an FTP server.

ftp://username:password@server address/filename

The username parameter represents the FTP login username.

The password parameter represents the FTP login password.

The server address parameter represents the IP address or host name of the FTP server.

Replace the following special characters in the FTP login username and password with their respective escape characters:

·     Colon (:)—%3A or %3a.

·     At sign (@)—%40.

·     Forward slash (/)—%2F or %2f.

The update file is stored on a TFTP server.

tftp://server address/filename

The server address parameter represents the IP address or host name of the TFTP server.

 

 

NOTE:

To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.

 

Examples

# Manually update the IPS signature library by using an IPS signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] ips signature update tftp://192.168.0.10/ips-1.0.2-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.

<Sysname> system-view

[Sysname] ips signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/ips-1.0.2-en.dat
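The escaping rule for the FTP username and password applies to both ips signature update and ips signature import snort. The helper below is an added example, not H3C code: it builds the ftp:// file-path from raw credentials, then parses the result back with the standard library to show why the escaping is needed. The credentials and host are the ones from the example above; the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# The three characters the command reference requires to be escaped in FTP credentials.
# Other characters are left untouched because the page does not specify an encoding for them.
_ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}


def escape_credential(value):
    """Escape ':', '@' and '/' in an FTP username or password."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_ftp_path(username, password, server, filename):
    """Return the file-path argument for ips signature update / ips signature import snort."""
    return f"ftp://{escape_credential(username)}:{escape_credential(password)}@{server}/{filename}"


def parse_ftp_path(file_path):
    """Recover (username, password, server, filename) from an ftp:// file-path, undoing the escapes."""
    parts = urlsplit(file_path)
    return (
        unquote(parts.username or ""),
        unquote(parts.password or ""),
        parts.hostname,
        parts.path.lstrip("/"),
    )


if __name__ == "__main__":
    escaped = build_ftp_path("user:123", "user@abc/123", "192.168.0.10", "ips-1.0.2-en.dat")
    print(escaped)                       # matches the file-path in the example above
    print(parse_ftp_path(escaped))       # credentials round-trip intact
    # Unescaped, the first '@' and '/' are taken as the host and path delimiters,
    # so the server becomes "abc" and the path is wrong.
    print(parse_ftp_path("ftp://user:123:user@abc/123@192.168.0.10/ips-1.0.2-en.dat"))
```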

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file path is cfa0:/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] ips signature update ips-1.0.23-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file path is cfa0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] ips signature update dpi/ips-1.0.23-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file path is cfb0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] ips signature update dpi/ips-1.0.23-en.dat

object-dir

Use object-dir to specify a direction criterion to filter IPS signatures in an IPS policy.

Use undo object-dir to restore the default.

Syntax

object-dir { client | server } *

undo object-dir

Default

An IPS policy uses all enabled IPS signatures on the device.

Views

IPS policy view

Predefined user roles

network-admin

mdc-admin

Parameters

client: Specifies the server to client direction.

server: Specifies the client to server direction.

Usage guidelines

Each IPS signature has a direction attribute that defines the type of traffic to which the signature applies. The direction attributes include To-server, To-client, and Any.

IPS signatures with the Any direction attribute are always used by an IPS policy, regardless of the settings of this command. For example, if you configure the object-dir client command for an IPS policy, the policy will use IPS signatures with both the To-client and Any direction attributes.

Examples

# Configure IPS policy test to use IPS signatures with the To-client and Any direction attributes.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] object-dir client

override-current

Use override-current to configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

Use undo override-current to restore the default.

Syntax

override-current

undo override-current

Default

Before performing an automatic IPS signature library update, the device backs up the current IPS signature library as the previous version.

Views

Automatic IPS signature library update configuration view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Backing up the current IPS signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.
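The interaction between backup, override-current and rollback (ips signature rollback, ips signature update, and this command) is easiest to see in a small model. The class below is an added example, not H3C code: it tracks the Current, Last and Factory slots shown by display ips signature information and applies the rules this reference states, including the consequence that an update performed without a backup leaves nothing to roll back to. Version strings are the ones from the display example; the method names are hypothetical.

```python
class SignatureLibrary:
    """Model of the Current / Last / Factory slots of the IPS signature library."""

    def __init__(self, factory_version):
        self.factory = factory_version
        self.current = factory_version
        self.last = None  # displayed as "-" when no previous version exists

    def update(self, new_version, override_current=False):
        """Install new_version; without override-current the current library is kept as Last."""
        if not override_current:
            self.last = self.current
        self.current = new_version

    def rollback(self, target):
        """ips signature rollback { factory | last }. Returns False if there is no Last version."""
        if target == "last":
            if self.last is None:
                return False
            # The current library is backed up as the previous version, so the two slots swap.
            self.current, self.last = self.last, self.current
            return True
        if target == "factory":
            self.last = self.current
            self.current = self.factory
            return True
        raise ValueError(f"unknown rollback target: {target}")

    def status(self):
        """Same three rows as 'display ips signature information'."""
        return {"Current": self.current, "Last": self.last or "-", "Factory": self.factory}


def walkthrough():
    """Sequence from the rollback usage guidelines plus the override-current case."""
    steps = []
    lib = SignatureLibrary("1.00")
    lib.update("1.02")                 # backup kept: Last = 1.00
    steps.append(lib.status())
    lib.rollback("last")               # 1.00 current, 1.02 last
    steps.append(lib.status())
    lib.rollback("last")               # back to 1.02
    steps.append(lib.status())
    lib2 = SignatureLibrary("1.00")
    lib2.update("1.02", override_current=True)  # no backup: rollback last is impossible
    steps.append((lib2.status(), lib2.rollback("last")))
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```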

Examples

# Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate] override-current

Related commands

ips signature auto-update

protect-target

Use protect-target to set a target criterion to filter the IPS signatures in an IPS policy.

Use undo protect-target to remove a target criterion.

Syntax

protect-target { all | target [ subtarget ] }

undo protect-target { all | target [ subtarget ] }

Default

An IPS policy uses all enabled IPS signatures on the device.

Views

IPS policy view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Specifies all IPS signatures.

target: Specifies a target attribute.

subtarget: Specifies a subtarget attribute. If you do not specify this argument, the IPS policy includes all IPS signatures with the specified target attribute.

Usage guidelines

Each IPS signature has a target attribute and a subtarget attribute that define the category and type of targets being protected.

You can execute this command multiple times to set multiple target criteria for an IPS policy. The policy will use only IPS signatures with the specified target and subtarget attributes.

To view the IPS signature filtering configuration of an IPS policy, execute the display this command in IPS policy view.

Examples

# Configure IPS policy test to include IPS signatures with the WebServer target attribute and the WebLogic subtarget attribute.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] protect-target WebServer WebLogic

severity-level

Use severity-level to set a severity level criterion to filter the IPS signatures in an IPS policy.

Use undo severity-level to restore the default.

Syntax

severity-level { critical | high | low | medium } *

undo severity-level

Default

An IPS policy uses all enabled IPS signatures.

Views

IPS policy view

Predefined user roles

network-admin

mdc-admin

Parameters

critical: Specifies the critical severity level.

high: Specifies the high severity level.

low: Specifies the low severity level.

medium: Specifies the medium severity level.

Examples

# Configure IPS policy test to include IPS signatures with the critical and medium severity levels.

<sysname> system-view

[sysname] ips policy test

[sysname-ips-policy-test] severity-level critical medium
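The following is an added example, not H3C code, that models how the protect-target and severity-level criteria above narrow the set of signatures an IPS policy uses: several protect-target criteria are alternatives (a signature matching any one of them is kept), omitting the subtarget matches every subtarget of that target, and a severity-level criterion is applied on top of the target filter. The signatures, IDs and targets are constructed for the example; the enabled flag stands for the signature's default state and per-policy signature override is not modeled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: int
    target: str
    subtarget: str
    severity: str      # critical / high / medium / low
    enabled: bool


# Constructed sample signatures; IDs, targets and severities are made up.
SIGNATURES = [
    Signature(1, "WebServer", "WebLogic", "high", True),
    Signature(2, "WebServer", "Apache", "critical", True),
    Signature(3, "WebServer", "WebLogic", "medium", False),   # disabled: never used
    Signature(4, "OperationSystem", "Windows", "critical", True),
    Signature(5, "Browser", "Firefox", "low", True),
]


def matches_target(sig, criteria):
    """criteria: list of (target, subtarget-or-None) pairs, one per
    protect-target command. An empty list means 'protect-target all'.
    A None subtarget matches every subtarget of that target."""
    if not criteria:
        return True
    for target, subtarget in criteria:
        if sig.target == target and (subtarget is None or sig.subtarget == subtarget):
            return True
    return False


def select_signatures(signatures, target_criteria=(), severities=()):
    """Return the IDs a policy would use: enabled signatures that satisfy
    the target criteria and, if severities is non-empty, the severity filter."""
    return [
        s.sig_id
        for s in signatures
        if s.enabled
        and matches_target(s, list(target_criteria))
        and (not severities or s.severity in severities)
    ]


if __name__ == "__main__":
    # protect-target WebServer WebLogic  -> only signature 1 (3 is disabled)
    print(select_signatures(SIGNATURES, [("WebServer", "WebLogic")]))
    # protect-target WebServer + protect-target Browser, severity-level critical medium
    print(select_signatures(SIGNATURES, [("WebServer", None), ("Browser", None)],
                            {"critical", "medium"}))
```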

signature override

Use signature override to enable or disable an IPS signature, or change the actions for matching packets.

Use undo signature override to restore the default for an IPS signature.

Syntax

signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }

undo signature override { pre-defined | user-defined } signature-id

Default

Predefined IPS signatures use the actions and states defined by the system.

User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.

Views

IPS policy view

Predefined user roles

network-admin

mdc-admin

Parameters

pre-defined: Specifies a predefined IPS signature.

user-defined: Specifies a user-defined IPS signature.

signature-id: Specifies an IPS signature ID in the range of 1 to 536870911.

disable: Disables the IPS signature.

enable: Enables the IPS signature.

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

This command is available only for user-defined IPS policies.

If you execute this command for a signature multiple times, the most recent configuration takes effect.

To use a signature, enable the signature and change the actions for matching packets as required. To stop using a signature and reserve it for future use, disable the signature.

If a packet does not match any IPS signatures, the system permits the packet to pass.

If a packet matches only one IPS signature, the system takes the actions specified for the signature.

If a packet matches multiple IPS signatures, the system uses the following rules to determine the actions to take:

·     If the IPS signatures have two or more actions among block-source, drop, permit, and reset, the system takes the action of the highest priority. The actions in descending order of priority are reset, block-source/drop, and permit.

·     The device executes the block-source, capture, and logging actions if any of the matching IPS signatures has them.

Examples

# Enable predefined signature 2 for IPS policy ips1. Specify the drop, capture, and logging actions for the signature.

<Sysname> system-view

[Sysname] ips policy ips1

[Sysname-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging

Related commands

blacklist enable (security zone view) (Security Command Reference)

blacklist global enable (Security Command Reference)

ips parameter-profile

ips policy

signature override all

Use signature override all to specify the IPS actions for an IPS policy.

Use undo signature override all to restore the default.

Syntax

signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *

undo signature override all

Default

No actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.

Views

IPS policy view

Predefined user roles

network-admin

mdc-admin

Parameters

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

Use this command to specify the global packet processing actions for an IPS policy.

Each IPS signature is defined with default actions for matching packets. You can change the default actions for individual signatures in an IPS policy.

The system selects the actions for packets matching an IPS signature in the following order:

1.     Actions configured for the IPS signature in the IPS policy (by using the signature override command).

2.     Actions configured for the IPS policy.

3.     Default actions of the IPS signature.
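The following is an added example, not H3C code, that models the two rule sets stated on this page: the three-level precedence above for choosing a signature's effective actions (per-signature signature override, then the policy-wide signature override all, then the signature's own defaults), and the merge rules in the signature override usage guidelines for a packet that matches several signatures (reset outranks block-source/drop, which outrank permit; block-source, capture and logging are executed if any matched signature carries them; no match means permit). The signature IDs and action sets are constructed; the page gives no merge rule for redirect across multiple matches, so the model refuses that case rather than guessing.

```python
# Mutually exclusive packet actions (from the signature override syntax) and
# the additive ones that can be combined with any of them.
EXCLUSIVE = ("block-source", "drop", "permit", "redirect", "reset")
ADDITIVE = ("capture", "logging")

# Priority when matched signatures disagree: reset > block-source/drop > permit.
PRIORITY = {"reset": 3, "block-source": 2, "drop": 2, "permit": 1}

# Constructed sample data (not real signature IDs or actions).
SIG_DEFAULTS = {
    1: {"reset", "logging"},
    2: {"permit", "logging"},
    3: {"drop", "capture"},
}
# signature override pre-defined 2 enable block-source logging
POLICY_OVERRIDES = {2: {"block-source", "logging"}}
# signature override all drop logging capture
POLICY_ALL = {"drop", "logging", "capture"}


def effective_actions(sig_id, sig_defaults, policy_overrides, policy_all=frozenset()):
    """Actions for one matched signature, in the page's order of precedence.
    A disabled signature would not have matched at all, so it is not modeled."""
    if sig_id in policy_overrides:          # 1. signature override in the policy
        return set(policy_overrides[sig_id])
    if policy_all:                          # 2. signature override all
        return set(policy_all)
    return set(sig_defaults[sig_id])        # 3. signature's own defaults


def merge_actions(action_sets):
    """Combine the actions of all matched signatures for one packet."""
    if not action_sets:
        return {"permit"}                   # no signature matched
    if len(action_sets) == 1:
        return set(action_sets[0])          # single match: take it as is
    exclusive = {a for s in action_sets for a in s if a in EXCLUSIVE}
    if "redirect" in exclusive:
        raise ValueError("no documented multi-match rule for redirect")
    merged = set()
    if exclusive:
        # sorted() makes the block-source/drop tie deterministic; either way
        # block-source is re-added below, so the packet is dropped and blacklisted.
        merged.add(max(sorted(exclusive), key=PRIORITY.__getitem__))
    for action in ("block-source",) + ADDITIVE:
        if any(action in s for s in action_sets):
            merged.add(action)
    return merged


def actions_for_packet(matched_ids, sig_defaults, policy_overrides, policy_all=frozenset()):
    """Resolve and merge actions for a packet that matched the given signatures."""
    per_sig = [effective_actions(i, sig_defaults, policy_overrides, policy_all)
               for i in matched_ids]
    return merge_actions(per_sig)


if __name__ == "__main__":
    print(actions_for_packet([1, 3], SIG_DEFAULTS, POLICY_OVERRIDES))
    print(actions_for_packet([2, 3], SIG_DEFAULTS, POLICY_OVERRIDES, POLICY_ALL))
```

Reading the two printed results against the rules: a packet matching signatures 1 and 3 gets reset (highest priority) plus logging and capture from both signatures; a packet matching 2 and 3 with signature override all in place gets block-source from the override of signature 2, while signature 3 takes the policy-wide drop/logging/capture, so the merged result is block-source with logging and capture.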

Examples

# Specify actions drop, logging, and capture for IPS policy test.

<sysname> system-view

[sysname] ips policy test

[sysname-ips-policy-test] signature override all drop logging capture

Related commands

blacklist enable (security zone view) (Security Command Reference)

blacklist global enable (Security Command Reference)

ips parameter-profile

update schedule

Use update schedule to schedule the time for automatic IPS signature library update.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device starts updating the IPS signature library at a random time between 02:01:00 and 04:01:00 every day.

Views

Automatic IPS signature library update configuration view

Predefined user roles

network-admin

mdc-admin

Parameters

daily: Updates the IPS signature library every day.

weekly: Updates the IPS signature library every week.

fri: Updates the IPS signature library every Friday.

mon: Updates the IPS signature library every Monday.

sat: Updates the IPS signature library every Saturday.

sun: Updates the IPS signature library every Sunday.

thu: Updates the IPS signature library every Thursday.

tue: Updates the IPS signature library every Tuesday.

wed: Updates the IPS signature library every Wednesday.

start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:

·     Start time minus half the tolerance time.

·     Start time plus half the tolerance time.

Examples

# Configure the device to automatically update the IPS signature library every Monday at a random time between 20:25:00 and 20:35:00.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10

Related commands

ips signature auto-update
