IPS commands
action
Use action to configure the action criterion for IPS signature filtering in an IPS policy.
Use undo action to restore the default.
Syntax
action { block-source | drop | permit | reset } *
undo action
Default
The action attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Specifies the block source action.
drop: Specifies the drop action.
permit: Specifies the permit action.
reset: Specifies the reset action.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the actions associated with the signatures.
You can specify multiple actions in an action criterion. The IPS policy uses an IPS signature if the signature is associated with any of the specified actions.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures associated with the drop or reset action.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] action drop reset
attack-category
Use attack-category to specify an attack category criterion to filter IPS signatures in an IPS policy.
Use undo attack-category to delete an attack category criterion.
Syntax
attack-category { category [ subcategory ] | all }
undo attack-category { category [ subcategory | all ] }
Default
The attack category attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
category: Specifies an attack category by its name.
subcategory: Specifies a subcategory of the attack category. If you do not specify a subcategory, this command matches IPS signatures of any subcategory of the specified attack category.
all: Specifies all attack categories.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the attack category attribute of the signatures.
You can execute this command multiple times to specify multiple attack category criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured attack category criteria.
Examples
# Configure IPS policy test to use IPS signatures with the SQLInjection attack subcategory of the Vulnerability attack category.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] attack-category Vulnerability SQLInjection
display ips policy
Use display ips policy to display IPS policy information.
Syntax
display ips policy policy-name
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Display information about IPS policy aa.
<Sysname> display ips policy aa
Total signatures :10929 failed:0
Pre-defined signatures:10925 failed:0
User-defined signatures:4 failed:0
Flag:
B: Block-Source D: Drop P: Permit Rs: Reset Rd: Redirect C: Capture L: Logging
Pre: predefined User: user-defined
Type RuleID Target SubTarget Severity Direction Category SubCategory Status Action
Pre 1 OperationSystem LinuxUnix High Server Vulnerability RemoteCodeExecu Enable RsL
Pre 2 OperationSystem LinuxUnix High Server Vulnerability MemoryCorruptio Enable RsL
Pre 4 OfficeSoftware MicrosoftOffice High Any Vulnerability Overflow Enable RsL
Pre 5 OfficeSoftware MicrosoftOffice High Any Vulnerability MemoryCorruptio Enable RsL
Pre 6 Browser InternetExplore High Any Vulnerability MemoryCorruptio Enable RsL
Pre 7 Browser InternetExplore High Any Vulnerability MemoryCorruptio Enable RsL
Pre 8 ApplicationSoft MediaPlayer High Any Vulnerability RemoteCodeExecu Enable RsL
Pre 9 ApplicationSoft Security High Server Vulnerability Overflow Enable DL
Pre 10 Browser InternetExplore High Server Vulnerability InsecureLibrary Enable RsL
Pre 11 Browser InternetExplore High Any InformationDisc SensitiveInfo Enable RsL
Pre 12 OfficeSoftware MicrosoftOffice Critical Any Vulnerability RemoteCodeExecu Enable RsL
Pre 13 OfficeSoftware MicrosoftOffice High Any Vulnerability MemoryCorruptio Enable RsL
Pre 14 ApplicationSoft IM High Server Vulnerability InsecureLibrary Enable RsL
Pre 15 Browser InternetExplore High Any Vulnerability RemoteCodeExecu Enable RsL
…
Table 1 Command output
Field | Description |
---|---|
Total signatures | Total number of IPS signatures. |
Pre-defined signatures | Total number of predefined IPS signatures. |
User-defined signatures | Total number of user-defined signatures. |
Type | Type of the IPS signature: Pre (predefined) or User (user-defined). |
RuleID | Signature ID. |
Target | Attacked target. |
SubTarget | Attacked subtarget. |
Severity | Attack severity level of the signature: Low, Medium, High, or Critical. |
Direction | Traffic direction to which the IPS signature applies: Any (both server to client and client to server), Client (server to client), or Server (client to server). |
Category | Attack category of the signature. |
SubCategory | Attack subcategory of the signature. |
Status | Status of the IPS signature: Enabled or Disabled. |
Action | Actions for matching packets: Block-source (drops matching packets and adds their sources to the IP blacklist), Drop (drops matching packets), Permit (permits matching packets to pass), Reset (closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages), Redirect (redirects matching packets to a webpage), Capture (captures matching packets), and Logging (logs matching packets). |
Related commands
ips policy
display ips signature
Use display ips signature to display IPS signature information.
Syntax
display ips signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
pre-defined: Specifies predefined IPS signatures.
user-defined: Specifies user-defined IPS signatures.
direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays IPS signatures with any direction attribute.
· to-server: Specifies the client to server direction of a session.
· to-client: Specifies the server to client direction of a session.
· any: Specifies both directions of a session.
category category-name: Specifies an attack category. To view the names of supported attack categories, enter a question mark (?) after the category keyword. If you do not specify an attack category, this command displays IPS signatures for all attack categories.
fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays IPS signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.
· low: Specifies the low fidelity.
· medium: Specifies the medium fidelity.
· high: Specifies the high fidelity.
protocol { icmp | ip | tcp | udp }: Specifies a protocol. If you do not specify a protocol, this command displays IPS signatures for all protocols.
severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays IPS signatures for all severity levels of attacks.
· low: Specifies the low severity level.
· medium: Specifies the medium severity level.
· high: Specifies the high severity level.
· critical: Specifies the critical severity level.
Usage guidelines
If you do not specify any options, this command displays all IPS signatures.
Examples
# Display predefined IPS signatures of the medium fidelity level for TCP.
<Sysname> display ips signature pre-defined protocol tcp fidelity medium
Pre-defined signatures:465 failed:0
Flag:
Pre: predefined User: user-defined
Type Sig-ID Direction Severity Fidelity Category Protocol
Pre 1 To-server High Medium Vulnerability TCP
Pre 2 To-server High Medium Vulnerability TCP
Pre 3 To-client High Medium Vulnerability TCP
Pre 4 To-client High Medium Vulnerability TCP
Pre 5 To-client High Medium Vulnerability TCP
Pre 6 To-client High Medium Vulnerability TCP
Pre 7 To-client High Medium Vulnerability TCP
Pre 8 To-client High Medium Vulnerability TCP
Pre 10 To-server High Medium Vulnerability TCP
Pre 11 To-client High Medium Vulnerability TCP
Pre 12 To-client Critical Medium Vulnerability TCP
Pre 13 To-client High Medium Vulnerability TCP
Pre 14 To-server High Medium Vulnerability TCP
Pre 15 To-client High Medium Vulnerability TCP
Pre 16 To-client Critical Medium Vulnerability TCP
Pre 17 To-client High Medium Vulnerability TCP
Pre 18 To-client High Medium Vulnerability TCP
…
# Display IPS signatures of the high attack severity level for UDP.
<Sysname> display ips signature severity high protocol udp
Total signatures :7 failed:0
Pre-defined signatures:7 failed:0
User-defined signatures:0 failed:0
Flag:
Pre: predefined User: user-defined
Type Sig-ID Direction Severity Fidelity Category Protocol
Pre 9 To-server High Medium Vulnerability UDP
Pre 45 To-server High Medium Vulnerability UDP
Pre 187 Any High Medium Vulnerability UDP
Pre 196 Any High Medium Vulnerability UDP
Pre 223 To-server High Medium Vulnerability UDP
Pre 234 To-client High Medium Vulnerability UDP
Pre 338 To-client High Medium Vulnerability UDP
…
Table 2 Command output
Field | Description |
---|---|
Total signatures | Total number of IPS signatures. |
failed | Total number of IPS signatures that failed to be imported and loaded during signature update. |
Pre-defined count | Total number of predefined IPS signatures. |
User-defined count | Total number of user-defined signatures. |
Type | Type of the IPS signature: Pre (predefined) or User (user-defined). |
Sig-ID | Signature ID. |
Direction | Direction attribute of the signature: Any (both directions of a session), To-server (client to server direction of a session), or To-client (server to client direction of a session). |
Severity | Attack severity level of the signature: Low, Medium, High, or Critical. |
Fidelity | Fidelity level of the signature: Low, Medium, or High. |
Category | Attack category of the signature. |
Protocol | Protocol attribute of the signature. |
display ips signature { pre-defined | user-defined }
Use display ips signature { pre-defined | user-defined } to display detailed information about an IPS signature.
Syntax
display ips signature { pre-defined | user-defined } signature-id
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
pre-defined: Specifies a predefined signature.
user-defined: Specifies a user-defined signature.
signature-id: Specifies the signature ID. The value range is 1 to 4294967295 for a predefined signature and 536870913 to 1073741823 for a user-defined signature.
Examples
# Display detailed information about predefined IPS signature 1.
<Sysname> display ips signature pre-defined 1
Type : Pre-defined
Signature ID: 1
Status : Enabled
Action : Reset & Logging
Name : GNU_Bash_CVE-2014-6271_Remote_Code_Execution_Vulnerability
Protocol : TCP
Severity : High
Fidelity : Medium
Direction : To-server
Category : Vulnerability
Reference : CVE-2014-6271;
Description : GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Table 3 Command output
Field | Description |
---|---|
Type | Type of the IPS signature: Pre (predefined) or User (user-defined). |
Signature ID | Signature ID. |
Status | Status of the IPS signature: Enabled or Disabled. |
Action | Actions for matching packets: Block-source (drops matching packets and adds their sources to the IP blacklist), Drop (drops matching packets), Permit (permits matching packets to pass), Reset (closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages), Capture (captures matching packets), and Logging (logs matching packets). |
Name | Name of the IPS signature. |
Protocol | Protocol attribute of the signature. |
Severity | Attack severity: Low, Medium, High, or Critical. |
Fidelity | Fidelity level of the signature: Low, Medium, or High. |
Direction | Direction attribute of the signature: Any (both directions of a session), To-server (client to server direction of a session), or To-client (server to client direction of a session). |
Category | Attack category of the signature. |
Reference | Reference for the signature. |
Description | Description for the signature. |
display ips signature library
Use display ips signature library to display IPS signature library information.
Syntax
display ips signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display IPS signature library information.
<Sysname> display ips signature library
IPS signature library information:
Type SigVersion ReleaseTime Size
Current 1.02 Fri Sep 13 09:05:35 2014 71594
Last - - -
Factory 1.00 Fri Sep 11 09:05:35 2014 71394
Table 4 Command output
Field | Description |
---|---|
Type | Version type of the IPS signature library: Current (current version), Last (previous version), or Factory (factory default version). |
SigVersion | Version number of the IPS signature library. |
ReleaseTime | Release time of the IPS signature library. |
Size | Size of the IPS signature file in bytes. |
display ips signature user-defined parse-failed
Use display ips signature user-defined parse-failed to display information about the user-defined IPS signatures that failed to be parsed during signature import.
Syntax
display ips signature user-defined parse-failed
Views
Any view
Predefined user roles
network-admin
context-admin
Examples
# Display information about the user-defined IPS signatures that failed to be imported.
<Sysname> display ips signature user-defined parse-failed
LineNo SID Information
1 None Error: Invalid actions.
Tip: Only actions {alert|drop|pass|reject|sdrop|log} are supported
2 1010082 Error: Invalid signature ID.
Tip: The signature ID must be in the range of 1 to 536870912
3 1010083 Error: Invalid protocol.
Tip: Only protocols {tcp|udp|icmp|ip} are supported
4 1010084 Error: Invalid direction.
Tip: Only directions {'<>'|'->'} are supported
Table 5 Command output
Field | Description |
---|---|
LineNo | Line number of the signature in the Snort file. |
SID | Signature ID. |
Information | Signature information: Error (reason for the parse failure) and Tip (hint for editing the signature rule in the file). |
Related commands
ips signature import snort
ips apply policy
Use ips apply policy to apply an IPS policy to a DPI application profile.
Use undo ips apply policy to remove the application.
Syntax
ips apply policy policy-name mode { alert | protect }
undo ips apply policy
Default
No IPS policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies an IPS policy mode.
alert: Only captures or logs matching packets.
protect: Takes all actions specified for signatures to process matching packets.
Usage guidelines
An IPS policy takes effect only after it is applied to a DPI application profile.
You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply IPS policy ips1 to DPI application profile sec. Set the IPS policy mode to protect.
<Sysname> system-view
[Sysname] app-profile sec
[Sysname-app-profile-sec] ips apply policy ips1 mode protect
Related commands
app-profile
ips policy
ips capture-cache
Use ips capture-cache to specify the number of the captured packets to be cached for threat analysis.
Use undo ips capture-cache to restore the default.
Syntax
ips capture-cache number
undo ips capture-cache
Default
The number of the captured packets to be cached is not specified, and the device does not cache any captured packets.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
number: Specifies the number of the captured packets to be cached, in the range of 1 to 10. If the value is set to 1, the device caches only the packet subsequent to the hit packet.
Usage guidelines
This command enables the device to cache the IPS captured packets.
The device caches the number-1 packets captured immediately before the hit packet (the packet that matches the IPS policy) and the one packet captured after it. When the packet after the hit packet is cached, the device writes all cached packets and the hit packet into the capture file.
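A small model of the caching rule above, added here as an example and not H3C code. The page does not say what happens to the cache after a file is written, or when the packet following a hit is itself a hit, so the model assumes the cache is emptied after each write and treats the following packet as plain trailing context.

```python
from collections import deque


def capture_with_cache(packets, is_hit, number):
    """Model the ips capture-cache rule described above.

    packets: ordered packets seen by the capture action (any labels).
    is_hit:  predicate telling whether a packet matches the IPS policy.
    number:  the configured ips capture-cache value, 1 to 10.

    The device keeps the number-1 most recent packets before a hit and, once
    the one packet after the hit arrives, writes pre-hit packets + hit + post-hit
    packet to the capture file. Returns (files, held): the list of per-file
    packet lists, and whatever is still waiting in the cache when the stream
    ends (a hit with no following packet is never written).
    Assumption not stated on the page: the cache is emptied after each write.
    """
    if not 1 <= number <= 10:
        raise ValueError("ips capture-cache number must be in the range 1 to 10")
    before = deque(maxlen=number - 1)  # ring buffer of packets preceding the hit
    files = []
    pending = None  # (pre-hit packets, hit packet) awaiting the packet after the hit
    for pkt in packets:
        if pending is not None:
            pre_hit, hit = pending
            files.append(pre_hit + [hit, pkt])  # file is written once the next packet is cached
            pending = None
            before.clear()
        elif is_hit(pkt):
            pending = (list(before), pkt)
        else:
            before.append(pkt)
    held = pending[0] + [pending[1]] if pending is not None else []
    return files, held


if __name__ == "__main__":
    # Constructed stream: packet p4 matches the policy.
    stream = ["p1", "p2", "p3", "p4", "p5", "p6"]
    for n in (1, 3, 10):
        print(n, capture_with_cache(stream, lambda p: p == "p4", n))
```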
Examples
# Allow the device to cache a maximum of five IPS captured packets.
<Sysname> system-view
[Sysname] ips capture-cache 5
Related commands
inspect capture parameter-profile
signature override
ips parameter-profile
Use ips parameter-profile to specify a parameter profile for an IPS action.
Use undo ips parameter-profile to remove the parameter profile from an IPS action.
Syntax
ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name
undo ips { block-source | capture | email | logging | redirect } parameter-profile
Default
No parameter profile is specified for an IPS action.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Specifies a parameter profile for the block-source action.
capture: Specifies a parameter profile for the capture action.
email: Specifies a parameter profile for the email action.
logging: Specifies a parameter profile for the logging action.
redirect: Specifies a parameter profile for the redirect action.
parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to specify the parameter profile used by an IPS action. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.
For information about configuring parameter profiles, see DPI Configuration Guide.
Examples
# Create parameter profile ips1. Set the source IP address blocking period to 1111 seconds.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile ips1
[Sysname-inspect-block-source-ips1] block-period 1111
[Sysname-inspect-block-source-ips1] quit
# Specify the parameter profile ips1 for the block-source action.
[Sysname] ips block-source parameter-profile ips1
Related commands
inspect block-source parameter-profile
inspect capture parameter-profile
inspect logging parameter-profile
inspect email parameter-profile
inspect redirect parameter-profile
ips policy
Use ips policy to create an IPS policy and enter its view, or enter the view of an existing IPS policy.
Use undo ips policy to delete an IPS policy.
Syntax
ips policy policy-name
undo ips policy policy-name
Default
An IPS policy named default exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPS policy includes all signatures on the device, including signatures that are added to the device after the policy is created.
You cannot modify the signatures in the default IPS policy. In a user-defined policy, you can enable or disable a signature, or edit the actions for a signature.
Examples
# Create IPS policy ips1 and enter its view.
<Sysname> system-view
[Sysname] ips policy ips1
[Sysname-ips-policy-ips1]
ips signature auto-update
Use ips signature auto-update to enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.
Use undo ips signature auto-update to disable automatic IPS signature library update.
Syntax
ips signature auto-update
undo ips signature auto-update
Default
Automatic IPS signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you enable automatic IPS signature library update, the device periodically accesses the H3C website to download the latest IPS signatures.
Examples
# Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate]
Related commands
update schedule
ips signature auto-update-now
Use ips signature auto-update-now to trigger an automatic signature library update manually.
Syntax
ips signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you execute this command, the device immediately starts the automatic signature library update process, regardless of whether automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Trigger an automatic signature library update manually.
<Sysname> system-view
[Sysname] ips signature auto-update-now
ips signature import snort
Use ips signature import snort to import user-defined IPS signatures.
Syntax
ips signature import snort file-path
Default
No user-defined IPS signatures exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the path of the file where the IPS signatures to be imported are stored. The value for this argument is a string of 1 to 255 characters.
Usage guidelines
To add your own IPS signatures, create an IPS signature file in the Snort format and use this command to import the signatures.
Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.
To view the imported IPS signatures, use the display ips signature user-defined command.
The following methods are available for IPS signature import:
· Local method—Imports IPS signatures from a local IPS signature file.
The following describes the format of the file-path parameter for different import scenarios.
Import scenario | Format of file-path | Remarks |
---|---|---|
The import file is stored in the current working directory. | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
The import file is stored in a different directory on the same storage medium. | filename | Before configuring the ips signature import snort command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The import file is stored on a different storage medium. | path/filename | Before configuring the ips signature import snort command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP method—Imports IPS signatures from an IPS signature file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different import scenarios.
Import scenario | Format of file-path | Remarks |
---|---|---|
The import file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) with %3A or %3a, at sign (@) with %40, and forward slash (/) with %2F or %2f. |
The import file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
When you configure a Snort rule in the IPS signature file, follow these restrictions and guidelines:
· Use the correct syntax for the rule.
· Specify an SID in the range of 1 to 536870911 for the rule. Rules with larger IDs are invalid.
· The SID of the rule must be different from the SIDs of any existing Snort rules on the device.
· Be sure to configure the msg field for the rule. If the msg field is not configured, the attack name of the rule will not be displayed in the IPS syslog message.
· Make sure the application specified in the rule is identifiable. Otherwise, no packets can match the rule.
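A rules file can be checked offline against the constraints listed above and in the parse-failed output (supported actions, protocols and directions, the SID range, SID uniqueness, and a msg field) before it is imported. The following Python script is an added example written for this page, not H3C code; the sample rules are constructed, and the "Duplicate signature ID" and "Invalid rule syntax" messages and the msg warning are this script's own wording rather than device output.

```python
import re

# Import constraints taken from this page: the parse-failed tips and the
# Snort rule guidelines for ips signature import snort.
VALID_ACTIONS = {"alert", "drop", "pass", "reject", "sdrop", "log"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
VALID_DIRECTIONS = {"->", "<>"}
SID_MIN, SID_MAX = 1, 536870911

# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?P<dir>\S+)"
    r"\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)
# One option: key, optionally ':' and a quoted or unquoted value, then ';'.
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(opts):
    """Split the option body into {key: value}; flag options map to ''."""
    opts = opts.strip()
    if not opts.endswith(";"):
        opts += ";"
    return {key: value.strip().strip('"') for key, value in OPT_RE.findall(opts)}


def validate_rules(text, existing_sids=frozenset()):
    """Return (line_no, sid, message) for every rule the device would reject.

    Checks run in the order the device reports them and only the first problem
    on a line is reported, as in the parse-failed output. existing_sids holds
    the SIDs of Snort rules already on the device, which imported rules must
    not reuse. A missing msg is reported as a warning, not an error.
    """
    report = []
    seen = set(existing_sids)
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = RULE_RE.match(line)
        if match is None:
            report.append((line_no, None, "Error: Invalid rule syntax."))
            continue
        opts = parse_options(match.group("opts"))
        sid_text = opts.get("sid", "")
        sid = int(sid_text) if sid_text.isdigit() else None
        if match.group("action") not in VALID_ACTIONS:
            message = "Error: Invalid actions."
        elif match.group("proto") not in VALID_PROTOCOLS:
            message = "Error: Invalid protocol."
        elif match.group("dir") not in VALID_DIRECTIONS:
            message = "Error: Invalid direction."
        elif sid is None or not SID_MIN <= sid <= SID_MAX:
            message = "Error: Invalid signature ID."
        elif sid in seen:
            message = "Error: Duplicate signature ID."
        elif not opts.get("msg"):
            message = "Warning: msg not set; the attack name will be missing from IPS syslog."
        else:
            message = None
        if sid is not None:
            seen.add(sid)
        if message:
            report.append((line_no, sid, message))
    return report


def format_report(report):
    """Render the result in the LineNo / SID / Information layout of the device."""
    lines = ["LineNo  SID         Information"]
    for line_no, sid, message in report:
        lines.append(f"{line_no:<7} {str(sid) if sid is not None else 'None':<11} {message}")
    return "\n".join(lines)


# Constructed sample rules file: line 2 is accepted, every later line is faulty.
SAMPLE_RULES = """\
# constructed sample, not a real rule set
alert tcp any any -> any 80 (msg:"Sample HTTP rule"; content:"/sample"; sid:1000001; rev:1;)
block tcp any any -> any 80 (msg:"Bad action"; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"SID too large"; sid:1073741823; rev:1;)
alert http any any -> any 80 (msg:"Bad protocol"; sid:1000003; rev:1;)
alert udp any any <- any 53 (msg:"Bad direction"; sid:1000004; rev:1;)
alert tcp any any -> any 22 (content:"SSH"; sid:1000005; rev:1;)
alert tcp any any -> any 25 (msg:"Duplicate SID"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    print(format_report(validate_rules(SAMPLE_RULES)))
```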
Examples
# Import IPS signatures from an IPS signature file that is stored on a TFTP server.
<Sysname> system-view
[Sysname] ips signature import snort tftp://192.168.0.1/snort.rules
Related commands
display ips signature user-defined
ips signature remove snort
ips signature remove snort
Use ips signature remove snort to delete all imported user-defined IPS signatures.
Syntax
ips signature remove snort
Views
System view
Predefined user roles
network-admin
context-admin
Examples
# Delete all imported user-defined IPS signatures.
<Sysname> system-view
[Sysname] ips signature remove snort
Related commands
ips signature import snort
ips signature rollback
Use ips signature rollback to roll back the IPS signature library.
Syntax
ips signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the IPS signature library to the factory default version.
last: Rolls back the IPS signature library to the previous version.
Usage guidelines
If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.
Before performing an IPS signature library rollback, the device backs up the current IPS signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the IPS signature library to the previous version.
<Sysname> system-view
[Sysname] ips signature rollback last
ips signature update
Use ips signature update to manually update the IPS signature library.
Syntax
ips signature update [ override-current ] file-path
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
override-current: Overwrites the current IPS signature library without backing up the library. For the device to back up the current IPS signature library before overwriting the library, do not specify this keyword.
file-path: Specifies the IPS signature file path, a string of 1 to 255 characters.
Usage guidelines
If the device cannot access the H3C website, use one of the following methods to manually update the IPS signature library:
· Local update—Updates the IPS signature library by using a locally stored update IPS signature file.
Store the update file on the master device for successful signature library update.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
The update file is stored in a different directory on the same storage medium. | filename | Before configuring the ips signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before configuring the ips signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the IPS signature library by using the file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) with %3A or %3a, at sign (@) with %40, and forward slash (/) with %2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
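The escaping rule in the FTP row above (and the identical row for ips signature import snort) decides whether the file-path can be split into credentials, server and file at all. This Python helper is an added example, not H3C code: it escapes exactly the three characters the page names and then parses the result with the standard-library URL parser, which stands in for the device's own parser (not described on the page) to show how unescaped credentials shift the field boundaries. The server address 192.168.0.10 is the one used in the page's TFTP example.

```python
from urllib.parse import urlsplit, unquote

# Characters the page requires escaping in the FTP username and password.
ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}


def escape_credential(value):
    """Escape only the characters the page names; everything else is left as typed."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_file_path(scheme, server, filename, username=None, password=None):
    """Build the file-path argument for ips signature update / ips signature import snort."""
    if scheme == "tftp":
        return f"tftp://{server}/{filename}"
    if scheme != "ftp":
        raise ValueError("file-path supports only ftp:// and tftp://")
    if username is None or password is None:
        raise ValueError("an ftp:// file-path needs a username and a password")
    return f"ftp://{escape_credential(username)}:{escape_credential(password)}@{server}/{filename}"


def parse_file_path(url):
    """Split a file-path back into its parts with the stdlib URL parser.

    Used here as a stand-in for the device's parser to show that unescaped
    ':' '@' '/' inside credentials move the user/password/server/path boundaries.
    """
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": unquote(parts.username) if parts.username is not None else None,
        "password": unquote(parts.password) if parts.password is not None else None,
        "server": parts.hostname,
        "filename": parts.path.lstrip("/"),
    }


if __name__ == "__main__":
    good = build_file_path("ftp", "192.168.0.10", "ips-1.0.2-en.dat", "user:123", "user@abc/123")
    naive = "ftp://user:123:user@abc/123@192.168.0.10/ips-1.0.2-en.dat"  # credentials not escaped
    print(good, parse_file_path(good), sep="\n")
    print(naive, parse_file_path(naive), sep="\n")
```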
Examples
# Manually update the IPS signature library by using an IPS signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] ips signature update tftp://192.168.0.10/ips-1.0.2-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively, so they appear in the file path as user%3A123 and user%40abc%2F123. The FTP server address is shown as the placeholder server-address.
<Sysname> system-view
[Sysname] ips signature update ftp://user%3A123:user%40abc%2F123@server-address/ips-1.0.2-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is cfa0:/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> system-view
[Sysname] ips signature update ips-1.0.23-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is cfa0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] ips signature update ips-1.0.23-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is cfb0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] ips signature update dpi/ips-1.0.23-en.dat
ips signature update-log
Use ips signature update-log send-time to enable logging for IPS signature library update and rollback events and daily output of the logs at the specified time.
Use undo ips signature update-log send-time to disable logging for IPS signature library update and rollback events.
Syntax
ips signature update-log send-time time
undo ips signature update-log send-time
Default
Logging for IPS signature library update and rollback events is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
time: Specifies the daily log output time, in the format of hh:mm:ss. The value range is 00:00:00 to 23:59:59.
Usage guidelines
This command enables the device to log successful IPS signature library update and rollback events and to output the logs at the specified time.
The device supports outputting IPS signature library update and rollback logs only as fast logs to log hosts. For the IPS logs to be output correctly, make sure the following requirements are met:
· Fast log output of IPS logs in SGCC format is enabled by using the customlog format dpi ips sgcc command.
· The log hosts where the IPS logs should be sent are configured by using the customlog host command.
For more information about the preceding commands, see fast log output commands in Network Management and Monitoring Command Reference.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable logging for IPS signature library update and rollback events and set the daily output time to 12:12:12.
<Sysname> system-view
[Sysname] ips signature update-log send-time 12:12:12
object-dir
Use object-dir to specify a direction criterion to filter IPS signatures in an IPS policy.
Use undo object-dir to restore the default.
Syntax
object-dir { client | server } *
undo object-dir
Default
The direction attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
client: Specifies the server to client direction.
server: Specifies the client to server direction.
Usage guidelines
Each IPS signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.
IPS signatures with the Any direction attribute are always used by an IPS policy, regardless of the settings of this command. For example, if you configure the object-dir client command for an IPS policy, the policy will use IPS signatures with both the To-client and Any direction attributes.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures with the To-client and Any direction attributes.
[Sysname] ips policy test
[Sysname-ips-policy-test] object-dir client
override-current
Use override-current to configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
Use undo override-current to restore the default.
Syntax
override-current
undo override-current
Default
Before performing an automatic IPS signature library update, the device backs up the current IPS signature library as the previous version.
Views
Automatic IPS signature library update configuration view
Predefined user roles
network-admin
context-admin
Usage guidelines
Backing up the current IPS signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.
Examples
# Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate] override-current
Related commands
ips signature auto-update
protect-target
Use protect-target to set a target criterion to filter the IPS signatures in an IPS policy.
Use undo protect-target to remove a target criterion.
Syntax
protect-target { target [ subtarget ] | all }
undo protect-target { target [ subtarget ] | all }
Default
The protected target attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
target: Specifies a target.
subtarget: Specifies a subtarget of the target. If you do not specify a subtarget, this command matches any IPS signature with a subtarget of the specified target.
all: Specifies all targets.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the protected target attribute of the signatures.
You can execute this command multiple times to specify multiple target criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured target criteria.
Examples
# Configure IPS policy test to use IPS signatures with the WebLogic subtarget of the WebServer target.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] protect-target WebServer WebLogic
severity-level
Use severity-level to set a severity level criterion to filter the IPS signatures in an IPS policy.
Use undo severity-level to restore the default.
Syntax
severity-level { critical | high | low | medium } *
undo severity-level
Default
The severity level attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
Each IPS signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.
This command filters the IPS signatures that an IPS policy uses based on the severity level attribute of the signatures.
You can specify multiple severity levels in a severity level criterion. The IPS policy uses an IPS signature if the signature matches any of the specified severity levels.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures with the critical and medium severity levels.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] severity-level critical medium
signature override
Use signature override to change the status and actions for an IPS signature in an IPS policy.
Use undo signature override to restore the default status and actions for an IPS signature in an IPS policy.
Syntax
signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }
undo signature override { pre-defined | user-defined } signature-id
Default
Predefined IPS signatures use the actions and states defined by the system.
User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
pre-defined: Specifies a predefined IPS signature.
user-defined: Specifies a user-defined IPS signature.
signature-id: Specifies an IPS signature ID in the range of 1 to 536870911.
disable: Disables the IPS signature.
enable: Enables the IPS signature.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
This command is available only for user-defined IPS policies. The signature actions and status in the default IPS policy cannot be modified.
If you execute this command for a signature in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Enable predefined signature 2 for IPS policy ips1. Specify the drop, capture, and logging actions for the signature.
<Sysname> system-view
[Sysname] ips policy ips1
[Sysname-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging
Related commands
blacklist enable (security zone view) (Security Command Reference)
blacklist global enable (Security Command Reference)
ips parameter-profile
ips policy
signature override all
signature override all
Use signature override all to specify the IPS actions for an IPS policy.
Use undo signature override all to restore the default.
Syntax
signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *
undo signature override all
Default
No actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.
Views
IPS policy view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
Use this command to specify the global packet processing actions for an IPS policy.
Each IPS signature is defined with default actions for matching packets. You can change the default actions for individual signatures in an IPS policy.
The system selects the actions for packets matching an IPS signature in the following order:
1. Actions configured for the IPS signature in the IPS policy (by using the signature override command).
2. Actions configured for the IPS policy.
3. Default actions of the IPS signature.
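The following Python script is an added illustration, not part of the command reference or the device software. It models the selection order above for the actions applied to a packet that matches a signature (the Signature and IpsPolicy structures and the function names are assumptions), including the cases where a signature has been disabled with signature override and where a per-signature override sets the status but no actions.

```python
"""Added example (not device code): resolve the actions applied to a packet
that matches an IPS signature, following the order the reference gives
for signature override all. The data model is an assumption."""
from dataclasses import dataclass, field

# At most one packet action, plus optional capture and logging.
PACKET_ACTIONS = {"block-source", "drop", "permit", "redirect", "reset"}
EXTRA_ACTIONS = {"capture", "logging"}

@dataclass
class Signature:
    sig_id: int
    default_actions: frozenset   # actions defined by the system or the import file
    enabled: bool = True

@dataclass
class IpsPolicy:
    name: str
    global_actions: frozenset = frozenset()          # 'signature override all'
    overrides: dict = field(default_factory=dict)   # sig_id -> (enabled, actions)

def validate_actions(actions) -> frozenset:
    """Mirror the syntax: unknown keywords and two packet actions are rejected."""
    unknown = set(actions) - PACKET_ACTIONS - EXTRA_ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    if len(set(actions) & PACKET_ACTIONS) > 1:
        raise ValueError("only one of block-source/drop/permit/redirect/reset")
    return frozenset(actions)

def signature_override(policy: IpsPolicy, sig_id: int, enabled: bool, actions=()):
    """'signature override ... <sig_id> { enable | disable } [actions]'; last one wins."""
    policy.overrides[sig_id] = (enabled, validate_actions(actions))

def signature_override_all(policy: IpsPolicy, actions):
    """'signature override all [actions]'; last one wins."""
    policy.global_actions = validate_actions(actions)

def resolve_actions(policy: IpsPolicy, sig: Signature):
    """Return None for a disabled signature, else the action set that applies.

    Assumption: an override that only sets the status (no actions) falls
    through to the policy-wide actions and then to the signature defaults.
    """
    enabled, actions = policy.overrides.get(sig.sig_id, (sig.enabled, frozenset()))
    if not enabled:
        return None
    if actions:                  # 1. per-signature override in the policy
        return actions
    if policy.global_actions:    # 2. actions configured for the policy
        return policy.global_actions
    return sig.default_actions   # 3. the signature's default actions
```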
Examples
# Specify actions drop, logging, and capture for IPS policy test.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] signature override all drop logging capture
Related commands
blacklist enable (security zone view) (Security Command Reference)
blacklist global enable (Security Command Reference)
ips parameter-profile
signature override
update schedule
Use update schedule to schedule the time for automatic IPS signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic IPS signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the IPS signature library every day.
weekly: Updates the IPS signature library every week.
fri: Updates the IPS signature library every Friday.
mon: Updates the IPS signature library every Monday.
sat: Updates the IPS signature library every Saturday.
sun: Updates the IPS signature library every Sunday.
thu: Updates the IPS signature library every Thursday.
tue: Updates the IPS signature library every Tuesday.
wed: Updates the IPS signature library every Wednesday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Examples
# Configure the device to automatically update the IPS signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
ips signature auto-update