20-DPI Command Reference

HomeSupportResource CenterNFVH3C VSRH3C VSRTechnical DocumentsCommandCommand ReferencesH3C VSR Series Virtual Services Routers Command References(V7)-R0621-6W30020-DPI Command Reference
01-IPS commands
Title Size Download
01-IPS commands 151.97 KB

IPS commands

action

Use action to configure the action criterion for IPS signature filtering in an IPS policy.

Use undo action to restore the default.

Syntax

action { block-source | drop | permit | reset } *

undo action

Default

The action attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

block-source: Specifies the block source action.

drop: Specifies the drop action.

permit: Specifies the permit action.

reset: Specifies the reset action.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the actions associated with the signatures.

You can specify multiple actions in an action criterion. The IPS policy uses an IPS signature if the signature is associated with any of the specified actions.

If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy test to use IPS signatures associated with the drop or reset action.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] action drop reset

attack-category

Use attack-category to specify an attack category criterion to filter IPS signatures in an IPS policy.

Use undo attack-category to delete an attack category criterion.

Syntax

attack-category { category [ subcategory ] | all }

undo attack-category { category [ subcategory | all] }

Default

The attack category attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

category-name: Specifies an attack category.

subcategory: Specifies a subcategory of the attack category. If you do not specify a subcategory, this command matches any IPS signature with a subcategory of the specified attack category.

all: Specifies all attack categories.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the attack category attribute of the signatures.

You can execute this command multiple times to specify multiple attack category criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured  attack category criteria.

Examples

# Configure IPS policy test to use IPS signatures with the SQLInjection attack subcategory of the Vulnerability attack category.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] attack-category Vulnerability SQLInjection

display ips policy

Use display ips policy to display IPS policy information.

Syntax

display ips policy policy-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.

Examples

# Display information about IPS policy aa.

<Sysname> display ips policy aa

Total signatures        :10929     failed:0

 Pre-defined  signatures:10925     failed:0

 User-defined signatures:4         failed:0

Flag:

  B: Block-Source  D: Drop  P: Permit  Rs: Reset  Rd: Redirect  C: Capture  L: L

ogging

  Pre: predefined  User: user-defined

Type RuleID    Target          SubTarget       Severity Direction Category

  SubCategory     Status  Action

Pre  1         OperationSystem LinuxUnix       High     Server    Vulnerability

  RemoteCodeExecu Enable  RsL

Pre  2         OperationSystem LinuxUnix       High     Server    Vulnerability

  MemoryCorruptio Enable  RsL

Pre  4         OfficeSoftware  MicrosoftOffice High     Any       Vulnerability

  Overflow        Enable  RsL

Pre  5         OfficeSoftware  MicrosoftOffice High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  6         Browser         InternetExplore High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  7         Browser         InternetExplore High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  8         ApplicationSoft MediaPlayer     High     Any       Vulnerability

  RemoteCodeExecu Enable  RsL

Pre  9         ApplicationSoft Security        High     Server    Vulnerability

  Overflow        Enable  DL

Pre  10        Browser         InternetExplore High     Server    Vulnerability

  InsecureLibrary Enable  RsL

Pre  11        Browser         InternetExplore High     Any       InformationDis

c SensitiveInfo   Enable  RsL

Pre  12        OfficeSoftware  MicrosoftOffice Critical Any       Vulnerability

  RemoteCodeExecu Enable  RsL

Pre  13        OfficeSoftware  MicrosoftOffice High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  14        ApplicationSoft IM              High     Server    Vulnerability

  InsecureLibrary Enable  RsL

Pre  15        Browser         InternetExplore High     Any       Vulnerability

  RemoteCodeExecu Enable  RsL

Table 1 Command output

Field

Description

Total signatures

Total number of IPS signatures.

Pre-defined signatures

Total number of predefined IPS signatures.

User-defined signatures

Total number of user-defined signatures.

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

RuleID

Signature ID.

Target

Attacked target

SubTarget

Attacked subtarget.

Severity

Attack severity level of the signature, Low, Medium, High, or Critical.

Direction

Traffic direction to which the IPS signature applies:

·     Any—Both server to client and client to server directions.

·     Client—Server to client direction.

·     Server— Client to server direction.

Category

Attack category of the signature.

Subcategory

Attack subcategory of the signature.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Redirect—Redirects matching packets to a webpage.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

 

Related commands

ips policy

display ips signature

Use display ips signature to display IPS signature information.

Syntax

display ips signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pre-defined: Specifies predefined IPS signatures.

user-defined: Specifies user-defined IPS signatures.

direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays IPS signatures with any direction attribute.

·     to-server: Specifies the client to server direction of a session.

·     to-client: Specifies the server to client direction of a session.

·     any: Specifies both directions of a session.

category category-name: Specifies an attack category. To view the names of supported attack categories, enter a question mark (?) after the category keyword. If you do not specify an attack category, this command displays IPS signatures for all attack categories.

fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays IPS signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.

·     low: Specifies the low fidelity.

·     medium: Specifies the medium fidelity.

·     high: Specifies the high fidelity.

protocol { icmp | ip | tcp | udp }: Specifies a protocol. If you do not specify a protocol, this command displays IPS signatures for all protocols.

severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays IPS signatures for all severity levels of attacks.

·     low: Specifies the low severity level.

·     medium: Specifies the medium severity level.

·     high: Specifies the high severity level.

·     critical: Specifies the critical severity level.

Usage guidelines

If you do not specify any options, this command displays all IPS signatures.

Examples

# Display predefined IPS signatures of the medium fidelity level for TCP.

<Sysname> display ips signature pre-defined protocol tcp fidelity medium

Pre-defined  signatures:465       failed:0

 

Flag:

  Pre: predefined   User: user-defined

 

Type Sig-ID    Direction Severity Fidelity Category      Protocol

Pre  1         To-server High     Medium   Vulnerability TCP

Pre  2         To-server High     Medium   Vulnerability TCP

Pre  3         To-client High     Medium   Vulnerability TCP

Pre  4         To-client High     Medium   Vulnerability TCP

Pre  5         To-client High     Medium   Vulnerability TCP

Pre  6         To-client High     Medium   Vulnerability TCP

Pre  7         To-client High     Medium   Vulnerability TCP

Pre  8         To-client High     Medium   Vulnerability TCP

Pre  10        To-server High     Medium   Vulnerability TCP

Pre  11        To-client High     Medium   Vulnerability TCP

Pre  12        To-client Critical Medium   Vulnerability TCP

Pre  13        To-client High     Medium   Vulnerability TCP

Pre  14        To-server High     Medium   Vulnerability TCP

Pre  15        To-client High     Medium   Vulnerability TCP

Pre  16        To-client Critical Medium   Vulnerability TCP

Pre  17        To-client High     Medium   Vulnerability TCP

Pre  18        To-client High     Medium   Vulnerability TCP

# Display IPS signatures of the high attack severity level for UDP.

<Sysname> display ips signature severity high protocol udp

Total signatures        :7         failed:0

 Pre-defined  signatures:7         failed:0

 User-defined signatures:0         failed:0

 

Flag:

  Pre: predefined   User: user-defined

 

Type Sig-ID    Direction Severity Fidelity Category      Protocol

Pre  9         To-server High     Medium   Vulnerability UDP

Pre  45        To-server High     Medium   Vulnerability UDP

Pre  187       Any       High     Medium   Vulnerability UDP

Pre  196       Any       High     Medium   Vulnerability UDP

Pre  223       To-server High     Medium   Vulnerability UDP

Pre  234       To-client High     Medium   Vulnerability UDP

Pre  338       To-client High     Medium   Vulnerability UDP

Table 2 Command output

Field

Description

Total signatures

Total number of IPS signatures.

failed

Total number of IPS signatures that failed to be imported and loaded during signature update.

Pre-defined count

Total number of predefined IPS signatures.

User-defined count

Total number of user-defined signatures.

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

Sig-ID

Signature ID.

Direction

Direction attribute of the signature:

·     any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Severity

Attack severity level of the signature, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Category

Attack category of the signature.

Protocol

Protocol attribute of the signature.

 

display ips signature { pre-defined | user-defined }

Use display ips signature { pre-defined | user-defined } to display detailed information about an IPS signature.

Syntax

display ips signature { pre-defined | user-defined } signature-id

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pre-defined: Specifies a predefined signature.

user-defined: Specifies a user-defined signature.

signature-id: Specifies the signature ID. The value range is 1 to 4294967295.

Examples

# Display detailed information about predefined IPS signature 1.

<Sysname> display ips signature pre-defined 1

 Type        : Pre-defined

 Signature ID: 1

 Status      : Enabled

 Action      : Reset & Logging

 Name        : GNU_Bash_CVE-2014-6271_Remote_Code_Execution_Vulnerability

 Protocol    : TCP

 Severity    : High

 Fidelity    : Medium

 Direction   : To-server

 Category    : Vulnerability

 Reference   : CVE-2014-6271;

 Description : GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Table 3 Command output

Field

Description

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

Signature ID

Signature ID.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

Name

Name of the IPS signature.

Protocol

Protocol attribute of the signature.

Severity

Attack severity, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Direction

Direction attribute of the signature:

·     any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Category

Attack category of the signature.

Reference

Reference for the signature.

Description

Description for the signature.

 

display ips signature information

Use display ips signature information to display IPS signature library information.

Syntax

display ips signature information

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IPS signature library information.

<Sysname> display ips signature information

IPS signature library information:

Type     SigVersion         ReleaseTime               Size

Current  1.02               Fri Sep 13 09:05:35 2014  71594

Last     -                  -                         -

Factory  1.00               Fri Sep 11 09:05:35 2014  71394

Table 4 Command output

Field

Description

Type

Version type of the IPS signature library:

·     Current—Current version.

·     Last—Previous version.

·     Factory—Factory default version.

SigVersion

Version number of the IPS signature library.

ReleaseTime

Release time of the IPS signature library.

Size

Size of the IPS signature file in bytes.

 

display ips signature user-defined parse-failed

Use display ips signature user-defined parse-failed to display information about the user-defined IPS signatures that failed to be parsed during signature import.

Syntax

display ips signature user-defined parse-failed

Views

Any view

Predefined user roles

network-admin

Examples

# Display information about the user-defined IPS signatures that failed to be imported

<Sysname> display ips signature user-defined parse-failed

LineNo  SID         Information

1       None        Error: Invalid actions.

                    Tip: Only actions {alert|drop|pass|reject|sdrop|log} are supported

2       1010082     Error: Invalid signature ID.

                    Tip: The signature ID must be in the range of 1 to 536870912

3       1010083     Error: Invalid protocol.

                    Tip: Only protocols {tcp|udp|icmp|ip} are supported

4       1010084     Error: Invalid direction.

                    Tip: Only directions {'<>'|'->'} are supported

Table 5 Command output

Field

Description

LineNo

Line number where the signature is located in the Snort file.

SID

Signature ID.

Information

Signature information:

·     Error—Reason for the parse failure.

·     Tip—Tip for editing the signature rule in the file.

 

Related commands

ips signature import snort

ips apply policy

Use ips apply policy to apply an IPS policy to a DPI application profile.

Use undo ips apply policy to remove the application.

Syntax

ips apply policy policy-name mode { alert | protect }

undo ips apply policy

Default

No IPS policy is applied to a DPI application profile.

Views

DPI application profile view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.

mode: Specifies an IPS policy mode.

alert: Only captures or logs matching packets.

protect: Takes all actions specified for signatures to process matching packets

Usage guidelines

An IPS policy takes effect only after it is applied to a DPI application profile.

You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply IPS policy ips1 to DPI application profile sec. Set the IPS policy mode to protect.

<Sysname> system-view

[Sysname] app-profile sec

[Sysname-app-profile-sec] ips apply policy ips1 mode protect

Related commands

app-profile

ips policy

ips parameter-profile

Use ips parameter-profile to specify a parameter profile for an IPS action.

Use undo ips parameter-profile to remove the parameter profile from an IPS action.

Syntax

ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name

undo ips { block-source | capture | email | logging | redirect } parameter-profile

Default

No parameter profile is specified for an IPS action.

Views

System view

Predefined user roles

network-admin

Parameters

block-source: Specifies a parameter profile for the block-source action.

capture: Specifies a parameter profile for the capture action.

email: Specifies a parameter profile for the email action.

logging: Specifies a parameter profile for the logging action.

redirect: Specifies a parameter profile for the redirect action.

parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to specify the parameter profile used by an IPS action. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.

For information about configuring parameter profiles, see DPI Configuration Guide.

Examples

# Create parameter profile ips1. Set the source IP address blocking period to 1111 seconds.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile ips1

[Sysname-inspect-block-source-ips1] block-period 1111

[Sysname-inspect-block-source-ips1] quit

# Specify the parameter profile ips1 for the block-source action.

[Sysname] ips block-source parameter-profile ips1

Related commands

inspect block-source parameter-profile

inspect capture parameter-profile

inspect logging parameter-profile

inspect email parameter-profile

inspect redirect parameter-profile

ips policy

Use ips policy to create an IPS policy and enter its view, or enter the view of an existing IPS policy.

Use undo ips policy to delete an IPS policy.

Syntax

ips policy policy-name

undo ips policy policy-name

Default

An IPS policy named default exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IPS policy includes all signatures on the device, whether or not the signatures are added to the device before the policy is created.

You cannot modify the signatures in the default IPS policy. In a user-defined policy, you can enable or disable a signature, or edit the actions for a signature.

Examples

# Create IPS policy ips1 and enter its view.

<Sysname> system-view

[Sysname] ips policy ips1

[Sysname-ips-policy-ips1]

ips signature auto-update

Use ips signature auto-update to enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

Use undo ips signature auto-update to disable automatic IPS signature library update.

Syntax

ips signature auto-update

undo ips signature auto-update

Default

Automatic IPS signature library update is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable automatic IPS signature library update, the device periodically accesses the H3C website to download the latest IPS signatures.

Examples

# Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate]

Related commands

update schedule

ips signature auto-update-now

Use ips signature auto-update-now to trigger an automatic signature library update manually.

Syntax

ips signature auto-update-now

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you execute this command, the device immediately starts the automatic signature library update process no matter whether or not automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.

You can execute this command anytime you find a new version of signature library on the H3C website.

Examples

# Trigger an automatic signature library update manually.

<Sysname> system-view

[Sysname] ips signature auto-update-now

ips signature import snort

Use ips signature import snort to import user-defined IPS signatures.

Syntax

ips signature import snort file-path

Default

No user-defined IPS signatures exist.

Views

System view

Predefined user roles

network-admin

Parameters

file-path: Specifies the path of the file where the IPS signatures to be imported are stored. The value for this argument is a string of 1 to 255 characters.

Usage guidelines

To add your own IPS signatures, create an IPS signature file in the Snort format and use this command to import the signatures.

Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.

To view the imported IPS signatures, use the display ips signature user-defined command.

The following methods are available for IPS signature import:

·     Local method—Imports IPS signatures from a local IPS signature file.

The following describes the format of the file-path parameter for different import scenarios.

 

Import scenario

Format of file-path

Remarks

The import file is stored in the current working directory.

filename

To display the current working directory, use the pwd command.

For information about the pwd command, see file system management in Fundamentals Command Reference.

The import file is stored in a different directory on the same storage medium.

filename

Before configuring the ips signature import snort command, use the cd command to open the directory where the file is stored.

For information about the cd command, see file system management in Fundamentals Command Reference.

The import file is stored on a different storage medium.

path/filename

Before configuring the ips signature import snort command, use the cd command to open the root directory of the storage medium where the file is stored.

For information about the cd command, see file system management in Fundamentals Command Reference.

 

·     FTP/TFTP method—Imports IPS signatures from an IPS signature file stored on an FTP or TFTP server.

The following describes the format of the file-path parameter for different import scenarios.

 

Import scenario

Format of file-path

Remarks

The import file is stored on an FTP server.

ftp://username:password@server address/filename

The username parameter represents the FTP login username.

The password parameter represents the FTP login password.

The server address parameter represents the IP address or host name of the FTP server.

Replace the following special characters in the FTP login username and password with their respective escape characters:

·     Colon (:)—%3A or %3a.

·     At sign (@)—%40.

·     Forward slash (/)—%2F or %2f.

The import file is stored on a TFTP server.

tftp://server address/filename

The server address parameter represents the IP address or host name of the TFTP server.

 

When you configure a Snort rule in the IPS signature file, follow these restrictions and guidelines:

·     Use the correct syntax for the rule.

·     Specify an SID in the range of 1 to 536870911 for the rule. Rules with larger IDs are invalid.

·     The SID of the rule must be different from the SIDs of any existing Snort rules on the device.

·     Be sure to configure the msg field for the rule. If the msg field is not configured, the attack name of the rule will not be displayed in the IPS syslog message.

·     Make sure the application specified in the rule is identifiable. Otherwise, no packets can match the rule.

Examples

# Import IPS signatures from an IPS signature file that is stored on a TFTP server.

<Sysname> system-view

[Sysname] ips signature import snort tftp://192.168.0.1/snort.rules

Related commands

display ips signature user-defined

ips signature remove snort

ips signature remove snort

Use ips signature remove snort to delete all imported user-defined IPS signatures.

Syntax

ips signature remove snort

Views

System view

Predefined user roles

network-admin

Examples

# Delete all imported user-defined IPS signatures.

<Sysname> system-view

[Sysname] ips signature remove snort

Related commands

ips signature import snort

ips signature rollback

Use ips signature rollback to roll back the IPS signature library.

Syntax

ips signature rollback { factory | last }

Views

System view

Predefined user roles

network-admin

Parameters

factory: Rolls back the IPS signature library to the factory default version.

last: Rolls back the IPS signature library to the previous version.

Usage guidelines

If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.

Before performing an IPS signature library rollback, the device backs up the current IPS signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.

Examples

# Roll back the IPS signature library to the previous version.

<Sysname> system-view

[Sysname] ips signature rollback last

ips signature update

Use ips signature update to manually update the IPS signature library.

Syntax

ips signature update [ override-current ] file-path

Views

System view

Predefined user roles

network-admin

Parameters

override-current: Overwrites the current IPS signature library without backing up the library. For the device to back up the current IPS signature library before overwriting the library, do not specify this keyword.

file-path: Specifies the IPS signature file path, a string of 1 to 255 characters.

Usage guidelines

If the device cannot access the H3C website, use one of the following methods to manually update the IPS signature library:

·     Local update—Updates the IPS signature library by using a locally stored update IPS signature file.

(In IRF mode.) Store the update file on the master device for successful signature library update.

The following describes the format of the file-path parameter for different update scenarios.

 

Update scenario

Format of file-path

Remarks

The update file is stored in the current working directory.

filename

To display the current working directory, use the pwd command.

For information about the pwd command, see file system management in Fundamentals Command Reference.

The update file is stored in a different directory on the same storage medium.

filename

Before configuring the ips signature update command, use the cd command to open the directory where the file is stored.

For information about the cd command, see file system management in Fundamentals Command Reference.

The update file is stored on a different storage medium.

path/filename

Before configuring the ips signature update command, use the cd command to open the root directory of the storage medium where the file is stored.

For information about the cd command, see file system management in Fundamentals Command Reference.

 

·     FTP/TFTP update—Updates the IPS signature library by using the file stored on an FTP or TFTP server.

The following describes the format of the file-path parameter for different update scenarios.

 

Update scenario

Format of file-path

Remarks

The update file is stored on an FTP server.

ftp://username:password@server address/filename

The username parameter represents the FTP login username.

The password parameter represents the FTP login password.

The server address parameter represents the IP address or host name of the FTP server.

Replace the following special characters in the FTP login username and password with their respective escape characters:

·     Colon (:)—%3A or %3a.

·     At sign (@)—%40.

·     Forward slash (/)—%2F or %2f.

The update file is stored on a TFTP server.

tftp://server address/filename

The server address parameter represents the IP address or host name of the TFTP server.

 

 

NOTE:

To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.

 

Examples

# Manually update the IPS signature library by using an IPS signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] ips signature update tftp://192.168.0.10/ips-1.0.2-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.

<Sysname> system-view

[Sysname] ips signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/ips-1.0.2-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfa0:/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] ips signature update ips-1.0.23-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfa0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd dpi

<Sysname> system-view

[Sysname] ips signature update ips-1.0.23-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfb0:/dpi/ips-1.0.23-en.dat, and the current working directory is the cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] ips signature update dpi/ips-1.0.23-en.dat

ips signature update-log

Use ips signature update-log send-time to enable logging for IPS signature library update and rollback events and daily output of the logs at the specified time.

Use undo ips signature update-log send-time to disable logging for IPS signature library update and rollback events.

Syntax

ips signature update-log send-time time

undo ips signature update-log send-time

Default

Logging for IPS signature library update and rollback events is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the daily log output time, in the format of hh:mm:ss. The value range is 00:00:00 to 23:59:59.

Usage guidelines

This command enables the device to log successful IPS signature library update and rollback events and to output the logs at the specified time.

The device supports outputting IPS signature library update and rollback logs only as fast logs to log hosts. For the IPS logs to be output correctly, make sure the following requirements are met:

·     Fast log output of IPS logs in SGCC format are enabled by using the customlog format dpi ips sgcc command.

·     The log hosts where the IPS logs should be sent are configured by using the customlog host command.

For more information about the preceding commands, see fast log output commands in Network Management and Monitoring Command Reference.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable logging for IPS signature library update and rollback events and set the daily output time to 12:12:12.

<Sysname> system-view

[Sysname] ips signature update-log send-time 12:12:12

object-dir

Use object-dir to specify a direction criterion to filter IPS signatures in an IPS policy.

Use undo object-dir to restore the default.

Syntax

object-dir { client | server } *

undo object-dir

Default

The direction attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

client: Specifies the server to client direction.

server: Specifies the client to server direction.

Usage guidelines

Each IPS signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.

IPS signatures with the Any direction attribute are always used by an IPS policy, regardless of the settings of this command. For example, if you configure the object-dir client command for an IPS policy, the policy will use IPS signatures with both the To-client and Any direction attributes.

If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy test to use IPS signatures with the To-client and Any direction attributes.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] object-dir client

override-current

Use override-current to configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

Use undo override-current to restore the default.

Syntax

override-current

undo override-current

Default

Before performing an automatic IPS signature library update, the device backs up the current IPS signature library as the previous version.

Views

Automatic IPS signature library update configuration view

Predefined user roles

network-admin

Usage guidelines

Backing up the current IPS signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.

Examples

# Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate] override-current

Related commands

ips signature auto-update

protect-target

Use protect-target to set a target criterion to filter the IPS signatures in an IPS policy.

Use undo protect-target to remove a target criterion.

Syntax

protect-target { target [ subtarget ] | all }

undo protect-target { target [ subtarget ] | all }

Default

The protected target attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

target: Specifies a target.

subtarget: Specifies a subtarget of the target. If you do not specify a subtarget, this command matches any IPS signatures with a subtarget of the specified target.

all: Specifies all targets.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the protected target attribute of the signatures.

You can execute this command multiple times to specify multiple target criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured target criteria.

Examples

# Configure IPS policy test to use IPS signatures with the WebLogic subtarget of the WebServer target.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] protect-target WebServer WebLogic

severity-level

Use severity-level to set a severity level criterion to filter the IPS signatures in an IPS policy.

Use undo severity-level to restore the default.

Syntax

severity-level { critical | high | low | medium } *

undo severity-level

Default

The severity level attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

critical: Specifies the critical severity level.

high: Specifies the high severity level.

low: Specifies the low severity level.

medium: Specifies the medium severity level.

Usage guidelines

Each IPS signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.

This command filters the IPS signatures that an IPS policy uses based on the severity level attribute of the signatures.

You can specify multiple severity levels in a severity level criterion. The IPS policy uses an IPS signature if the signature matches any of the specified severity levels.

If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy test to use IPS signatures with the critical and medium severity levels.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] severity-level critical medium

signature override

Use signature override to change the status and actions for an IPS signature in an IPS policy.

Use undo signature override to restore the default status and actions for an IPS signature in an IPS policy.

Syntax

signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }

undo signature override { pre-defined | user-defined } signature-id

Default

Predefined IPS signatures use the actions and states defined by the system.

User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

pre-defined: Specifies a predefined IPS signature.

user-defined: Specifies a user-defined IPS signature.

signature-id: Specifies an IPS signature ID in the range of 1 to 536870911.

disable: Disables the IPS signature.

enable: Enables the IPS signature.

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

This command is available only for user-defined IPS policies. The signature actions and status in the default IPS policy cannot be modified.

If you execute this command for a signature in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Enable predefined signature 2 for IPS policy ips1. Specify the drop, capture, and logging actions for the signature.

<Sysname> system-view

[Sysname] ips policy ips1

[Sysname-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging

Related commands

blacklist global enable (Security Command Reference)

ips parameter-profile

ips policy

signature override all

signature override all

Use signature override all to specify the IPS actions for an IPS policy.

Use undo signature override all to restore the default.

Syntax

signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *

undo signature override all

Default

No actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

Use this command to specify the global packet processing actions for an IPS policy.

Each IPS signature is defined with default actions for matching packets. You can change the default actions for individual signatures in an IPS policy.

The system selects the actions for packets matching an IPS signature in the following order:

1.     Actions configured for the IPS signature in the IPS policy (by using the signature override command).

2.     Actions configured for the IPS policy.

3.     Default actions of the IPS signature.

Examples

# Specify actions drop, logging, and capture for IPS policy test.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] signature override all drop logging capture

Related commands

blacklist global enable (Security Command Reference)

ips parameter-profile

signature override

update schedule

Use update schedule to schedule the time for automatic IPS signature library update.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device starts updating the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.

Views

Automatic IPS signature library update configuration view

Predefined user roles

network-admin

Parameters

daily: Updates the IPS signature library every day.

weekly: Updates the IPS signature library every week.

fri: Updates the IPS signature library every Friday.

mon: Updates the IPS signature library every Monday.

sat: Updates the IPS signature library every Saturday.

sun: Updates the IPS signature library every Sunday.

thu: Updates the IPS signature library every Thursday.

tue: Updates the IPS signature library every Tuesday.

wed: Updates the IPS signature library every Wednesday.

start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:

·     Start time minus half the tolerance time.

·     Start time plus half the tolerance time.

Examples

# Configure the device to automatically update the IPS signature library every Monday at a random time between 20:25:00 and 20:35:00.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10

Related commands

ips signature auto-update