Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-IPS commands | 151.97 KB |
display ips signature { pre-defined | user-defined }
display ips signature information
display ips signature user-defined parse-failed
IPS commands
action
Use action to configure the action criterion for IPS signature filtering in an IPS policy.
Use undo action to restore the default.
Syntax
action { block-source | drop | permit | reset } *
undo action
Default
The action attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
block-source: Specifies the block source action.
drop: Specifies the drop action.
permit: Specifies the permit action.
reset: Specifies the reset action.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the actions associated with the signatures.
You can specify multiple actions in an action criterion. The IPS policy uses an IPS signature if the signature is associated with any of the specified actions.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures associated with the drop or reset action.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] action drop reset
attack-category
Use attack-category to specify an attack category criterion to filter IPS signatures in an IPS policy.
Use undo attack-category to delete an attack category criterion.
Syntax
attack-category { category [ subcategory ] | all }
undo attack-category { category [ subcategory | all] }
Default
The attack category attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
category-name: Specifies an attack category.
subcategory: Specifies a subcategory of the attack category. If you do not specify a subcategory, this command matches any IPS signature with a subcategory of the specified attack category.
all: Specifies all attack categories.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the attack category attribute of the signatures.
You can execute this command multiple times to specify multiple attack category criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured attack category criteria.
Examples
# Configure IPS policy test to use IPS signatures with the SQLInjection attack subcategory of the Vulnerability attack category.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] attack-category Vulnerability SQLInjection
display ips policy
Use display ips policy to display IPS policy information.
Syntax
display ips policy policy-name
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Display information about IPS policy aa.
<Sysname> display ips policy aa
Total signatures :10929 failed:0
Pre-defined signatures:10925 failed:0
User-defined signatures:4 failed:0
Flag:
B: Block-Source D: Drop P: Permit Rs: Reset Rd: Redirect C: Capture L: L
ogging
Pre: predefined User: user-defined
Type RuleID Target SubTarget Severity Direction Category
SubCategory Status Action
Pre 1 OperationSystem LinuxUnix High Server Vulnerability
RemoteCodeExecu Enable RsL
Pre 2 OperationSystem LinuxUnix High Server Vulnerability
MemoryCorruptio Enable RsL
Pre 4 OfficeSoftware MicrosoftOffice High Any Vulnerability
Overflow Enable RsL
Pre 5 OfficeSoftware MicrosoftOffice High Any Vulnerability
MemoryCorruptio Enable RsL
Pre 6 Browser InternetExplore High Any Vulnerability
MemoryCorruptio Enable RsL
Pre 7 Browser InternetExplore High Any Vulnerability
MemoryCorruptio Enable RsL
Pre 8 ApplicationSoft MediaPlayer High Any Vulnerability
RemoteCodeExecu Enable RsL
Pre 9 ApplicationSoft Security High Server Vulnerability
Overflow Enable DL
Pre 10 Browser InternetExplore High Server Vulnerability
InsecureLibrary Enable RsL
Pre 11 Browser InternetExplore High Any InformationDis
c SensitiveInfo Enable RsL
Pre 12 OfficeSoftware MicrosoftOffice Critical Any Vulnerability
RemoteCodeExecu Enable RsL
Pre 13 OfficeSoftware MicrosoftOffice High Any Vulnerability
MemoryCorruptio Enable RsL
Pre 14 ApplicationSoft IM High Server Vulnerability
InsecureLibrary Enable RsL
Pre 15 Browser InternetExplore High Any Vulnerability
RemoteCodeExecu Enable RsL
…
Table 1 Command output
|
Field |
Description |
|
Total signatures |
Total number of IPS signatures. |
|
Pre-defined signatures |
Total number of predefined IPS signatures. |
|
User-defined signatures |
Total number of user-defined signatures. |
|
Type |
Type of the IPS signature: · Pre—Predefined IPS signatures. · User—User-defined signatures. |
|
RuleID |
Signature ID. |
|
Target |
Attacked target |
|
SubTarget |
Attacked subtarget. |
|
Severity |
Attack severity level of the signature, Low, Medium, High, or Critical. |
|
Direction |
Traffic direction to which the IPS signature applies: · Any—Both server to client and client to server directions. · Client—Server to client direction. · Server— Client to server direction. |
|
Category |
Attack category of the signature. |
|
Subcategory |
Attack subcategory of the signature. |
|
Status |
Status of the IPS signature, Enabled or Disabled. |
|
Action |
Actions for matching packets: · Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · Drop—Drops matching packets. · Permit—Permits matching packets to pass. · Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. · Redirect—Redirects matching packets to a webpage. · Capture—Captures matching packets. · Logging—Logs matching packets. |
Related commands
ips policy
display ips signature
Use display ips signature to display IPS signature information.
Syntax
display ips signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
pre-defined: Specifies predefined IPS signatures.
user-defined: Specifies user-defined IPS signatures.
direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays IPS signatures with any direction attribute.
· to-server: Specifies the client to server direction of a session.
· to-client: Specifies the server to client direction of a session.
· any: Specifies both directions of a session.
category category-name: Specifies an attack category. To view the names of supported attack categories, enter a question mark (?) after the category keyword. If you do not specify an attack category, this command displays IPS signatures for all attack categories.
fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays IPS signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.
· low: Specifies the low fidelity.
· medium: Specifies the medium fidelity.
· high: Specifies the high fidelity.
protocol { icmp | ip | tcp | udp }: Specifies a protocol. If you do not specify a protocol, this command displays IPS signatures for all protocols.
severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays IPS signatures for all severity levels of attacks.
· low: Specifies the low severity level.
· medium: Specifies the medium severity level.
· high: Specifies the high severity level.
· critical: Specifies the critical severity level.
Usage guidelines
If you do not specify any options, this command displays all IPS signatures.
Examples
# Display predefined IPS signatures of the medium fidelity level for TCP.
<Sysname> display ips signature pre-defined protocol tcp fidelity medium
Pre-defined signatures:465 failed:0
Flag:
Pre: predefined User: user-defined
Type Sig-ID Direction Severity Fidelity Category Protocol
Pre 1 To-server High Medium Vulnerability TCP
Pre 2 To-server High Medium Vulnerability TCP
Pre 3 To-client High Medium Vulnerability TCP
Pre 4 To-client High Medium Vulnerability TCP
Pre 5 To-client High Medium Vulnerability TCP
Pre 6 To-client High Medium Vulnerability TCP
Pre 7 To-client High Medium Vulnerability TCP
Pre 8 To-client High Medium Vulnerability TCP
Pre 10 To-server High Medium Vulnerability TCP
Pre 11 To-client High Medium Vulnerability TCP
Pre 12 To-client Critical Medium Vulnerability TCP
Pre 13 To-client High Medium Vulnerability TCP
Pre 14 To-server High Medium Vulnerability TCP
Pre 15 To-client High Medium Vulnerability TCP
Pre 16 To-client Critical Medium Vulnerability TCP
Pre 17 To-client High Medium Vulnerability TCP
Pre 18 To-client High Medium Vulnerability TCP
…
# Display IPS signatures of the high attack severity level for UDP.
<Sysname> display ips signature severity high protocol udp
Total signatures :7 failed:0
Pre-defined signatures:7 failed:0
User-defined signatures:0 failed:0
Flag:
Pre: predefined User: user-defined
Type Sig-ID Direction Severity Fidelity Category Protocol
Pre 9 To-server High Medium Vulnerability UDP
Pre 45 To-server High Medium Vulnerability UDP
Pre 187 Any High Medium Vulnerability UDP
Pre 196 Any High Medium Vulnerability UDP
Pre 223 To-server High Medium Vulnerability UDP
Pre 234 To-client High Medium Vulnerability UDP
Pre 338 To-client High Medium Vulnerability UDP
…
Table 2 Command output
|
Field |
Description |
|
Total signatures |
Total number of IPS signatures. |
|
failed |
Total number of IPS signatures that failed to be imported and loaded during signature update. |
|
Pre-defined count |
Total number of predefined IPS signatures. |
|
User-defined count |
Total number of user-defined signatures. |
|
Type |
Type of the IPS signature: · Pre—Predefined IPS signatures. · User—User-defined signatures. |
|
Sig-ID |
Signature ID. |
|
Direction |
Direction attribute of the signature: · any—Specifies both directions of a session. · To-server—Specifies the client to server direction of a session. · To-client—Specifies the server to client direction of a session. |
|
Severity |
Attack severity level of the signature, Low, Medium, High, or Critical. |
|
Fidelity |
Fidelity level of the signature, Low, Medium, or High. |
|
Category |
Attack category of the signature. |
|
Protocol |
Protocol attribute of the signature. |
display ips signature { pre-defined | user-defined }
Use display ips signature { pre-defined | user-defined } to display detailed information about an IPS signature.
Syntax
display ips signature { pre-defined | user-defined } signature-id
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
pre-defined: Specifies a predefined signature.
user-defined: Specifies a user-defined signature.
signature-id: Specifies the signature ID. The value range is 1 to 4294967295.
Examples
# Display detailed information about predefined IPS signature 1.
<Sysname> display ips signature pre-defined 1
Type : Pre-defined
Signature ID: 1
Status : Enabled
Action : Reset & Logging
Name : GNU_Bash_CVE-2014-6271_Remote_Code_Execution_Vulnerability
Protocol : TCP
Severity : High
Fidelity : Medium
Direction : To-server
Category : Vulnerability
Reference : CVE-2014-6271;
Description : GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Table 3 Command output
|
Field |
Description |
|
Type |
Type of the IPS signature: · Pre—Predefined IPS signatures. · User—User-defined signatures. |
|
Signature ID |
Signature ID. |
|
Status |
Status of the IPS signature, Enabled or Disabled. |
|
Action |
Actions for matching packets: · Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · Drop—Drops matching packets. · Permit—Permits matching packets to pass. · Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. · Capture—Captures matching packets. · Logging—Logs matching packets. |
|
Name |
Name of the IPS signature. |
|
Protocol |
Protocol attribute of the signature. |
|
Severity |
Attack severity, Low, Medium, High, or Critical. |
|
Fidelity |
Fidelity level of the signature, Low, Medium, or High. |
|
Direction |
Direction attribute of the signature: · any—Specifies both directions of a session. · To-server—Specifies the client to server direction of a session. · To-client—Specifies the server to client direction of a session. |
|
Category |
Attack category of the signature. |
|
Reference |
Reference for the signature. |
|
Description |
Description for the signature. |
display ips signature information
Use display ips signature information to display IPS signature library information.
Syntax
display ips signature information
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display IPS signature library information.
<Sysname> display ips signature information
IPS signature library information:
Type SigVersion ReleaseTime Size
Current 1.02 Fri Sep 13 09:05:35 2014 71594
Last - - -
Factory 1.00 Fri Sep 11 09:05:35 2014 71394
Table 4 Command output
|
Field |
Description |
|
Type |
Version type of the IPS signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version. |
|
SigVersion |
Version number of the IPS signature library. |
|
ReleaseTime |
Release time of the IPS signature library. |
|
Size |
Size of the IPS signature file in bytes. |
display ips signature user-defined parse-failed
Use display ips signature user-defined parse-failed to display information about the user-defined IPS signatures that failed to be parsed during signature import.
Syntax
display ips signature user-defined parse-failed
Views
Any view
Predefined user roles
network-admin
Examples
# Display information about the user-defined IPS signatures that failed to be imported
<Sysname> display ips signature user-defined parse-failed
LineNo SID Information
1 None Error: Invalid actions.
Tip: Only actions {alert|drop|pass|reject|sdrop|log} are supported
2 1010082 Error: Invalid signature ID.
Tip: The signature ID must be in the range of 1 to 536870912
3 1010083 Error: Invalid protocol.
Tip: Only protocols {tcp|udp|icmp|ip} are supported
4 1010084 Error: Invalid direction.
Tip: Only directions {'<>'|'->'} are supported
Table 5 Command output
|
Field |
Description |
|
LineNo |
Line number where the signature is located in the Snort file. |
|
SID |
Signature ID. |
|
Information |
Signature information: · Error—Reason for the parse failure. · Tip—Tip for editing the signature rule in the file. |
Related commands
ips signature import snort
ips apply policy
Use ips apply policy to apply an IPS policy to a DPI application profile.
Use undo ips apply policy to remove the application.
Syntax
ips apply policy policy-name mode { alert | protect }
undo ips apply policy
Default
No IPS policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies an IPS policy mode.
alert: Only captures or logs matching packets.
protect: Takes all actions specified for signatures to process matching packets
Usage guidelines
An IPS policy takes effect only after it is applied to a DPI application profile.
You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply IPS policy ips1 to DPI application profile sec. Set the IPS policy mode to protect.
<Sysname> system-view
[Sysname] app-profile sec
[Sysname-app-profile-sec] ips apply policy ips1 mode protect
Related commands
app-profile
ips policy
ips parameter-profile
Use ips parameter-profile to specify a parameter profile for an IPS action.
Use undo ips parameter-profile to remove the parameter profile from an IPS action.
Syntax
ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name
undo ips { block-source | capture | email | logging | redirect } parameter-profile
Default
No parameter profile is specified for an IPS action.
Views
System view
Predefined user roles
network-admin
Parameters
block-source: Specifies a parameter profile for the block-source action.
capture: Specifies a parameter profile for the capture action.
email: Specifies a parameter profile for the email action.
logging: Specifies a parameter profile for the logging action.
redirect: Specifies a parameter profile for the redirect action.
parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to specify the parameter profile used by an IPS action. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.
For information about configuring parameter profiles, see DPI Configuration Guide.
Examples
# Create parameter profile ips1. Set the source IP address blocking period to 1111 seconds.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile ips1
[Sysname-inspect-block-source-ips1] block-period 1111
[Sysname-inspect-block-source-ips1] quit
# Specify the parameter profile ips1 for the block-source action.
[Sysname] ips block-source parameter-profile ips1
Related commands
inspect block-source parameter-profile
inspect capture parameter-profile
inspect logging parameter-profile
inspect email parameter-profile
inspect redirect parameter-profile
ips policy
Use ips policy to create an IPS policy and enter its view, or enter the view of an existing IPS policy.
Use undo ips policy to delete an IPS policy.
Syntax
ips policy policy-name
undo ips policy policy-name
Default
An IPS policy named default exists.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPS policy includes all signatures on the device, whether or not the signatures are added to the device before the policy is created.
You cannot modify the signatures in the default IPS policy. In a user-defined policy, you can enable or disable a signature, or edit the actions for a signature.
Examples
# Create IPS policy ips1 and enter its view.
<Sysname> system-view
[Sysname] ips policy ips1
[Sysname-ips-policy-ips1]
ips signature auto-update
Use ips signature auto-update to enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.
Use undo ips signature auto-update to disable automatic IPS signature library update.
Syntax
ips signature auto-update
undo ips signature auto-update
Default
Automatic IPS signature library update is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable automatic IPS signature library update, the device periodically accesses the H3C website to download the latest IPS signatures.
Examples
# Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate]
Related commands
update schedule
ips signature auto-update-now
Use ips signature auto-update-now to trigger an automatic signature library update manually.
Syntax
ips signature auto-update-now
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you execute this command, the device immediately starts the automatic signature library update process no matter whether or not automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Trigger an automatic signature library update manually.
<Sysname> system-view
[Sysname] ips signature auto-update-now
ips signature import snort
Use ips signature import snort to import user-defined IPS signatures.
Syntax
ips signature import snort file-path
Default
No user-defined IPS signatures exist.
Views
System view
Predefined user roles
network-admin
Parameters
file-path: Specifies the path of the file where the IPS signatures to be imported are stored. The value for this argument is a string of 1 to 255 characters.
Usage guidelines
To add your own IPS signatures, create an IPS signature file in the Snort format and use this command to import the signatures.
Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.
To view the imported IPS signatures, use the display ips signature user-defined command.
The following methods are available for IPS signature import:
· Local method—Imports IPS signatures from a local IPS signature file.
The following describes the format of the file-path parameter for different import scenarios.
|
Import scenario |
Format of file-path |
Remarks |
|
The import file is stored in the current working directory. |
filename |
To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
|
The import file is stored in a different directory on the same storage medium. |
filename |
Before configuring the ips signature import snort command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
|
The import file is stored on a different storage medium. |
path/filename |
Before configuring the ips signature import snort command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP method—Imports IPS signatures from an IPS signature file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different import scenarios.
|
Import scenario |
Format of file-path |
Remarks |
|
The import file is stored on an FTP server. |
ftp://username:password@server address/filename |
The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: · Colon (:)—%3A or %3a. · At sign (@)—%40. · Forward slash (/)—%2F or %2f. |
|
The import file is stored on a TFTP server. |
tftp://server address/filename |
The server address parameter represents the IP address or host name of the TFTP server. |
When you configure a Snort rule in the IPS signature file, follow these restrictions and guidelines:
· Use the correct syntax for the rule.
· Specify an SID in the range of 1 to 536870911 for the rule. Rules with larger IDs are invalid.
· The SID of the rule must be different from the SIDs of any existing Snort rules on the device.
· Be sure to configure the msg field for the rule. If the msg field is not configured, the attack name of the rule will not be displayed in the IPS syslog message.
· Make sure the application specified in the rule is identifiable. Otherwise, no packets can match the rule.
Examples
# Import IPS signatures from an IPS signature file that is stored on a TFTP server.
<Sysname> system-view
[Sysname] ips signature import snort tftp://192.168.0.1/snort.rules
Related commands
display ips signature user-defined
ips signature remove snort
ips signature remove snort
Use ips signature remove snort to delete all imported user-defined IPS signatures.
Syntax
ips signature remove snort
Views
System view
Predefined user roles
network-admin
Examples
# Delete all imported user-defined IPS signatures.
<Sysname> system-view
[Sysname] ips signature remove snort
Related commands
ips signature import snort
ips signature rollback
Use ips signature rollback to roll back the IPS signature library.
Syntax
ips signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
Parameters
factory: Rolls back the IPS signature library to the factory default version.
last: Rolls back the IPS signature library to the previous version.
Usage guidelines
If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.
Before performing an IPS signature library rollback, the device backs up the current IPS signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the IPS signature library to the previous version.
<Sysname> system-view
[Sysname] ips signature rollback last
ips signature update
Use ips signature update to manually update the IPS signature library.
Syntax
ips signature update [ override-current ] file-path
Views
System view
Predefined user roles
network-admin
Parameters
override-current: Overwrites the current IPS signature library without backing up the library. For the device to back up the current IPS signature library before overwriting the library, do not specify this keyword.
file-path: Specifies the IPS signature file path, a string of 1 to 255 characters.
Usage guidelines
If the device cannot access the H3C website, use one of the following methods to manually update the IPS signature library:
· Local update—Updates the IPS signature library by using a locally stored update IPS signature file.
(In IRF mode.) Store the update file on the master device for successful signature library update.
The following describes the format of the file-path parameter for different update scenarios.
|
Update scenario |
Format of file-path |
Remarks |
|
The update file is stored in the current working directory. |
filename |
To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
|
The update file is stored in a different directory on the same storage medium. |
filename |
Before configuring the ips signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
|
The update file is stored on a different storage medium. |
path/filename |
Before configuring the ips signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the IPS signature library by using the file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
|
Update scenario |
Format of file-path |
Remarks |
|
The update file is stored on an FTP server. |
ftp://username:password@server address/filename |
The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: · Colon (:)—%3A or %3a. · At sign (@)—%40. · Forward slash (/)—%2F or %2f. |
|
The update file is stored on a TFTP server. |
tftp://server address/filename |
The server address parameter represents the IP address or host name of the TFTP server. |
|
|
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide. |
Examples
# Manually update the IPS signature library by using an IPS signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] ips signature update tftp://192.168.0.10/ips-1.0.2-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] ips signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/ips-1.0.2-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfa0:/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> system-view
[Sysname] ips signature update ips-1.0.23-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfa0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] ips signature update ips-1.0.23-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfb0:/dpi/ips-1.0.23-en.dat, and the current working directory is the cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] ips signature update dpi/ips-1.0.23-en.dat
ips signature update-log
Use ips signature update-log send-time to enable logging for IPS signature library update and rollback events and daily output of the logs at the specified time.
Use undo ips signature update-log send-time to disable logging for IPS signature library update and rollback events.
Syntax
ips signature update-log send-time time
undo ips signature update-log send-time
Default
Logging for IPS signature library update and rollback events is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
time: Specifies the daily log output time, in the format of hh:mm:ss. The value range is 00:00:00 to 23:59:59.
Usage guidelines
This command enables the device to log successful IPS signature library update and rollback events and to output the logs at the specified time.
The device supports outputting IPS signature library update and rollback logs only as fast logs to log hosts. For the IPS logs to be output correctly, make sure the following requirements are met:
· Fast log output of IPS logs in SGCC format are enabled by using the customlog format dpi ips sgcc command.
· The log hosts where the IPS logs should be sent are configured by using the customlog host command.
For more information about the preceding commands, see fast log output commands in Network Management and Monitoring Command Reference.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable logging for IPS signature library update and rollback events and set the daily output time to 12:12:12.
<Sysname> system-view
[Sysname] ips signature update-log send-time 12:12:12
object-dir
Use object-dir to specify a direction criterion to filter IPS signatures in an IPS policy.
Use undo object-dir to restore the default.
Syntax
object-dir { client | server } *
undo object-dir
Default
The direction attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
client: Specifies the server to client direction.
server: Specifies the client to server direction.
Usage guidelines
Each IPS signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.
IPS signatures with the Any direction attribute are always used by an IPS policy, regardless of the settings of this command. For example, if you configure the object-dir client command for an IPS policy, the policy will use IPS signatures with both the To-client and Any direction attributes.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures with the To-client and Any direction attributes.
[Sysname] ips policy test
[Sysname-ips-policy-test] object-dir client
override-current
Use override-current to configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
Use undo override-current to restore the default.
Syntax
override-current
undo override-current
Default
Before performing an automatic IPS signature library update, the device backs up the current IPS signature library as the previous version.
Views
Automatic IPS signature library update configuration view
Predefined user roles
network-admin
Usage guidelines
Backing up the current IPS signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.
Examples
# Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate] override-current
Related commands
ips signature auto-update
protect-target
Use protect-target to set a target criterion to filter the IPS signatures in an IPS policy.
Use undo protect-target to remove a target criterion.
Syntax
protect-target { target [ subtarget ] | all }
undo protect-target { target [ subtarget ] | all }
Default
The protected target attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
target: Specifies a target.
subtarget: Specifies a subtarget of the target. If you do not specify a subtarget, this command matches any IPS signatures with a subtarget of the specified target.
all: Specifies all targets.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the protected target attribute of the signatures.
You can execute this command multiple times to specify multiple target criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured target criteria.
Examples
# Configure IPS policy test to use IPS signatures with the WebLogic subtarget of the WebServer target.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] protect-target WebServer WebLogic
severity-level
Use severity-level to set a severity level criterion to filter the IPS signatures in an IPS policy.
Use undo severity-level to restore the default.
Syntax
severity-level { critical | high | low | medium } *
undo severity-level
Default
The severity level attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
Each IPS signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.
This command filters the IPS signatures that an IPS policy uses based on the severity level attribute of the signatures.
You can specify multiple severity levels in a severity level criterion. The IPS policy uses an IPS signature if the signature matches any of the specified severity levels.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures with the critical and medium severity levels.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] severity-level critical medium
signature override
Use signature override to change the status and actions for an IPS signature in an IPS policy.
Use undo signature override to restore the default status and actions for an IPS signature in an IPS policy.
Syntax
signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }
undo signature override { pre-defined | user-defined } signature-id
Default
Predefined IPS signatures use the actions and states defined by the system.
User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
pre-defined: Specifies a predefined IPS signature.
user-defined: Specifies a user-defined IPS signature.
signature-id: Specifies an IPS signature ID in the range of 1 to 536870911.
disable: Disables the IPS signature.
enable: Enables the IPS signature.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
This command is available only for user-defined IPS policies. The signature actions and status in the default IPS policy cannot be modified.
If you execute this command for a signature in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Enable predefined signature 2 for IPS policy ips1. Specify the drop, capture, and logging actions for the signature.
<Sysname> system-view
[Sysname] ips policy ips1
[Sysname-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging
Related commands
blacklist global enable (Security Command Reference)
ips parameter-profile
ips policy
signature override all
signature override all
Use signature override all to specify the IPS actions for an IPS policy.
Use undo signature override all to restore the default.
Syntax
signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *
undo signature override all
Default
No actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
Use this command to specify the global packet processing actions for an IPS policy.
Each IPS signature is defined with default actions for matching packets. You can change the default actions for individual signatures in an IPS policy.
The system selects the actions for packets matching an IPS signature in the following order:
1. Actions configured for the IPS signature in the IPS policy (by using the signature override command).
2. Actions configured for the IPS policy.
3. Default actions of the IPS signature.
Examples
# Specify actions drop, logging, and capture for IPS policy test.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] signature override all drop logging capture
Related commands
blacklist global enable (Security Command Reference)
ips parameter-profile
signature override
update schedule
Use update schedule to schedule the time for automatic IPS signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic IPS signature library update configuration view
Predefined user roles
network-admin
Parameters
daily: Updates the IPS signature library every day.
weekly: Updates the IPS signature library every week.
fri: Updates the IPS signature library every Friday.
mon: Updates the IPS signature library every Monday.
sat: Updates the IPS signature library every Saturday.
sun: Updates the IPS signature library every Sunday.
thu: Updates the IPS signature library every Thursday.
tue: Updates the IPS signature library every Tuesday.
wed: Updates the IPS signature library every Wednesday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Examples
# Configure the device to automatically update the IPS signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
ips signature auto-update
