25-DPI Command Reference

H3C MSR1000[2600][3600] Routers Command Reference (V9)-R9119-6W100

IPS commands

action (IPS policy view)

Use action to configure the action criterion for IPS signature filtering in an IPS policy.

Use undo action to restore the default.

Syntax

action { block-source | drop | permit | reset } *

undo action

Default

The action attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

block-source: Specifies the block source action.

drop: Specifies the drop action.

permit: Specifies the permit action.

reset: Specifies the reset action.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the actions associated with the signatures.

You can specify multiple actions in an action criterion. The IPS policy uses an IPS signature if the signature is associated with any of the specified actions.

If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy test to use IPS signatures associated with the drop or reset action.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] action drop reset

action (IPS signature view)

Use action to configure the actions for a user-defined IPS signature.

Use undo action to restore the default.

Syntax

action { block-source | drop | permit | reset } [ capture | logging ] *

undo action

Default

The action for the user-defined IPS signature is permit.

Views

User-defined IPS signature view

Predefined user roles

network-admin

Parameters

block-source: Specifies the block source action.

drop: Specifies the drop action.

permit: Specifies the permit action.

reset: Specifies the reset action.

logging: Specifies the logging action.

capture: Specifies the capture action.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the drop action for user-defined IPS signature mysignature.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] action drop

attack-category

Use attack-category to specify an attack category criterion to filter IPS signatures in an IPS policy.

Use undo attack-category to delete an attack category criterion.

Syntax

attack-category { category-name [ subcategory ] | all }

undo attack-category { category-name [ subcategory ] | all }

Default

The attack category attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

category-name: Specifies an attack category.

subcategory: Specifies a subcategory of the attack category. If you do not specify a subcategory, this command matches any IPS signature with a subcategory of the specified attack category.

all: Specifies all attack categories.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the attack category attribute of the signatures.

You can execute this command multiple times to specify multiple attack category criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured attack category criteria.

Examples

# Configure IPS policy test to use IPS signatures with the SQLInjection attack subcategory of the Vulnerability attack category.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] attack-category Vulnerability SQLInjection
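The action and attack-category sections above describe how an IPS policy selects signatures: the action criterion is a single set of actions (re-executing the command replaces it, and a signature qualifies if it carries any of them), while attack-category criteria accumulate across executions, are OR-ed, and a criterion without a subcategory matches every subcategory of that category. The following Python model is an added illustration of those rules, not H3C code; the signature records are constructed, and the rule that a signature must satisfy both criterion types when both are configured is an assumption made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Signature:
    """Attributes of one IPS signature relevant to policy filtering (constructed model)."""
    sig_id: int
    actions: Set[str]        # actions associated with the signature, e.g. {"reset", "logging"}
    category: str
    subcategory: str


@dataclass
class PolicyFilter:
    """Filtering criteria of one IPS policy (hypothetical model of the CLI state)."""
    actions: Set[str] = field(default_factory=set)                              # action criterion
    categories: List[Tuple[str, Optional[str]]] = field(default_factory=list)   # attack-category criteria
    all_categories: bool = False

    def action(self, *actions: str) -> None:
        # Executing "action" again replaces the earlier criterion (most recent wins).
        self.actions = set(actions)

    def attack_category(self, category: str, subcategory: Optional[str] = None) -> None:
        # Each execution of "attack-category" adds one more criterion; "all" matches everything.
        if category == "all":
            self.all_categories = True
        else:
            self.categories.append((category, subcategory))


def _action_ok(sig: Signature, flt: PolicyFilter) -> bool:
    # No action criterion: the attribute is not used. Otherwise any listed action suffices.
    return not flt.actions or bool(sig.actions & flt.actions)


def _category_ok(sig: Signature, flt: PolicyFilter) -> bool:
    if flt.all_categories or not flt.categories:
        return True
    # A criterion without a subcategory matches any subcategory of that category.
    return any(cat == sig.category and (sub is None or sub == sig.subcategory)
               for cat, sub in flt.categories)


def select_signatures(sigs: List[Signature], flt: PolicyFilter) -> List[int]:
    """Return the IDs of signatures the policy would use under the given criteria."""
    # Assumption: when both criterion types are configured, a signature must satisfy both.
    return [s.sig_id for s in sigs if _action_ok(s, flt) and _category_ok(s, flt)]


# Constructed sample signatures (IDs and attributes are illustrative only).
SIGNATURES = [
    Signature(1, {"reset", "logging"}, "Vulnerability", "SQLInjection"),
    Signature(2, {"drop", "logging"}, "Vulnerability", "Overflow"),
    Signature(3, {"permit"}, "InformationDisc", "SensitiveInfo"),
    Signature(4, {"reset"}, "Vulnerability", "SQLInjection"),
]


def demo_drop_or_reset() -> List[int]:
    """Equivalent of: ips policy test / action drop reset."""
    flt = PolicyFilter()
    flt.action("drop", "reset")
    return select_signatures(SIGNATURES, flt)


def demo_replaced_action() -> List[int]:
    """Executing action twice: only the last set of actions remains."""
    flt = PolicyFilter()
    flt.action("drop", "reset")
    flt.action("permit")
    return select_signatures(SIGNATURES, flt)


def demo_category_any_subcategory() -> List[int]:
    """Equivalent of: attack-category Vulnerability (no subcategory given)."""
    flt = PolicyFilter()
    flt.attack_category("Vulnerability")
    return select_signatures(SIGNATURES, flt)


def demo_combined() -> List[int]:
    """Both an action criterion and an attack-category criterion configured."""
    flt = PolicyFilter()
    flt.action("drop")
    flt.attack_category("Vulnerability", "SQLInjection")
    flt.attack_category("Vulnerability", "Overflow")
    return select_signatures(SIGNATURES, flt)


if __name__ == "__main__":
    print(demo_drop_or_reset(), demo_replaced_action(),
          demo_category_any_subcategory(), demo_combined())
```

The combined case is the one to check against a real policy before relying on it: the reference states the OR behaviour inside each criterion type but not how the two types combine, so verify with display ips policy which signatures the device actually loads.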

description (IPS whitelist entry view)

Use description to configure the description for an IPS whitelist entry.

Use undo description to restore the default.

Syntax

description text

undo description

Default

An IPS whitelist entry does not have any description.

Views

IPS whitelist entry view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-insensitive string of 1 to 127 characters. The description can contain spaces.

Usage guidelines

A description allows easy identification of an IPS whitelist entry.

Examples

# Specify the description as News information for IPS whitelist entry 1.

<Sysname> system-view

[Sysname] ips whitelist 1

[Sysname-ips-whitelist-1] description News information

description (user-defined IPS signature view)

Use description to configure the description for a user-defined IPS signature.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A user-defined IPS signature does not have any description.

Views

User-defined IPS signature view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

A description allows easy identification of a user-defined IPS signature.

Examples

# Specify the description as mydescription for user-defined IPS signature mysignature.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] description mydescription

destination-address

Use destination-address to specify a destination IP address filtering criterion in a user-defined signature rule.

Use undo destination-address to remove a destination IP address filtering criterion from a user-defined signature rule.

Syntax

destination-address ip ip-address

undo destination-address

Default

No destination IP address is specified as the filtering criterion in a user-defined signature rule.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IPv4 address. It is used to match the packet destination IPv4 address.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In rule 1 of user-defined IPS signature mysignature, specify the keyword type as the match pattern type and specify destination IP address 10.1.1.1 as a filtering criterion.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] destination-address ip 10.1.1.1

destination-port

Use destination-port to specify a destination port filtering criterion in a user-defined signature rule.

Use undo destination-port to restore the default.

Syntax

destination-port start-port [ to end-port ]

undo destination-port

Default

No destination ports are specified as the filtering criteria in a user-defined signature rule.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

start-port: Specifies the start port number of a destination port range, in the range of 1 to 65535.

to end-port: Specifies the end port number of a destination port range, in the range of 1 to 65535. If you do not specify this option, only the start port number is specified.

Usage guidelines

The port numbers are used to match the destination port numbers of the specified transport layer protocol.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In rule 1 of user-defined IPS signature mysignature, specify the keyword type as the match pattern type and specify the destination port range as 1 to 3550.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] destination-port 1 to 3550

detection-integer

Use detection-integer to configure an integer detection item in a user-defined signature rule.

Use undo detection-integer to remove an integer detection item from a user-defined signature rule.

Syntax

detection-integer field field-name match-type { eq | gt | gt-eq | lt | lt-eq | nequ } number

undo detection-integer

Default

No integer detection items are configured in a user-defined signature rule.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

field-name: Specifies a protocol field by its name, a case-insensitive string. To view the names of supported protocol fields, enter a question mark (?) after the field keyword.

match-type { eq | gt | gt-eq | lt | lt-eq | nequ }: Specifies a match operator in the detection item:

·     eq: Matches numbers that are equal to the specified number.

·     gt: Matches numbers that are greater than the specified number.

·     gt-eq: Matches numbers that are greater than or equal to the specified number.

·     lt: Matches numbers that are less than the specified number.

·     lt-eq: Matches numbers that are less than or equal to the specified number.

·     nequ: Matches numbers that are not equal to the specified number.

number: Specifies a number in the range of 1 to 4294967295.

Usage guidelines

A user-defined IPS signature rule can contain multiple detection items. A packet matches a rule only when the packet matches all detection items in the rule. The match order of the detection items is their configuration order. To avoid detection errors, configure the detection items based on the sequence of the protocol fields in the HTTP protocol.

Examples

# In user-defined IPS signature mysignature, create rule 1 for TCP and HTTP protocols and specify the integer match pattern type. Create a detection item in the rule to match packets whose http-uri field value is 50.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type integer

[Sysname-ips-signature-mysignature-rule-1] detection-integer field http-uri match-type eq 50

detection-keyword

Use detection-keyword to configure a keyword detection item in a user-defined signature rule.

Use undo detection-keyword to remove a keyword detection item from a user-defined signature rule.

Syntax

detection-keyword detection-id field field-name match-type { exclude | include } { hex hex-string | regex regex-pattern | text text-string } [ offset offset-value [ depth depth-value ] | relative-offset relative-offset-value [ relative-depth relative-depth-value ] ]

undo detection-keyword detection-id

Default

No keyword detection items are configured in a user-defined signature rule.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

detection-id: Specifies a detection item ID, in the range of 1 to 10.

field field-name: Specifies a protocol field by its name, in a case-insensitive string. To view the names of supported protocol fields, enter a question mark (?) after the field keyword.

match-type { exclude | include }: Specifies a match operator in the detection item:

·     include: Matches contents that include the specified string.

·     exclude: Matches contents that do not include the specified string.

hex hex-string: Specifies a case-sensitive hexadecimal string of 8 to 254 characters. Valid characters are the digits 0 to 9 and the letters A to F and a to f. The string must contain an even number of characters and must be enclosed in vertical bars (|), for example |1234f5b6|.

regex regex-pattern: Specifies a case-sensitive regular expression string of 3 to 255 characters. The string can start only with a letter, a digit, or an underscore (_), and must contain 3 consecutive non-wildcard characters.

text text-string: Specifies a case-insensitive text string of 3 to 255 characters.

offset offset-value: Specifies an offset in bytes after which the match operation starts, in the range of 1 to 65535. The offset starts from the beginning of the protocol field. If you do not specify the offset-value argument, the match operation starts from the beginning of the protocol field.

depth depth-value: Specifies the number of bytes to match, in the range of 3 to 65535. If you do not specify the depth-value argument, the detection item inspects the whole protocol field.

relative-offset relative-offset-value: Specifies an offset in bytes after which the match operation starts, in the range of –32767 to –1 and 1 to 32767. The offset starts from the end of the previous detection item. If the offset value is positive, it offsets backward. If the offset value is negative, it offsets forward.

relative-depth relative-depth-value: Specifies the number of bytes to be matched, in the range of 3 to 65535.

Usage guidelines

This command is available only after the detection trigger condition is configured.

A user-defined IPS signature rule can contain multiple detection items. A packet matches a rule only when the packet matches all detection items in the rule. The match order of detection items is their configuration order.

The detection item only inspects the specified protocol field range. To define the start and end positions for the match operation, use either the offset and depth, or the relative offset and relative depth.

To avoid detection errors, configure detection items based on the sequence of protocol fields in the HTTP protocol.

Examples

# In user-defined IPS signature mysignature, create rule 1 for TCP and HTTP protocols and specify the keyword match pattern type. Create a detection item in the rule to match packets whose http-uri field includes abc. Specify the offset and depth as 10 bytes and 50 bytes, respectively.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] detection-keyword 1 field http-uri match-type include text abc offset 10 depth 50

Related commands

trigger
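The offset/depth and relative-offset/relative-depth parameters of detection-keyword define the byte window of the protocol field that each detection item inspects, and a rule matches only when every item matches in configuration order. The Python below is an added model of that matching logic, not H3C code: the DetectionItem class and the sample URIs are constructed here, the reading of a positive relative offset as "later in the field" and a negative one as "earlier" is an assumption, and so is the position an exclude item leaves for the next relative offset.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DetectionItem:
    """One detection-keyword item (hypothetical model of the CLI parameters)."""
    match_type: str                         # "include" or "exclude"
    content_type: str                       # "text" (case-insensitive), "hex" (|..|) or "regex"
    content: str
    offset: Optional[int] = None            # bytes skipped from the start of the field
    depth: Optional[int] = None             # bytes inspected after the offset (None = rest of field)
    relative_offset: Optional[int] = None   # bytes from the end of the previous item's match
    relative_depth: Optional[int] = None


def _window(field: bytes, item: DetectionItem, prev_end: Optional[int]) -> Tuple[int, int]:
    """Return the [start, end) byte range of the field that this item inspects."""
    if item.relative_offset is not None:
        if prev_end is None:
            raise ValueError("relative-offset requires a previous detection item")
        # Assumption: positive moves the window later in the field, negative earlier.
        start = prev_end + item.relative_offset
        length = item.relative_depth
    else:
        start = item.offset or 0
        length = item.depth
    start = max(0, min(start, len(field)))
    end = len(field) if length is None else min(len(field), start + length)
    return start, end


def _find(window: bytes, item: DetectionItem) -> Optional[Tuple[int, int]]:
    """Locate the item's content inside the window; return its span or None."""
    if item.content_type == "text":
        needle = item.content.lower().encode()       # text strings match case-insensitively
        idx = window.lower().find(needle)
    elif item.content_type == "hex":
        needle = bytes.fromhex(item.content.strip("|"))
        idx = window.find(needle)
    elif item.content_type == "regex":
        m = re.search(item.content.encode(), window)  # regex strings are case-sensitive
        return None if m is None else m.span()
    else:
        raise ValueError(f"unknown content type {item.content_type!r}")
    return None if idx < 0 else (idx, idx + len(needle))


def rule_matches(field: bytes, items: List[DetectionItem]) -> bool:
    """A rule matches only if every detection item matches, evaluated in configuration order."""
    prev_end: Optional[int] = None
    for item in items:
        start, end = _window(field, item, prev_end)
        hit = _find(field[start:end], item)
        if item.match_type == "include":
            if hit is None:
                return False
            prev_end = start + hit[1]          # next relative offset counts from here
        elif item.match_type == "exclude":
            if hit is not None:
                return False
            prev_end = end                     # assumption: an exclude item "ends" at its window end
        else:
            raise ValueError(f"unknown match type {item.match_type!r}")
    return True


# Constructed sample inputs (not taken from the command reference).
URI_LATE = b"/index.php?q=abc"    # "abc" starts at byte 13, inside the offset-10 window
URI_EARLY = b"/abc/page.html"     # "abc" starts at byte 1, before the window begins

# The reference's own example item: include text "abc", offset 10, depth 50.
ABC_ITEM = DetectionItem("include", "text", "abc", offset=10, depth=50)

# Chained items: find "abc" anywhere, then require "xyz" in the 3 bytes that begin
# one byte after the end of the "abc" match.
CHAIN = [
    DetectionItem("include", "text", "abc"),
    DetectionItem("include", "text", "xyz", relative_offset=1, relative_depth=3),
]

if __name__ == "__main__":
    print(rule_matches(URI_LATE, [ABC_ITEM]))      # True
    print(rule_matches(URI_EARLY, [ABC_ITEM]))     # False: the occurrence lies before the offset
    print(rule_matches(b"/p?abc1xyz", CHAIN))      # True
    print(rule_matches(b"/p?abcxyz1", CHAIN))      # False: "xyz" is adjacent, not one byte later
```

The two URI cases show why offset and depth matter when tuning a signature: the same keyword is present in both, but only the occurrence inside the configured window counts, so a window chosen too narrowly silently stops the signature from firing.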

direction

Use direction to specify the direction attribute in a user-defined signature.

Use undo direction to restore the default.

Syntax

direction { any | to-client | to-server }

undo direction

Default

The direction attribute of a user-defined IPS signature is any.

Views

User-defined IPS signature view

Predefined user roles

network-admin

Parameters

any: Specifies both directions.

to-server: Specifies the client-to-server direction.

to-client: Specifies the server-to-client direction.

Usage guidelines

You cannot execute this command multiple times to change the direction attribute. To change the direction attribute, first execute undo direction. Use the undo command with caution because the undo command also deletes all rules in the signature.

Examples

# In user-defined IPS signature mysignature, specify the server-to-client direction.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] direction to-client

display ips policy

Use display ips policy to display IPS policy information.

Syntax

display ips policy policy-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.

Examples

# Display information about IPS policy aa.

<Sysname> display ips policy aa

Total signatures        :10929     failed:0

 Pre-defined  signatures:10925     failed:0

 Snort  signatures      :0         failed:0

 User-config  signatures:0         failed:0

 

 

Flag:

  B: Block-Source  D: Drop  P: Permit  Rs: Reset  Rd: Redirect  C: Capture  L: Logging

  Pre: predefined   Snort: Snort  User: user-config

Type RuleID    Target          SubTarget       Severity Direction Category

  SubCategory     Status  Action

Pre  1         OperationSystem LinuxUnix       High     Server    Vulnerability

  RemoteCodeExecu Enable  RsL

Pre  2         OperationSystem LinuxUnix       High     Server    Vulnerability

  MemoryCorruptio Enable  RsL

Pre  4         OfficeSoftware  MicrosoftOffice High     Any       Vulnerability

  Overflow        Enable  RsL

Pre  5         OfficeSoftware  MicrosoftOffice High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  6         Browser         InternetExplore High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  7         Browser         InternetExplore High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  8         ApplicationSoft MediaPlayer     High     Any       Vulnerability

  RemoteCodeExecu Enable  RsL

Pre  9         ApplicationSoft Security        High     Server    Vulnerability

  Overflow        Enable  DL

Pre  10        Browser         InternetExplore High     Server    Vulnerability

  InsecureLibrary Enable  RsL

Pre  11        Browser         InternetExplore High     Any       InformationDisc

  SensitiveInfo   Enable  RsL

Pre  12        OfficeSoftware  MicrosoftOffice Critical Any       Vulnerability

  RemoteCodeExecu Enable  RsL

Pre  13        OfficeSoftware  MicrosoftOffice High     Any       Vulnerability

  MemoryCorruptio Enable  RsL

Pre  14        ApplicationSoft IM              High     Server    Vulnerability

  InsecureLibrary Enable  RsL

Pre  15        Browser         InternetExplore High     Any       Vulnerability

  RemoteCodeExecu Enable  RsL

---- More ----

Table 1 Command output

Field

Description

Total signatures

Total number of IPS signatures.

Pre-defined signatures

Total number of predefined IPS signatures.

User-config signatures

Total number of user-configured signatures.

Snort signatures

Total number of Snort signatures.

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures that are manually configured.

·     Snort—Snort signatures that are imported from a Snort file.

RuleID

Signature ID.

Target

Attacked target.

SubTarget

Attacked subtarget.

Severity

Attack severity level of the signature, Low, Medium, High, or Critical.

Direction

Traffic direction to which the IPS signature applies:

·     Any—Both server to client and client to server directions.

·     Client—Server to client direction.

·     Server—Client to server direction.

Category

Attack category of the signature.

Subcategory

Attack subcategory of the signature.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Redirect—Redirects matching packets to a webpage.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

Related commands

ips policy
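Auditing a policy usually means answering questions the display ips policy output does not answer directly, such as which enabled signatures carry no Logging action or how many signatures reset rather than drop. The parser below is an added Python example, not H3C code; its sample text is constructed in the shape of the output above, including the two quirks that trip up naive parsing: each row is wrapped at 80 columns onto two lines, and the Action column is a run of one- and two-letter flags (Rs and Rd are two letters) that must be tokenised, not split per character.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Flag letters exactly as listed in the Flag legend of "display ips policy".
ACTION_FLAGS = {"B": "Block-Source", "D": "Drop", "P": "Permit", "Rs": "Reset",
                "Rd": "Redirect", "C": "Capture", "L": "Logging"}
_FLAG_RE = re.compile(r"Rs|Rd|[BDPCL]")             # two-letter flags tried first
_ROW_START = re.compile(r"^(Pre|User|Snort)\s+\d+\s")


@dataclass
class PolicySignature:
    sig_type: str
    rule_id: int
    target: str
    sub_target: str
    severity: str
    direction: str
    category: str
    sub_category: str
    status: str
    actions: List[str]


def decode_actions(flags: str) -> List[str]:
    """Turn an Action cell such as 'RsL' into ['Reset', 'Logging']."""
    tokens = _FLAG_RE.findall(flags)
    if "".join(tokens) != flags:
        raise ValueError(f"unknown action flag string: {flags!r}")
    return [ACTION_FLAGS[t] for t in tokens]


def parse_policy_output(text: str) -> List[PolicySignature]:
    """Parse the signature table of 'display ips policy' into records."""
    rows: List[PolicySignature] = []
    physical: List[str] = []          # physical lines forming the current logical row

    def flush() -> None:
        if not physical:
            return
        # The CLI wraps each row at 80 columns. Joining fragments with no separator
        # restores a token cut mid-word ("InformationDis" + "c SensitiveInfo");
        # tokens that were not cut stay separated by the continuation line's leading spaces.
        parts = "".join(physical).split()
        if len(parts) != 10:
            raise ValueError(f"unexpected row layout: {parts}")
        rows.append(PolicySignature(parts[0], int(parts[1]), *parts[2:9],
                                    decode_actions(parts[9])))
        physical.clear()

    for line in text.splitlines():
        if _ROW_START.match(line):
            flush()
            physical.append(line)
        elif physical and line.strip() and not line.startswith("----"):
            physical.append(line)          # continuation of the current row
    flush()
    return rows


def enabled_without_logging(rows: List[PolicySignature]) -> List[int]:
    """Enabled signatures whose action set produces no log: blind spots for the SOC."""
    return [r.rule_id for r in rows if r.status == "Enable" and "Logging" not in r.actions]


def action_histogram(rows: List[PolicySignature]) -> Dict[str, int]:
    """How often each action is applied across the enabled signatures."""
    return dict(Counter(a for r in rows if r.status == "Enable" for a in r.actions))


# Constructed sample in the layout of the reference output (IDs and rows are illustrative).
SAMPLE_OUTPUT = """\
Total signatures        :5         failed:0
 Pre-defined  signatures:4         failed:0
 Snort  signatures      :0         failed:0
 User-config  signatures:1         failed:0

Flag:
  B: Block-Source  D: Drop  P: Permit  Rs: Reset  Rd: Redirect  C: Capture  L: L
ogging
  Pre: predefined   Snort: Snort  User: user-config
Type RuleID    Target          SubTarget       Severity Direction Category
  SubCategory     Status  Action
Pre  1         OperationSystem LinuxUnix       High     Server    Vulnerability
  RemoteCodeExecu Enable  RsL
Pre  9         ApplicationSoft Security        High     Server    Vulnerability
  Overflow        Enable  DL
Pre  11        Browser         InternetExplore High     Any       InformationDis
c SensitiveInfo   Enable  RsL
User 1073741840 WebServer      Generic         Low      Any       Vulnerability
  SQLInjection    Enable  P
Pre  12        OfficeSoftware  MicrosoftOffice Critical Any       Vulnerability
  RemoteCodeExecu Disable RsL
---- More ----
"""

if __name__ == "__main__":
    parsed = parse_policy_output(SAMPLE_OUTPUT)
    print(enabled_without_logging(parsed))     # [1073741840]
    print(action_histogram(parsed))
```

Capture the output with paging disabled (or strip the ---- More ---- prompts, as the parser does) before feeding it in; the flag legend and header lines are ignored because they never start with a signature type followed by an ID.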

display ips signature

Use display ips signature to display brief IPS signature information.

Syntax

display ips signature [ pre-defined | user-defined { snort | user-config } ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pre-defined: Specifies predefined IPS signatures.

user-defined: Specifies user-defined IPS signatures.

snort: Specifies Snort signatures that are imported from a Snort file. These imported signatures are also user-defined signatures.

user-config: Specifies user-defined signatures that are manually configured.

direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays IPS signatures with any direction attribute.

·     to-server: Specifies the client to server direction of a session.

·     to-client: Specifies the server to client direction of a session.

·     any: Specifies both directions of a session.

category category-name: Specifies an attack category. To view the names of supported attack categories, enter a question mark (?) after the category keyword. If you do not specify an attack category, this command displays IPS signatures for all attack categories.

fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays IPS signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.

·     low: Specifies the low fidelity.

·     medium: Specifies the medium fidelity.

·     high: Specifies the high fidelity.

protocol { icmp | ip | tcp | udp }: Specifies a protocol. If you do not specify a protocol, this command displays IPS signatures for all protocols.

severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays IPS signatures for all severity levels of attacks.

·     low: Specifies the low severity level.

·     medium: Specifies the medium severity level.

·     high: Specifies the high severity level.

·     critical: Specifies the critical severity level.

Usage guidelines

If you do not specify any options, this command displays all IPS signatures.

Examples

# Display predefined IPS signatures of the medium fidelity level for TCP.

<Sysname> display ips signature pre-defined protocol tcp fidelity medium

Pre-defined  signatures:465       failed:0

 

Flag:

  Pre: predefined   User: user-config   Snort: Snort

 

Type Sig-ID    Direction Severity Fidelity Category      Protocol   Sig-Name

Pre  1         To-server High     Medium   Vulnerability TCP        -

Pre  2         To-server High     Medium   Vulnerability TCP        -

Pre  3         To-client High     Medium   Vulnerability TCP        -

Pre  4         To-client High     Medium   Vulnerability TCP        -

Pre  5         To-client High     Medium   Vulnerability TCP        -

Pre  6         To-client High     Medium   Vulnerability TCP        -

Pre  7         To-client High     Medium   Vulnerability TCP        -

Pre  8         To-client High     Medium   Vulnerability TCP        -

Pre  10        To-server High     Medium   Vulnerability TCP        -

Pre  11        To-client High     Medium   Vulnerability TCP        -

Pre  12        To-client Critical Medium   Vulnerability TCP        -

Pre  13        To-client High     Medium   Vulnerability TCP        -

Pre  14        To-server High     Medium   Vulnerability TCP        -

Pre  15        To-client High     Medium   Vulnerability TCP        -

Pre  16        To-client Critical Medium   Vulnerability TCP        -

Pre  17        To-client High     Medium   Vulnerability TCP        -

Pre  18        To-client High     Medium   Vulnerability TCP        -

---- More ----

# Display IPS signatures of the high attack severity level for UDP.

<Sysname> display ips signature severity high protocol udp

Total signatures        :7         failed:0

 Pre-defined  signatures total:7         failed:0

 User-defined signatures total:0         failed:0

 snort signatures total:1         failed:1

 

Flag:

  Pre: predefined   User: user-defined   Snort: Snort

 

Type Sig-ID    Direction Severity Fidelity Category      Protocol   Sig-Name

Pre  9         To-server High     Medium   Vulnerability UDP        -

Pre  45        To-server High     Medium   Vulnerability UDP        -

Pre  187       Any       High     Medium   Vulnerability UDP        -

Pre  196       Any       High     Medium   Vulnerability UDP        -

Pre  223       To-server High     Medium   Vulnerability UDP        -

Pre  234       To-client High     Medium   Vulnerability UDP        -

Pre  338       To-client High     Medium   Vulnerability UDP        -

---- More ----

Table 2 Command output

Field

Description

Total signatures

Total number of IPS signatures.

failed

Total number of IPS signatures that failed to be imported and loaded during signature update.

Pre-defined signatures total

Total number of predefined IPS signatures.

User-defined signatures total

Total number of user-configured signatures.

Snort signatures total

Total number of Snort signatures.

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures that are manually configured.

·     Snort—Snort signatures that are imported from a Snort file.

Sig-ID

Signature ID.

Direction

Direction attribute of the signature:

·     Any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Severity

Attack severity level of the signature, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Category

Attack category of the signature.

Protocol

Protocol attribute of the signature.

Sig-Name

Name of the IPS signature.

 

display ips signature pre-defined

Use display ips signature pre-defined to display detailed information about a predefined IPS signature.

Syntax

display ips signature pre-defined signature-id

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

signature-id: Specifies the signature ID. The value range is 1 to 536870911.

Examples

# Display detailed information about predefined IPS signature 1.

<Sysname> display ips signature pre-defined 1

 Type        : Pre-defined

 Signature ID: 1

 Status      : Enabled

 Action      : Reset & Logging

 Name        : GNU_Bash_CVE-2014-6271_Remote_Code_Execution_Vulnerability

 Protocol    : TCP

 Severity    : High

 Fidelity    : Medium

 Direction   : To-server

 Category    : Vulnerability

 Reference   : CVE-2014-6271;

 Description : GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Table 3 Command output

Field

Description

Type

Type of the IPS signature:

·     Pre—Predefined IPS signatures.

·     User—User-defined signatures.

Signature ID

Signature ID.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

Name

Name of the IPS signature.

Protocol

Protocol attribute of the signature.

Severity

Attack severity, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Direction

Direction attribute of the signature:

·     Any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Category

Attack category of the signature.

Reference

Reference for the signature.

Description

Description for the signature.

display ips signature library

Use display ips signature library to display IPS signature library information.

Syntax

display ips signature library

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IPS signature library information.

<Sysname> display ips signature library

IPS signature library information:

Type     SigVersion         ReleaseTime               Size

Current  1.02               Fri Sep 13 09:05:35 2014  71594

Last     -                  -                         -

Factory  1.00               Fri Sep 11 09:05:35 2014  71394

Table 4 Command output

Field

Description

Type

Version type of the IPS signature library:

·     Current—Current version.

·     Last—Previous version.

·     Factory—Factory default version.

SigVersion

Version number of the IPS signature library.

ReleaseTime

Release time of the IPS signature library.

Size

Size of the IPS signature file in bytes.

 

display ips signature user-defined

Use display ips signature user-defined to display detailed information about a user-defined IPS signature.

Syntax

display ips signature user-defined { snort | user-config } signature-id

Views

Any view

Predefined user roles

network-admin

Parameters

snort: Specifies the Snort signatures.

user-config: Specifies the user-configured signatures.

signature-id: Specifies the signature ID. The value range for Snort signatures is 536870913 to 1073741823. The value range for user-configured signatures is 1073741840 to 1342177264.

Examples

# Display detailed information about Snort signature 536870914.

<Sysname> display ips signature user-defined snort 536870914

 Type        : Snort

 Signature ID: 536870914

 Status      : Enabled

 Action      : drop

 Name        : Snort name

 Protocol    : TCP

 Severity    : High

 Fidelity    : Medium

 Direction   : To-server

 Category    : Vulnerability

 Reference   : CVE-2014-6271;

 Description : Some description.

Table 5 Command output

Field

Description

Type

Type of the user-defined IPS signature. Snort indicates that the signature is imported from a Snort file.

Signature ID

Signature ID.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

Name

Name of the IPS signature.

Protocol

Protocol attribute of the signature.

Severity

Attack severity, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Direction

Direction attribute of the signature:

·     Any—Specifies both directions of a session.

·     To-server—Specifies the client to server direction of a session.

·     To-client—Specifies the server to client direction of a session.

Category

Attack category of the signature.

Reference

Reference for the signature.

Description

Description for the signature.

# Display detailed information about user-configured IPS signature 1073741840.

<Sysname> display ips signature user-defined user-config 1073741840

 Type: User-config

 Signature ID: 1073741840

 Signature name: lkx

 Status:       Enable

 Action:       Permit

 Severity:     Low

 Fidelity:     High

 Direction:    Any

 Rulelogic:    And

 Total rule:   1

 

  Rule ID:     1

   L4-protocol: TCP

   L5-protocol: HTTP

   Match-type: keyword

   Destination-address: 1.1.1.1

   Destination-port: 50-60

   Trigger entry:

    Field: HTTP.Accept

    Value: 12ljlj

   Detection entry list:

    Entry ID   Field                            Match-type Content-type Content

 

    1          HTTP.Accept                      exclude    text       ljljl

 

---- More --

Table 6 Command output

Field

Description

Type

Type of the user-defined IPS signature. User-config indicates that the signature is configured manually.

Signature ID

Signature ID.

Signature name

Name of the IPS signature.

Status

Status of the IPS signature, Enabled or Disabled.

Action

Actions for matching packets:

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

Severity

Attack severity, Low, Medium, High, or Critical.

Fidelity

Fidelity level of the signature, Low, Medium, or High.

Direction

Direction attribute of the signature:

·     Any—Specifies both directions.

·     To-server—Specifies the client-to-server direction.

·     To-client—Specifies the server-to-client direction.

Rulelogic

Logical operator between rules in the IPS signature.

Description

Description for the signature.

Total rule

Total number of rules.

Rule ID

Rule ID.

L4-protocol

Transport layer protocol as a filtering criterion in the rule.

L5-protocol

Application layer protocol as a filtering criterion in the rule.

Match type

Signature match pattern type, Keyword or Integer.

Source address

Source address as a filtering criterion.

Source port

Source port as a filtering criterion.

Destination address

Destination address as a filtering criterion.

Destination port

Destination port as a filtering criterion.

Trigger entry

Detection trigger condition in the rule.

Field

Protocol field to inspect in the detection trigger condition.

Value

Contents to inspect in the detection trigger condition.

Offset

Offset after which the inspection starts.

Depth

Number of bytes to be inspected.

Detection entry list

Detection item list.

Entry ID

Detection item ID.

Field

Protocol field to inspect in the detection item.

Match type

Match operation in the detection item.

Content-type

Type of the match pattern:

·     hex—Specifies a hexadecimal string.

·     regex—Specifies a regular expression string.

·     text—Specifies a text string.

Content

Contents to inspect in the detection item.

display ips signature user-defined parse-failed

Use display ips signature user-defined parse-failed to display information about the user-defined IPS signatures that failed to be parsed during signature import.

Syntax

display ips signature user-defined parse-failed

Views

Any view

Predefined user roles

network-admin

Examples

# Display information about the user-defined IPS signatures that failed to be imported

<Sysname> display ips signature user-defined parse-failed

LineNo  SID         Information

1       None        Error: Invalid actions.

                    Tip: Only actions {alert|drop|pass|reject|sdrop|log} are supported

2       1010082     Error: Invalid signature ID.

                    Tip: The signature ID must be in the range of 1 to 536870912

3       1010083     Error: Invalid protocol.

                    Tip: Only protocols {tcp|udp|icmp|ip} are supported

4       1010084     Error: Invalid direction.

                    Tip: Only directions {'<>'|'->'} are supported

Table 7 Command output

Field

Description

LineNo

Line number where the signature is located in the Snort file.

SID

Signature ID.

Information

Signature information:

·     Error—Reason for the parse failure.

·     Tip—Tip for editing the signature rule in the file.

Related commands

ips signature import snort

email parameter-profile

Use email parameter-profile to specify a parameter profile for the email action.

Use undo email parameter-profile to remove the parameter profile from the email action.

Syntax

email parameter-profile parameter-profile-name

undo email parameter-profile

Default

No parameter profile is specified for the email action.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

parameter-profile-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command takes effect only after the global parameter profile is disabled by the undo global-parameter enable command.

This command is required after you use the log email command to specify the log output method as email. For information about configuring an email parameter profile, see "DPI engine commands."

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the parameter profile email1 for the email action in IPS policy policy1.

<Sysname> system-view

[Sysname] ips policy policy1

[Sysname-ips-policy-policy1] email parameter-profile email1

Related commands

log

global-parameter enable

global-parameter enable

Use global-parameter enable to enable the global parameter profiles.

Use undo global-parameter enable to disable the global parameter profiles.

Syntax

global-parameter enable

undo global-parameter enable

Default

The global parameter profiles are enabled.

Views

IPS policy view

Predefined user roles

network-admin

Usage guidelines

The block source, capture, and logging actions take effect only after a parameter profile is specified. You can specify a parameter profile for an IPS action as follows:

·     Specify a global parameter profile in system view. The setting takes effect in all IPS policies.

·     Specify a parameter profile in IPS policy view, which is a policy-specific setting. Only the email action supports a parameter profile in IPS policy view.

The global parameter profile for an IPS action takes precedence over a policy-specific parameter profile for the action.

To have a parameter profile for an IPS action in an IPS policy take effect, make sure the global parameter profile is disabled.

As a best practice, enable the global parameter profile after the global parameter profile configuration is completed.

Examples

# Enable the global parameter profiles in IPS policy policy1.

<Sysname> system-view

[Sysname] ips policy policy1

[Sysname-ips-policy-policy1] global-parameter enable

Related commands

email parameter-profile

ips parameter-profile

log

http-method

Use http-method to specify a request method filtering criterion in a user-defined signature rule.

Use undo http-method to delete a request method filtering criterion from a user-defined signature rule.

Syntax

http-method method-name

undo http-method

Default

No request method filtering criterion is specified in a user-defined signature rule.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

method-name: Specifies the name of an HTTP request method, a case-insensitive string, such as GET and POST. To view the supported request methods, enter a question mark (?) after the http-method keyword.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In rule 1 of user-defined IPS signature mysignature, specify the keyword type as the match pattern type and specify the GET request method as a filtering criterion.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] http-method get

ips apply policy

Use ips apply policy to apply an IPS policy to a DPI application profile.

Use undo ips apply policy to remove the application.

Syntax

ips apply policy policy-name mode { alert | protect }

undo ips apply policy

Default

No IPS policy is applied to a DPI application profile.

Views

DPI application profile view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.

mode: Specifies an IPS policy mode.

alert: Only captures or logs matching packets.

protect: Takes all actions specified for signatures to process matching packets.

Usage guidelines

An IPS policy takes effect only after it is applied to a DPI application profile.

You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply IPS policy ips1 to DPI application profile sec. Set the IPS policy mode to protect.

<Sysname> system-view

[Sysname] app-profile sec

[Sysname-app-profile-sec] ips apply policy ips1 mode protect

Related commands

app-profile

ips policy

ips capture-cache

Use ips capture-cache to specify the number of the captured packets to be cached for threat analysis.

Use undo ips capture-cache to restore the default.

Syntax

ips capture-cache number

undo ips capture-cache

Default

The number of the captured packets to be cached is not specified, and the device does not cache any captured packets.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the number of the captured packets to be cached, in the range of 1 to 10. If the value is set to 1, the device caches only the packet subsequent to the hit packet.

Usage guidelines

This command enables the device to cache the IPS captured packets.

The device caches the number-1 packets captured before the hit packet (the packet that matches the IPS policy) and the one packet captured after the hit packet. When the packet after the hit packet is cached, the device writes all cached packets and the hit packet into the capture file.
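To see what a given number value puts into the capture file, here is an added simulation of the buffering rule described above (example code, not part of the H3C reference); the packet labels are constructed, and a hit that arrives immediately after another hit is assumed to be treated as the trailing packet.

```python
"""Simulate the ips capture-cache buffering rule.

Added example, not H3C code: with ips capture-cache N the device keeps the
N-1 packets captured before the hit packet plus the one packet after it, and
writes the whole set, hit packet included, to the capture file.
"""
from collections import deque


class CaptureCache:
    def __init__(self, number):
        if not 1 <= number <= 10:  # value range of the number argument
            raise ValueError("number must be in the range of 1 to 10")
        # With number == 1 the deque holds nothing: only the packet after
        # the hit packet is cached, as the reference states.
        self.before = deque(maxlen=number - 1)
        self.pending = None  # hit packet waiting for its successor

    def feed(self, packet, hit=False):
        """Offer one captured packet. Returns the list written to the capture
        file when a write happens, otherwise None."""
        if self.pending is not None:
            # Assumption: the packet after a hit is always the trailing packet,
            # even if it is itself a hit.
            written = list(self.before) + [self.pending, packet]
            self.before.clear()
            self.pending = None
            return written
        if hit:
            self.pending = packet
            return None
        self.before.append(packet)  # oldest packet is evicted automatically
        return None


def capture_file_batches(number, packets, hit_indexes):
    """Feed packets (constructed labels) through the cache; hit_indexes are the
    0-based positions of packets that match the IPS policy. Returns the batches
    written to the capture file, in order."""
    cache = CaptureCache(number)
    batches = []
    for i, pkt in enumerate(packets):
        written = cache.feed(pkt, hit=(i in hit_indexes))
        if written is not None:
            batches.append(written)
    return batches


if __name__ == "__main__":
    pkts = ["p%d" % i for i in range(1, 8)]
    print(capture_file_batches(5, pkts, {5}))  # hit on p6
```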

Examples

# Allow the device to cache a maximum of five IPS captured packets.

<Sysname> system-view

[Sysname] ips capture-cache 5

Related commands

inspect capture parameter-profile

signature override

ips parameter-profile

Use ips parameter-profile to specify a parameter profile for an IPS action.

Use undo ips parameter-profile to remove the parameter profile from an IPS action.

Syntax

ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name

undo ips { block-source | capture | email | logging | redirect } parameter-profile

Default

No parameter profile is specified for an IPS action.

Views

System view

Predefined user roles

network-admin

Parameters

block-source: Specifies a parameter profile for the block-source action.

capture: Specifies a parameter profile for the capture action.

email: Specifies a parameter profile for the email action.

logging: Specifies a parameter profile for the logging action.

redirect: Specifies a parameter profile for the redirect action.

parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to specify the parameter profile used by an IPS action. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.

For information about configuring parameter profiles, see DPI Configuration Guide.

Examples

# Create parameter profile ips1. Set the source IP address blocking period to 1111 seconds.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile ips1

[Sysname-inspect-block-source-ips1] block-period 1111

[Sysname-inspect-block-source-ips1] quit

# Specify the parameter profile ips1 for the block-source action.

[Sysname] ips block-source parameter-profile ips1

Related commands

inspect block-source parameter-profile

inspect capture parameter-profile

inspect logging parameter-profile

inspect email parameter-profile

inspect redirect parameter-profile

ips policy

Use ips policy to create an IPS policy and enter its view, or enter the view of an existing IPS policy.

Use undo ips policy to delete an IPS policy.

Syntax

ips policy policy-name

undo ips policy policy-name

Default

An IPS policy named default exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IPS policy includes all signatures on the device, whether or not the signatures are added to the device before the policy is created.

You cannot modify the signatures in the default IPS policy. In a user-defined policy, you can enable or disable a signature, or edit the actions for a signature.

Examples

# Create IPS policy ips1 and enter its view.

<Sysname> system-view

[Sysname] ips policy ips1

[Sysname-ips-policy-ips1]

ips signature auto-update

Use ips signature auto-update to enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

Use undo ips signature auto-update to disable automatic IPS signature library update.

Syntax

ips signature auto-update

undo ips signature auto-update

Default

Automatic IPS signature library update is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable automatic IPS signature library update, the device periodically accesses the H3C website to download the latest IPS signatures.

Examples

# Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate]

Related commands

update schedule

ips signature auto-update-now

Use ips signature auto-update-now to trigger an automatic signature library update manually.

Syntax

ips signature auto-update-now

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you execute this command, the device immediately starts the automatic signature library update process, regardless of whether automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.

You can execute this command anytime you find a new version of the signature library on the H3C website.

Examples

# Trigger an automatic signature library update manually.

<Sysname> system-view

[Sysname] ips signature auto-update-now

ips signature import snort

Use ips signature import snort to import Snort signatures.

Syntax

ips signature import snort file-path

Default

No Snort signatures exist.

Views

System view

Predefined user roles

network-admin

Parameters

file-path: Specifies the path of the file where the Snort signatures to be imported are stored. The value for this argument is a string of 1 to 255 characters.

Usage guidelines

To add your own IPS signatures, create an IPS signature file in the Snort format and use this command to import the signatures.

Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.

To view the imported IPS signatures, use the display ips signature user-defined command.

The following methods are available for Snort signature import:

·     Local method—Imports Snort signatures from a local IPS signature file.

The following describes the format of the file-path parameter for different import scenarios.

Import scenario: The import file is stored in the current working directory.

Format of file-path: filename

Remarks: To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.

Import scenario: The import file is stored in a different directory on the same storage medium.

Format of file-path: filename

Remarks: Before configuring the ips signature import snort command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

Import scenario: The import file is stored on a different storage medium.

Format of file-path: path/filename

Remarks: Before configuring the ips signature import snort command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

·     FTP/TFTP method—Imports Snort signatures from an IPS signature file stored on an FTP or TFTP server.

The following describes the format of the file-path parameter for different import scenarios.

Import scenario: The import file is stored on an FTP server.

Format of file-path: ftp://username:password@server address/filename

Remarks: The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters:

·     Colon (:)—%3A or %3a.

·     At sign (@)—%40.

·     Forward slash (/)—%2F or %2f.

Import scenario: The import file is stored on a TFTP server.

Format of file-path: tftp://server address/filename

Remarks: The server address parameter represents the IP address or host name of the TFTP server.

When you configure a Snort rule in the IPS signature file, follow these restrictions and guidelines:

·     Use the correct syntax for the rule.

·     Specify an SID in the range of 1 to 536870911 for the rule. Rules with larger IDs are invalid.

·     The SID of the rule must be different from the SIDs of any existing Snort rules on the device.

·     Be sure to configure the msg field for the rule. If the msg field is not configured, the attack name of the rule will not be displayed in the IPS syslog message.

·     Make sure the application specified in the rule is identifiable. Otherwise, no packets can match the rule.
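Because the import overwrites every existing user-defined signature, it pays to check the file first. The following is an added checker (example code, not part of the H3C reference) that applies the restrictions above and the error/tip pairs shown by display ips signature user-defined parse-failed to a Snort-format file; the sample rules and the standard Snort header layout it parses are constructed assumptions.

```python
"""Pre-import checker for a Snort-format IPS signature file.

Added example, not part of the H3C reference. It applies the restrictions
from the ips signature import snort usage guidelines and the error/tip pairs
shown by display ips signature user-defined parse-failed, so a file can be
checked before the import overwrites the device's user-defined signatures.
Assumed rule layout (standard Snort header, a constructed assumption here):
    action proto src_ip src_port direction dst_ip dst_port ( option; option; )
"""
import re

SUPPORTED_ACTIONS = {"alert", "drop", "pass", "reject", "sdrop", "log"}
SUPPORTED_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
SUPPORTED_DIRECTIONS = {"<>", "->"}
SID_MIN, SID_MAX = 1, 536870911  # SID range from the import guidelines

HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+"
    r"(?P<dir>\S+)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Turn 'msg:"a;b"; sid:3; rev:1' into a dict, keeping ';' inside quotes."""
    result, buf, quoted = {}, [], False
    for ch in opts + ";":
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                key, _, value = item.partition(":")
                result[key.strip()] = value.strip().strip('"')
        else:
            buf.append(ch)
    return result


def check_rule(line):
    """Check one rule line. Returns (sid, error, tip); error is None if it passes."""
    m = HEADER_RE.match(line)
    if not m:
        return (None, "Invalid rule syntax.", "Use the correct syntax for the rule")
    opts = split_options(m.group("opts"))
    sid = opts.get("sid")
    if m.group("action") not in SUPPORTED_ACTIONS:
        return (sid, "Invalid actions.",
                "Only actions {alert|drop|pass|reject|sdrop|log} are supported")
    if sid is None or not sid.isdigit() or not SID_MIN <= int(sid) <= SID_MAX:
        return (sid, "Invalid signature ID.",
                "The signature ID must be in the range of %d to %d" % (SID_MIN, SID_MAX))
    if m.group("proto") not in SUPPORTED_PROTOCOLS:
        return (sid, "Invalid protocol.", "Only protocols {tcp|udp|icmp|ip} are supported")
    if m.group("dir") not in SUPPORTED_DIRECTIONS:
        return (sid, "Invalid direction.", "Only directions {'<>'|'->'} are supported")
    if not opts.get("msg"):
        return (sid, "Missing msg field.",
                "Without msg the attack name is not shown in the IPS syslog message")
    return (sid, None, None)


def check_file(text, existing_sids=()):
    """Check a whole file. Returns (lineno, sid, error, tip) rows for every bad rule;
    existing_sids are SIDs of Snort rules already on the device (must stay unique)."""
    rows, seen = [], set(existing_sids)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        sid, error, tip = check_rule(line)
        if error:
            rows.append((lineno, sid, error, tip))
        elif int(sid) in seen:
            rows.append((lineno, sid, "Duplicate signature ID.",
                         "The SID must differ from the SIDs of existing Snort rules"))
        else:
            seen.add(int(sid))
    return rows


def format_report(rows):
    """Render rows in the layout of display ips signature user-defined parse-failed."""
    out = ["LineNo  SID         Information"]
    for lineno, sid, error, tip in rows:
        out.append("%-7d %-11s Error: %s" % (lineno, sid or "None", error))
        out.append("%-19s Tip: %s" % ("", tip))
    return "\n".join(out)


# Constructed sample file: one good rule followed by one rule per failure mode.
SAMPLE_RULES = """\
# constructed sample, not a real signature set
alert tcp any any -> any 80 (msg:"Constructed test rule"; sid:1010081; rev:1;)
block tcp any any -> any 80 (msg:"Unsupported action"; sid:1010085; rev:1;)
alert tcp any any -> any 80 (msg:"SID too large"; sid:1010082000; rev:1;)
alert http any any -> any 80 (msg:"Unsupported protocol"; sid:1010083; rev:1;)
alert tcp any any <- any 80 (msg:"Unsupported direction"; sid:1010084; rev:1;)
alert udp any any -> any 53 (sid:1010086; rev:1;)
alert tcp any any -> any 80 (msg:"Duplicate of line 2"; sid:1010081; rev:1;)
"""

if __name__ == "__main__":
    print(format_report(check_file(SAMPLE_RULES)))
```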

Examples

# Import Snort signatures from an IPS signature file that is stored on a TFTP server.

<Sysname> system-view

[Sysname] ips signature import snort tftp://192.168.0.1/snort.rules

Related commands

display ips signature user-defined

ips signature remove snort

ips signature remove snort

Use ips signature remove snort to delete all imported Snort IPS signatures.

Syntax

ips signature remove snort

Views

System view

Predefined user roles

network-admin

Examples

# Delete all imported Snort IPS signatures.

<Sysname> system-view

[Sysname] ips signature remove snort

Related commands

ips signature import snort

ips signature rollback

Use ips signature rollback to roll back the IPS signature library.

Syntax

ips signature rollback { factory | last }

Views

System view

Predefined user roles

network-admin

Parameters

factory: Rolls back the IPS signature library to the factory default version.

last: Rolls back the IPS signature library to the previous version.

Usage guidelines

If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.

Before performing an IPS signature library rollback, the device backs up the current IPS signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
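The current/previous slot behaviour described above, together with the backup-before-overwrite rule of ips signature update and the override-current keyword, as an added model (example code, not part of the H3C reference); the version labels are constructed placeholders.

```python
"""Model of the current/previous IPS signature library slots touched by
ips signature update [ override-current ] and ips signature rollback
{ factory | last }.

Added example, not H3C code. Version strings are constructed placeholders.
"""


class SignatureLibrary:
    def __init__(self, factory_version):
        self.factory = factory_version
        self.current = factory_version
        self.previous = None  # no backup exists until the first update

    def update(self, new_version, override_current=False):
        """Install new_version. Unless override-current is used, the current
        library is first backed up as the previous version."""
        if not override_current:
            self.previous = self.current
        self.current = new_version
        return self.current

    def rollback(self, target):
        """Roll back to the previous ('last') or factory ('factory') version.
        The library being replaced is backed up as the previous version, which
        is why two consecutive 'last' rollbacks return to the starting point."""
        if target == "last":
            if self.previous is None:
                raise RuntimeError("no previous version to roll back to")
            self.current, self.previous = self.previous, self.current
        elif target == "factory":
            self.current, self.previous = self.factory, self.current
        else:
            raise ValueError("target must be 'last' or 'factory'")
        return self.current


if __name__ == "__main__":
    lib = SignatureLibrary("V0")
    lib.update("V1")
    lib.update("V2")
    print(lib.rollback("last"), lib.rollback("last"))  # V1 V2
```

The override_current path shows the operational cost of skipping the backup: after an overwrite without backup, rollback last returns to whatever was backed up before that update, not to the library just replaced.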

Examples

# Roll back the IPS signature library to the previous version.

<Sysname> system-view

[Sysname] ips signature rollback last

ips signature update

Use ips signature update to manually update the IPS signature library.

Syntax

ips signature update [ override-current ] file-path [ vpn-instance vpn-instance-name ]

Views

System view

Predefined user roles

network-admin

Parameters

override-current: Overwrites the current IPS signature library without backing up the library. For the device to back up the current IPS signature library before overwriting the library, do not specify this keyword.

file-path: Specifies the IPS signature file path, a string of 1 to 255 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the TFTP or FTP server belongs by the instance's name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the TFTP or FTP server belongs to the public network.

Usage guidelines

If the device cannot access the H3C website, use one of the following methods to manually update the IPS signature library:

·     Local update—Updates the IPS signature library by using a locally stored update IPS signature file.

Store the update file on the active MPU for successful signature library update.

The following describes the format of the file-path parameter for different update scenarios.

Update scenario: The update file is stored in the current working directory.

Format of file-path: filename

Remarks: To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.

Update scenario: The update file is stored in a different directory on the same storage medium.

Format of file-path: filename

Remarks: Before configuring the ips signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

Update scenario: The update file is stored on a different storage medium.

Format of file-path: path/filename

Remarks: Before configuring the ips signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

·     FTP/TFTP update—Updates the IPS signature library by using the file stored on an FTP or TFTP server.

The following describes the format of the file-path parameter for different update scenarios.

Update scenario: The update file is stored on an FTP server.

Format of file-path: ftp://username:password@server address/filename

Remarks: The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters:

·     Colon (:)—%3A or %3a.

·     At sign (@)—%40.

·     Forward slash (/)—%2F or %2f.

Update scenario: The update file is stored on a TFTP server.

Format of file-path: tftp://server address/filename

Remarks: The server address parameter represents the IP address or host name of the TFTP server.

NOTE:

To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.

 

Examples

# Manually update the IPS signature library by using an IPS signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] ips signature update tftp://192.168.0.10/ips-1.0.2-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.

<Sysname> system-view

[Sysname] ips signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/ips-1.0.2-en.dat
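The escaping used in the FTP example above applies to both ips signature update and ips signature import snort. Here is an added helper (example code, not part of the H3C reference) that builds the ftp:// and tftp:// file-path forms from a plain username and password, escaping exactly the three characters the tables list, and parses a file-path back so a credential can be checked before it is typed on the device; server and file names are the page's own example values.

```python
"""Build and parse the ftp:// and tftp:// forms of the file-path argument.

Added example, not from the H3C documentation. Only the three characters the
reference lists for the FTP username and password (: @ /) are escaped; any
other character is passed through unchanged.
"""
import re

ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}  # escape table from the reference


def escape_credential(value):
    """Replace : @ / with their escape sequences; other characters are left as-is."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def unescape_credential(value):
    """Reverse escape_credential; the lower-case forms %3a and %2f are accepted too."""
    return re.sub(r"%(3A|3a|40|2F|2f)",
                  lambda m: bytes.fromhex(m.group(1)).decode("ascii"), value)


def build_file_path(server, filename, username=None, password=None):
    """Return the file-path for an FTP server (credentials given) or a TFTP server."""
    if username is None and password is None:
        return "tftp://%s/%s" % (server, filename)
    if username is None or password is None:
        raise ValueError("an FTP file-path needs both a username and a password")
    return "ftp://%s:%s@%s/%s" % (escape_credential(username),
                                  escape_credential(password), server, filename)


# Username and password may not contain a raw : @ or /, which is what makes
# the string unambiguous; an unescaped credential fails to parse.
FTP_RE = re.compile(
    r"^ftp://(?P<user>[^:@/]*):(?P<pw>[^:@/]*)@(?P<server>[^/]+)/(?P<file>.+)$")
TFTP_RE = re.compile(r"^tftp://(?P<server>[^/]+)/(?P<file>.+)$")


def parse_file_path(path):
    """Split a file-path into its parts; raises ValueError when the credentials
    still contain an unescaped : @ or / or the scheme is unknown."""
    m = TFTP_RE.match(path)
    if m:
        return {"scheme": "tftp", "server": m.group("server"),
                "filename": m.group("file")}
    m = FTP_RE.match(path)
    if not m:
        raise ValueError("not a valid ftp:// or tftp:// file-path: %r" % path)
    return {"scheme": "ftp",
            "username": unescape_credential(m.group("user")),
            "password": unescape_credential(m.group("pw")),
            "server": m.group("server"), "filename": m.group("file")}


if __name__ == "__main__":
    p = build_file_path("192.168.0.10", "ips-1.0.2-en.dat", "user:123", "user@abc/123")
    print(p)
    print(parse_file_path(p))
```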

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfa0:/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] ips signature update ips-1.0.23-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfa0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd dpi

<Sysname> system-view

[Sysname] ips signature update ips-1.0.23-en.dat

# Manually update the IPS signature library by using an IPS signature file stored on the device. The file is stored in directory cfb0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] ips signature update dpi/ips-1.0.23-en.dat

ips signature update-log

Use ips signature update-log send-time to enable logging for IPS signature library update and rollback events and daily output of the logs at the specified time.

Use undo ips signature update-log send-time to disable logging for IPS signature library update and rollback events.

Syntax

ips signature update-log send-time time

undo ips signature update-log send-time

Default

Logging for IPS signature library update and rollback events is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the daily log output time, in the format of hh:mm. The value range is 00:00 to 23:59.

Usage guidelines

This command enables the device to log successful IPS signature library update and rollback events and to output the logs at the specified time.

The device supports outputting IPS signature library update and rollback logs only as fast logs to log hosts. For the IPS logs to be output correctly, make sure the following requirements are met:

·     Fast log output of IPS logs in SGCC format is enabled by using the customlog format dpi ips sgcc command.

·     The log hosts where the IPS logs should be sent are configured by using the customlog host command.

For more information about the preceding commands, see fast log output commands in Network Management and Monitoring Command Reference.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable logging for IPS signature library update and rollback events and set the daily output time to 12:12.

<Sysname> system-view

[Sysname] ips signature update-log send-time 12:12

ips signature user-defined

Use ips signature user-defined to create a user-defined IPS signature and enter its view, or enter the view of an existing user-defined IPS signature.

Use undo ips signature user-defined to delete user-defined IPS signatures.

Syntax

ips signature user-defined name signature-name

undo ips signature user-defined { all | name signature-name }

Default

No user-defined IPS signatures exist.

Views

System view

Predefined user roles

network-admin

Parameters

signature-name: Specifies the IPS signature name, a case-insensitive string of 1 to 63 characters.

all: Deletes all user-defined signatures that are manually configured.

Usage guidelines

Repeat this command to create multiple user-defined IPS signatures. These user-configured signatures are different from Snort signatures imported from an IPS signature file in the Snort format.

When you delete a user-configured signature, all the configurations for the signature will also be deleted.

Examples

# Create user-defined IPS signature mysignature and enter its view.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature]

Related commands

display ips signature user-defined user-config

ips whitelist

Use ips whitelist to create an IPS whitelist entry and enter its view, or enter the view of an existing IPS whitelist entry.

Use undo ips whitelist to delete an IPS whitelist entry.

Syntax

ips whitelist entry-id

undo ips whitelist entry-id

Views

System view

Predefined user roles

network-admin

Parameters

entry-id: Specifies the IPS whitelist entry ID, in the range of 1 to 256.

Usage guidelines

If false alarms exist in IPS logs, you can enable the IPS whitelist feature, and add the detected IPS signature IDs or URLs to the IPS whitelist. The device permits packets matching the IPS signatures or URLs on the IPS whitelist to pass through, reducing false alarms.

Examples

# Create IPS whitelist entry 1 and enter its view.

<Sysname> system-view

[Sysname] ips whitelist 1

[Sysname-ips-whitelist-1]

Related commands

ips whitelist activate

ips whitelist activate

Use ips whitelist activate to activate the IPS whitelist configuration.

Syntax

ips whitelist activate

Default

The creation and editing of an IPS whitelist entry does not take effect immediately if the entry contains a URL.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you create or edit an IPS whitelist entry that contains a URL, you must execute this command to have the configuration take effect.

Examples

# Activate the IPS whitelist configuration.

<Sysname> system-view

[Sysname] ips whitelist activate

Related commands

url

ips whitelist enable

Use ips whitelist enable to enable the IPS whitelist feature.

Use undo ips whitelist enable to disable the IPS whitelist feature.

Syntax

ips whitelist enable

undo ips whitelist enable

Default

The IPS whitelist feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If false alarms exist in IPS logs, you can enable the IPS whitelist feature, and add the detected IPS signature IDs or URLs to the IPS whitelist. The device permits packets matching the IPS signatures or URLs on the IPS whitelist to pass through, reducing false alarms.

Examples

# Enable the IPS whitelist feature.

<Sysname> system-view

[Sysname] ips whitelist enable

log

Use log to specify the log output method.

Use undo log to restore the default.

Syntax

log { email | syslog }

undo log { email | syslog }

Default

The IPS log output method is syslog.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

email: Emails the IPS logs to an email receiver.

syslog: Exports the IPS logs to the information center.

Usage guidelines

This command takes effect only after the global parameter profiles are disabled by the undo global-parameter enable command.

If you specify the email log output method, you can specify a parameter profile used by the email action.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the log output method as email in IPS policy policy1.

<Sysname> system-view

[Sysname] ips policy policy1

[Sysname-ips-policy-policy1] log email

Related commands

email parameter-profile

global-parameter enable

object-dir

Use object-dir to specify a direction criterion to filter IPS signatures in an IPS policy.

Use undo object-dir to restore the default.

Syntax

object-dir { client | server } *

undo object-dir

Default

The direction attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

client: Specifies the server to client direction.

server: Specifies the client to server direction.

Usage guidelines

Each IPS signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.

IPS signatures with the Any direction attribute are always used by an IPS policy, regardless of the settings of this command. For example, if you configure the object-dir client command for an IPS policy, the policy will use IPS signatures with both the To-client and Any direction attributes.

If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy test to use IPS signatures with the To-client and Any direction attributes.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] object-dir client

override-current

Use override-current to configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

Use undo override-current to restore the default.

Syntax

override-current

undo override-current

Default

Before performing an automatic IPS signature library update, the device backs up the current IPS signature library as the previous version.

Views

Automatic IPS signature library update configuration view

Predefined user roles

network-admin

Usage guidelines

Backing up the current IPS signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.

Examples

# Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate] override-current

Related commands

ips signature auto-update

protect-target

Use protect-target to set a target criterion to filter the IPS signatures in an IPS policy.

Use undo protect-target to remove a target criterion.

Syntax

protect-target { target [ subtarget ] | all }

undo protect-target { target [ subtarget ] | all }

Default

The protected target attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

target: Specifies a target.

subtarget: Specifies a subtarget of the target. If you do not specify a subtarget, this command matches any IPS signatures with a subtarget of the specified target.

all: Specifies all targets.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the protected target attribute of the signatures.

You can execute this command multiple times to specify multiple target criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured target criteria.

Examples

# Configure IPS policy test to use IPS signatures with the WebLogic subtarget of the WebServer target.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] protect-target WebServer WebLogic

rule

Use rule to create a user-defined IPS signature rule and enter its view, or enter the view of an existing user-defined IPS signature rule.

Use undo rule to delete user-defined IPS signature rules.

Syntax

rule rule-id l4-protocol l4-protocol-name l5-protocol l5-protocol-name pattern-type { keyword | integer }

undo rule { rule-id | all }

Default

No user-defined IPS signature rules exist.

Views

User-defined IPS signature view

Predefined user roles

network-admin

Parameters

rule-id: Specifies the rule ID, in the range of 1 to 8.

l4-protocol l4-protocol-name: Specifies the transport layer protocol by its name. To view the names of supported protocols, enter a question mark (?) after the l4-protocol keyword.

l5-protocol l5-protocol-name: Specifies the application layer protocol by its name. To view the names of supported protocols, enter a question mark (?) after the l5-protocol keyword.

pattern-type: Specifies the match pattern type for the rule.

keyword: Specifies the keyword type.

integer: Specifies the integer type.

all: Deletes all user-defined IPS signature rules.

Usage guidelines

You can configure multiple rules in a user-defined signature. To configure the logical operator between rules, use the rule-logic command.

You cannot execute this command multiple times to change any configurations of a rule. If you want to modify the rule configuration, use the undo rule command to delete the rule first.

Examples

# Create user-defined IPS signature rule 1 and enter its view. Set the rule to match TCP and HTTP packets, and specify the keyword match pattern type.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1]

rule-logic

Use rule-logic to define the logical operator between the rules in a user-defined IPS signature.

Use undo rule-logic to restore the default.

Syntax

rule-logic { and | or }

undo rule-logic

Default

The logical operator between the rules in a user-defined IPS signature is or.

Views

User-defined IPS signature view

Predefined user roles

network-admin

Parameters

and: Specifies the logical AND operator.

or: Specifies the logical OR operator.

Usage guidelines

If the logical AND operator is specified between rules in a user-defined signature, a packet matches the signature only when the packet matches all rules in the signature.

If the logical OR operator is specified between rules in a user-defined signature, a packet matches the signature when the packet matches any rule in the signature.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In user-defined IPS signature mysignature, specify the logical AND operator between the rules.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule-logic and

severity-level (IPS policy view)

Use severity-level to set a severity level criterion to filter the IPS signatures in an IPS policy.

Use undo severity-level to restore the default.

Syntax

severity-level { critical | high | low | medium } *

undo severity-level

Default

The severity level attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

critical: Specifies the critical severity level.

high: Specifies the high severity level.

low: Specifies the low severity level.

medium: Specifies the medium severity level.

Usage guidelines

Each IPS signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.

This command filters the IPS signatures that an IPS policy uses based on the severity level attribute of the signatures.

You can specify multiple severity levels in a severity level criterion. The IPS policy uses an IPS signature if the signature matches any of the specified severity levels.

If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy test to use IPS signatures with the critical and medium severity levels.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] severity-level critical medium

severity-level (IPS signature view)

Use severity-level to set a severity level criterion for a user-defined IPS signature.

Use undo severity-level to restore the default.

Syntax

severity-level { critical | high | low | medium }

undo severity-level

Default

The severity level of a user-defined IPS signature is low.

Views

User-defined IPS signature view

Predefined user roles

network-admin

Parameters

critical: Specifies the critical severity level.

high: Specifies the high severity level.

low: Specifies the low severity level.

medium: Specifies the medium severity level.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the severity level to medium for user-defined IPS signature mysignature.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] severity-level medium

signature override

Use signature override to change the status and actions for an IPS signature in an IPS policy.

Use undo signature override to restore the default status and actions for an IPS signature in an IPS policy.

Syntax

signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }

undo signature override { pre-defined | user-defined } signature-id

Default

Predefined IPS signatures use the actions and states defined by the system.

User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

pre-defined: Specifies a predefined IPS signature.

user-defined: Specifies a user-defined IPS signature.

signature-id: Specifies an IPS signature ID. For a predefined IPS signature, the value range is 1 to 536870911. For a user-defined IPS signature, the value range is 536870913 to 1073741823.

disable: Disables the IPS signature.

enable: Enables the IPS signature.

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

This command is available only for user-defined IPS policies. The signature actions and status in the default IPS policy cannot be modified.

If you execute this command for a signature in an IPS policy multiple times, the most recent configuration takes effect.

Examples

# Enable predefined signature 2 for IPS policy ips1. Specify the drop, capture, and logging actions for the signature.

<Sysname> system-view

[Sysname] ips policy ips1

[Sysname-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging

Related commands

blacklist enable (security zone view) (Security Command Reference)

blacklist global enable (Security Command Reference)

ips parameter-profile

ips policy

signature override all

signature override all

Use signature override all to specify the IPS actions for an IPS policy.

Use undo signature override all to restore the default.

Syntax

signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *

undo signature override all

Default

No actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

Use this command to specify the global packet processing actions for an IPS policy.

Each IPS signature is defined with default actions for matching packets. You can change the default actions for individual signatures in an IPS policy.

The system selects the actions for packets matching an IPS signature in the following order:

1.     Actions configured for the IPS signature in the IPS policy (by using the signature override command).

2.     Actions configured for the IPS policy.

3.     Default actions of the IPS signature.

Examples

# Specify actions drop, logging, and capture for IPS policy test.

<Sysname> system-view

[Sysname] ips policy test

[Sysname-ips-policy-test] signature override all drop logging capture
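The three-step precedence above (per-signature override, then policy-wide actions, then the signature's own defaults), together with the signature ID ranges and the one-packet-action constraint of the signature override command, modelled in Python as an added example. This is not H3C code; the signature record format (a dict with kind, id, enabled and actions) and the treatment of an override that sets only capture or logging are assumptions.

```python
# Added example (not H3C code): how an IPS policy resolves the status and the
# actions applied to a packet that matches a signature, following the
# precedence given in the command reference. The signature record format
# (dict with kind, id, enabled, actions) is assumed.

PACKET_ACTIONS = {"block-source", "drop", "permit", "redirect", "reset"}
EXTRA_ACTIONS = {"capture", "logging"}

PREDEFINED_RANGE = (1, 536870911)
USER_DEFINED_RANGE = (536870913, 1073741823)


def check_signature_id(kind, sig_id):
    """Reject IDs outside the documented range for the signature kind."""
    low, high = PREDEFINED_RANGE if kind == "pre-defined" else USER_DEFINED_RANGE
    if not low <= sig_id <= high:
        raise ValueError(f"{kind} signature ID {sig_id} outside {low}-{high}")


def check_actions(actions):
    """At most one packet-processing action, plus optional capture/logging."""
    actions = frozenset(actions)
    unknown = actions - PACKET_ACTIONS - EXTRA_ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    if len(actions & PACKET_ACTIONS) > 1:
        raise ValueError("only one of block-source/drop/permit/redirect/reset allowed")
    return actions


class IpsPolicy:
    def __init__(self, name, is_default=False):
        self.name = name
        self.is_default = is_default
        self.global_actions = None   # set by "signature override all"
        self.overrides = {}          # (kind, id) -> (enabled, actions or None)

    def signature_override(self, kind, sig_id, enabled, actions=()):
        if self.is_default:
            raise PermissionError("signature status/actions in the default policy cannot be modified")
        check_signature_id(kind, sig_id)
        # Repeating the command for the same signature replaces the earlier setting.
        # An override with no actions keeps whatever step 2 or 3 below yields (assumption).
        self.overrides[(kind, sig_id)] = (enabled, check_actions(actions) or None)

    def undo_signature_override(self, kind, sig_id):
        self.overrides.pop((kind, sig_id), None)

    def signature_override_all(self, actions):
        self.global_actions = check_actions(actions)

    def resolve(self, signature):
        """Return (enabled, actions) for a signature under this policy."""
        key = (signature["kind"], signature["id"])
        enabled, actions = self.overrides.get(key, (signature["enabled"], None))
        if not enabled:
            return False, frozenset()
        if actions:                       # 1. per-signature override in the policy
            return True, actions
        if self.global_actions:           # 2. actions configured for the policy
            return True, self.global_actions
        return True, frozenset(signature["actions"])  # 3. signature's own defaults
```

Running `resolve` over every signature a policy selects is a quick way to audit what a policy will actually do before it is applied, for instance to confirm that a policy-wide `permit logging` has not silently neutralised a drop action that an individual signature was relied on to enforce.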

Related commands

blacklist enable (security zone view) (Security Command Reference)

blacklist global enable (Security Command Reference)

ips parameter-profile

signature override

signature-id

Use signature-id to add an IPS signature ID to an IPS whitelist entry.

Use undo signature-id to restore the default.

Syntax

signature-id sig-id

undo signature-id

Default

No signature ID exists in an IPS whitelist entry.

Views

IPS whitelist entry view

Predefined user roles

network-admin

Parameters

sig-id: Specifies an IPS signature ID, in the range of 1 to 4294967294.

Usage guidelines

If false alarms exist in IPS logs, use this command to add an IPS signature ID to an IPS whitelist entry. The IPS signature ID is recorded in the IPS log. The device permits packets matching the IPS signatures on the IPS whitelist to pass through, reducing false alarms.

If both a signature ID and URL exist in the IPS whitelist entry, a packet matches the IPS whitelist entry only when both the signature ID and URL are matched.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Add IPS signature 936 to IPS whitelist entry 1.

<Sysname> system-view

[Sysname] ips whitelist 1

[Sysname-ips-whitelist-1] signature-id 936

Related commands

source-address (IPS whitelist entry view)

url

source-address (IPS whitelist entry view)

Use source-address to add a source IP address to an IPS whitelist entry.

Use undo source-address to restore the default.

Syntax

source-address { ip ipv4-address | ipv6 ipv6-address }

undo source-address

Default

No source IP address exists in an IPS whitelist entry.

Views

IPS whitelist entry view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies an IPv4 address.

ipv6 ipv6-address: Specifies an IPv6 address.

Usage guidelines

If false alarms exist in IPS logs, use this command to add a source IP address to an IPS whitelist entry. The source IP address is recorded in the IPS log. The device permits packets matching the source IP addresses on the IPS whitelist to pass through, reducing false alarms.

If an IPS whitelist entry contains a signature ID, URL, and source IP address, or two of them, a packet matches this entry only when it matches all configured criteria.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Add source IP address 192.168.0.1 to IPS whitelist entry 1.

<Sysname> system-view

[Sysname] ips whitelist 1

[Sysname-ips-whitelist-1] source-address ip 192.168.0.1

Related commands

signature-id

url

source-address (user-defined IPS signature rule view)

Use source-address to specify a source address filtering criterion in a user-defined IPS signature rule.

Use undo source-address to restore the default.

Syntax

source-address ip ip-address

undo source-address

Default

No source IP address exists.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IPv4 address. It is used to match the packet source IPv4 address.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In rule 1 of user-defined IPS signature mysignature, specify the keyword type as the match pattern type and specify source IP address 10.1.1.1 as a filtering criterion.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] source-address ip 10.1.1.1

source-port

Use source-port to specify a source port filtering criterion in a user-defined signature rule.

Use undo source-port to restore the default.

Syntax

source-port start-port [ to end-port ]

undo source-port

Default

No source ports are specified as the filtering criteria in a user-defined signature rule.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

start-port: Specifies the start port number of a source port range, in the range of 1 to 65535.

to end-port: Specifies the end port number of a source port range, in the range of 1 to 65535. If you do not specify this option, only the start port number is specified.

Usage guidelines

The port numbers are used to match the source port numbers of the specified transport layer protocol.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In rule 1 of user-defined IPS signature mysignature, specify the keyword type as the match pattern type and specify the source port range as 1 to 3550.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] source-port 1 to 3550

statistics signature-hit enable

Use statistics signature-hit enable to enable IPS signature hit counting.

Use undo statistics signature-hit enable to disable IPS signature hit counting.

Syntax

statistics signature-hit enable

undo statistics signature-hit enable

Default

IPS signature hit counting is disabled.

Views

IPS policy view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to collect hit statistics for each IPS signature. You can view IPS signature hit statistics on the Web interface of the device.

Examples

# Enable IPS signature hit counting in IPS policy policy.

<Sysname> system-view

[Sysname] ips policy policy

[Sysname-ips-policy-policy] statistics signature-hit enable

status

Use status to specify a default status criterion to filter IPS signatures in an IPS policy.

Use undo status to restore the default.

Syntax

status { disabled | enabled } *

undo status

Default

The default status attribute is not used for IPS signature filtering.

Views

IPS policy view

Predefined user roles

network-admin

Parameters

disabled: Specifies the signatures that are not recommended in the IPS signature library by default.

enabled: Specifies the signatures that are recommended in the IPS signature library by default.

Usage guidelines

This command filters the IPS signatures that an IPS policy uses based on the default status attribute of the IPS signatures.

The default status of an IPS signature indicates whether or not the IPS signature is recommended in the IPS signature library by default.

·     Disabled IPS signatures—Not recommended IPS signatures, which apply only to special scenarios and are not universally applied.

·     Enabled IPS signatures—Recommended IPS signatures, which are universally applied.

You can specify both default states. The IPS policy uses an IPS signature if the IPS signature matches either of the configured default status criteria.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure IPS policy policy to use IPS signatures in enabled default status.

<Sysname> system-view

[Sysname] ips policy policy

[Sysname-ips-policy-policy] status enabled
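The signature-selection criteria described for object-dir, protect-target, severity-level (IPS policy view) and status, implemented as one added Python example (not H3C code). It reproduces the documented behaviour within each criterion: signatures with the Any direction always pass object-dir, a protect-target without a subtarget matches any subtarget of that target, multiple protect-target criteria accumulate while the other criteria are replaced on re-run, and within one criterion any listed value matches. Requiring all configured criteria to match across criteria, and the signature attribute names used, are assumptions.

```python
# Added example (not H3C code): the signature-selection criteria an IPS policy
# applies (object-dir, protect-target, severity-level and status). Within one
# criterion any listed value matches; across criteria this model requires all
# configured criteria to match, which is an assumption, not a statement from
# the command reference. Signature attribute names are also assumed.

DIRECTION_OF = {"client": "To-client", "server": "To-server"}
SEVERITIES = {"critical", "high", "medium", "low"}
STATES = {"enabled", "disabled"}


class IpsPolicyFilter:
    def __init__(self):
        self.object_dir = None   # set of {"client", "server"}; replaced on re-run
        self.severity = None     # set of severity levels; replaced on re-run
        self.status = None       # set of {"enabled", "disabled"}; replaced on re-run
        self.targets = []        # list of (target, subtarget or None); accumulates
        self.all_targets = False

    def set_object_dir(self, *dirs):
        unknown = set(dirs) - DIRECTION_OF.keys()
        if unknown:
            raise ValueError(f"unknown direction(s): {sorted(unknown)}")
        self.object_dir = set(dirs)

    def set_severity_level(self, *levels):
        unknown = set(levels) - SEVERITIES
        if unknown:
            raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
        self.severity = set(levels)

    def set_status(self, *states):
        unknown = set(states) - STATES
        if unknown:
            raise ValueError(f"unknown status value(s): {sorted(unknown)}")
        self.status = set(states)

    def add_protect_target(self, target, subtarget=None):
        # Unlike the other criteria, each protect-target command adds a criterion.
        if target == "all":
            self.all_targets = True
        else:
            self.targets.append((target, subtarget))

    def selects(self, sig):
        """True when the policy would use this signature."""
        if self.object_dir is not None and sig["direction"] != "Any":
            wanted = {DIRECTION_OF[d] for d in self.object_dir}
            if sig["direction"] not in wanted:
                return False
        if self.severity is not None and sig["severity"] not in self.severity:
            return False
        if self.status is not None and sig["status"] not in self.status:
            return False
        if self.targets and not self.all_targets:
            hit = any(t == sig["target"] and (st is None or st == sig["subtarget"])
                      for t, st in self.targets)
            if not hit:
                return False
        return True
```

A filter like this is useful when reviewing a policy against a signature export: it shows which signatures a narrow `object-dir` or `severity-level` setting excludes, which is where coverage gaps in a tuned policy usually come from.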

trigger

Use trigger to create a detection trigger condition in a user-defined IPS signature rule.

Use undo trigger to delete a detection trigger condition from the user-defined IPS signature rule.

Syntax

trigger field field-name include { hex hex-string | text text-string } [ offset offset-value ] [ depth depth-value ]

undo trigger

Default

No detection trigger condition exists.

Views

User-defined IPS signature rule view

Predefined user roles

network-admin

Parameters

field-name: Specifies a protocol field by its name, in a case-insensitive string. To view the names of supported protocol fields, enter a question mark (?) after the field keyword.

include: Matches contents that include the specified string.

hex hex-string: Specifies a case-sensitive hexadecimal string of 8 to 254 characters. Valid characters are the digits 0 to 9 and the letters A to F and a to f. The string must contain an even number of characters and must be enclosed in two vertical bars (|), for example, |1234f5b6|.

text text-string: Specifies a case-insensitive text string of 3 to 255 characters.

offset offset-value: Specifies an offset in bytes after which the match operation starts, in the range of 1 to 65535. If you do not specify the offset-value argument, the match operation starts from the beginning of the protocol field.

depth depth-value: Specifies the number of bytes to match, in the range of 3 to 65535. If you do not specify the depth-value argument, the detection trigger condition detects the whole protocol field.

Usage guidelines

This command is available only for a user-defined signature rule of the keyword match pattern type. The device continues to compare a packet with detection items only after the packet matches the detection trigger condition in a rule. If a packet fails to match the detection trigger condition, the rule matching fails, and the detection items will not be compared.

In a signature rule of the keyword match pattern type, a detection trigger condition must be configured before detection item configuration.

If you delete the detection trigger condition, all detection items in the rule will also be deleted.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In user-defined IPS signature mysignature, create rule 1 for TCP and HTTP protocols and specify the keyword match pattern type. Create a detection trigger condition in the rule to match packets whose http-uri field includes abc. Specify the offset and depth as 10 bytes and 50 bytes, respectively.

<Sysname> system-view

[Sysname] ips signature user-defined name mysignature

[Sysname-ips-signature-mysignature] rule 1 l4-protocol tcp l5-protocol http pattern-type keyword

[Sysname-ips-signature-mysignature-rule-1] trigger field http-uri include text abc offset 10 depth 50
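How the pieces of a user-defined signature rule fit together (the rule-logic and/or operator, the source-address and source-port criteria, and the trigger condition with its hex or text pattern, offset and depth), shown as an added Python example that is not H3C code. The packet representation (a dict with src_ip, src_port and a fields dict of byte strings keyed by protocol field name such as "http-uri") is assumed, as is the reading that the 8 to 254 character limit for hex strings counts the hex digits rather than the enclosing bars.

```python
import re

# Added example (not H3C code): a minimal model of a user-defined IPS signature
# made of rules that each carry a trigger condition, an optional source-address
# and an optional source-port range, combined with rule-logic and/or.
# The packet representation (dict with src_ip, src_port and a fields dict of
# byte strings keyed by protocol field name such as "http-uri") is assumed.

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_pattern(kind, value):
    """Return (pattern_bytes, case_insensitive) for a trigger pattern.
    hex strings must be an even number of hex digits enclosed in |...|,
    8 to 254 digits (assumed to count the digits, not the bars);
    text strings are 3 to 255 characters and match case-insensitively."""
    if kind == "hex":
        if not (value.startswith("|") and value.endswith("|")):
            raise ValueError("hex string must be enclosed in vertical bars")
        digits = value[1:-1]
        if not 8 <= len(digits) <= 254 or len(digits) % 2 or not HEX_RE.fullmatch(digits):
            raise ValueError("hex string needs an even count of 8 to 254 hex digits")
        return bytes.fromhex(digits), False
    if kind == "text":
        if not 3 <= len(value) <= 255:
            raise ValueError("text string must be 3 to 255 characters")
        return value.encode(), True
    raise ValueError("pattern kind must be hex or text")


def trigger_matches(field_value, kind, value, offset=None, depth=None):
    """True when the pattern occurs in the field, starting `offset` bytes in and
    looking at no more than `depth` bytes (the whole remaining field if None)."""
    pattern, case_insensitive = parse_pattern(kind, value)
    start = offset or 0
    window = field_value[start:] if depth is None else field_value[start:start + depth]
    if case_insensitive:
        return pattern.lower() in window.lower()
    return pattern in window


class Rule:
    """One user-defined signature rule of the keyword match pattern type."""

    def __init__(self, rule_id, trigger, source_address=None, source_port=None):
        if not 1 <= rule_id <= 8:
            raise ValueError("rule ID must be 1 to 8")
        self.rule_id = rule_id
        self.trigger = trigger            # (field, kind, value, offset, depth)
        self.source_address = source_address
        self.source_port = source_port    # (start_port, end_port); end == start if no "to"

    def matches(self, packet):
        if self.source_address is not None and packet["src_ip"] != self.source_address:
            return False
        if self.source_port is not None:
            start, end = self.source_port
            if not start <= packet["src_port"] <= end:
                return False
        field, kind, value, offset, depth = self.trigger
        # The trigger gates everything else: if it fails, the rule's detection
        # items (configured separately on the device) are never compared.
        return trigger_matches(packet["fields"].get(field, b""), kind, value, offset, depth)


def signature_matches(rules, logic, packet):
    """Apply rule-logic: and = every rule must match, or (the default) = any rule."""
    results = [rule.matches(packet) for rule in rules]
    return all(results) if logic == "and" else any(results)
```

The offset and depth arguments matter for false-positive control: a pattern such as abc anchored to a narrow window of the http-uri field fires far less often than the same pattern searched across the whole field, so testing candidate rules against captured traffic in a model like this one is a cheap way to tune them before they are deployed with a drop or reset action.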

update schedule

Use update schedule to schedule the time for automatic IPS signature library update.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device starts updating the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.

Views

Automatic IPS signature library update configuration view

Predefined user roles

network-admin

Parameters

daily: Updates the IPS signature library every day.

weekly: Updates the IPS signature library every week.

fri: Updates the IPS signature library every Friday.

mon: Updates the IPS signature library every Monday.

sat: Updates the IPS signature library every Saturday.

sun: Updates the IPS signature library every Sunday.

thu: Updates the IPS signature library every Thursday.

tue: Updates the IPS signature library every Tuesday.

wed: Updates the IPS signature library every Wednesday.

start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:

·     Start time minus half the tolerance time.

·     Start time plus half the tolerance time.

Examples

# Configure the device to automatically update the IPS signature library every Monday at a random time between 20:25:00 and 20:35:00.

<Sysname> system-view

[Sysname] ips signature auto-update

[Sysname-ips-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10

Related commands

ips signature auto-update

url

Use url to add a URL to an IPS whitelist entry.

Use undo url to restore the default.

Syntax

url match-type { accurate | substring } url-text

undo url

Default

No URL exists in an IPS whitelist entry.

Views

IPS whitelist entry view

Predefined user roles

network-admin

Parameters

match-type: Specifies the match type.

accurate: Specifies the exact match. A match is found if the URL in the packet is exactly the same as the configured URL.

substring: Specifies the substring match. A match is found if the URL in the packet contains the configured URL.

url-text: Specifies a URL, a case-insensitive string of 3 to 460 characters.

Usage guidelines

If false alarms exist in IPS logs, use this command to add a URL to an IPS whitelist entry. The URL is recorded in the IPS log. The device permits packets matching the URLs on the IPS whitelist to pass through, reducing false alarms.

If both a signature ID and URL exist in the IPS whitelist entry, a packet matches the IPS whitelist entry only when both the signature ID and URL are matched.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Add URL baidu.com to IPS whitelist entry 1, and specify the exact match type as the match type.

<Sysname> system-view

[Sysname] ips whitelist 1

[Sysname-ips-whitelist-1] url match-type accurate baidu.com
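The whitelist-entry matching rules given for signature-id, source-address (IPS whitelist entry view) and url, combined into one added Python example (not H3C code): an entry matches a logged hit only when every criterion the entry carries matches, URLs compare case-insensitively with either exact or substring matching, and a hit is permitted when any entry matches. The hit record format (a dict with sig_id, src and url) is a constructed stand-in for the fields an IPS log records, and treating an entry with no criteria as matching nothing is an assumption.

```python
import ipaddress

# Added example (not H3C code): matching an IPS log hit against IPS whitelist
# entries built with signature-id, source-address and url. An entry matches
# only when every criterion it carries matches; an entry with no criteria is
# assumed to whitelist nothing. The hit record format (dict with sig_id, src,
# url) is a constructed stand-in for the fields recorded in an IPS log.


class WhitelistEntry:
    def __init__(self, entry_id):
        self.entry_id = entry_id
        self.signature_id = None
        self.source_address = None
        self.url = None           # (match_type, url_text lower-cased)

    def set_signature_id(self, sig_id):
        if not 1 <= sig_id <= 4294967294:
            raise ValueError("signature ID must be 1 to 4294967294")
        self.signature_id = sig_id      # repeating the command replaces the value

    def set_source_address(self, address):
        self.source_address = ipaddress.ip_address(address)   # IPv4 or IPv6

    def set_url(self, match_type, url_text):
        if match_type not in ("accurate", "substring"):
            raise ValueError("match-type must be accurate or substring")
        if not 3 <= len(url_text) <= 460:
            raise ValueError("URL must be 3 to 460 characters")
        self.url = (match_type, url_text.lower())   # URLs compare case-insensitively

    def matches(self, hit):
        """True when every criterion configured in this entry matches the hit."""
        if self.signature_id is None and self.source_address is None and self.url is None:
            return False
        if self.signature_id is not None and hit.get("sig_id") != self.signature_id:
            return False
        if self.source_address is not None:
            src = hit.get("src")
            if src is None or ipaddress.ip_address(src) != self.source_address:
                return False
        if self.url is not None:
            match_type, text = self.url
            url = hit.get("url", "").lower()
            if match_type == "accurate" and url != text:
                return False
            if match_type == "substring" and text not in url:
                return False
        return True


def is_whitelisted(entries, hit):
    """A hit is permitted when any whitelist entry matches it."""
    return any(entry.matches(hit) for entry in entries)
```

The combination rule is what keeps whitelisting safe: an entry that pairs a signature ID with a URL or a source address suppresses only the specific false positive that was observed, whereas a signature-only entry disables that signature for all traffic, and a substring URL entry with a short string can match far more than intended.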

Related commands

ips whitelist activate

signature-id

source-address (IPS whitelist entry view)
