Technical Documentation

Verifying the APE Rulebase

Purpose

When you are initially verifying APE rulebase functionality in your lab, you can use the scio utility to view APE-related process statistics. The counters should increase or decrease in accordance with your test load.

Action

To view APE-related statistics in the CLI:

  1. Log into the CLI as admin and enter su - to switch to root.
  2. Use the commands described in the following table to verify APE rulebase functionality.

Table 1: APE-Related scio Commands

Command Syntax: scio ape-stats s0

Usage and Examples: Displays counts for the APE rulebase rules whose action is set to Rate Limit. For each applicable rule, the output shows the rate limit, current utilization, and dropped packet count for both client-to-server (c2s) and server-to-client (s2c) flows.

[root@defaulthost admin]# scio ape-stats s0
Rule  C2S(Mb)  S2C(MB)  C2S bytes   S2C bytes  C2S pkts   S2C pkts C2S D-pkts  S2C D-pkts C2S-flows S2C-flows
1         100          10             2622002        1234           75615        123           73866           0                   1           1 

Command Syntax: scio var -s s0 sc_ape_flow_table

Usage and Examples: Displays the flow table for any current sessions where the rate-limit action is applied:

[root@defaulthost admin]# scio var -s s0 sc_ape_flow_table
sc_ape_flow_table:
|   Source IP   |  Port | Destination IP |  Port |FSt| Dir |Xtra info| VLAN | Timeout | Rule-index |
|---------------+-------+----------------+-------+---+-----+---------+------+---------+----------- |
[10.10.0.227       1050] [67.99.176.30        80]  R   CTS  Estblshd  0      3589/3600  1
[67.99.176.30        80] [10.10.0.227       1050]  R   STC  Estblshd  0      3589/3600  1
[10.157.5.2        1722] [10.157.6.234        80]  R   CTS  Estblshd  0      3586/3600  1

Tip: You can also use sctop to view the flow table for sessions matching APE rate-limit rules. With sctop, use the -o option.

Note: Collection of APE statistics is disabled by default. Use the following command to turn on collection:

scio const -s s0 set sc_enable_ape_stats 1
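A practical way to apply the "counters should move with your test load" check is to capture scio ape-stats output before and after sending test traffic and compare the rows. The following is an added example, not part of the original documentation or the scio utility; the column names, the two constructed snapshots (modelled on the sample row above) and the engagement check are this example's own assumptions.

```python
"""Parse `scio ape-stats s0` output and check that the Rate Limit counters
move under test load. Sample output constructed after the documented row."""

# Column names in the order of the `scio ape-stats` header. The header has
# spaces inside names ("C2S bytes"), so it is never split on whitespace;
# this fixed list is an assumption based on the documented output.
COLUMNS = ("rule", "c2s_limit_mb", "s2c_limit_mb", "c2s_bytes", "s2c_bytes",
           "c2s_pkts", "s2c_pkts", "c2s_dpkts", "s2c_dpkts",
           "c2s_flows", "s2c_flows")

def parse_ape_stats(text):
    """Return {rule_index: {column: int}} for each data row.
    Prompt echo, header and blank lines are skipped; a row with an
    unexpected field count raises so a changed format is not misread."""
    stats = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected field count in: {line!r}")
        row = dict(zip(COLUMNS, map(int, fields)))
        stats[row["rule"]] = row
    return stats

def counter_deltas(before, after, rule):
    """Per-counter change for one rule between two snapshots."""
    return {k: after[rule][k] - before[rule][k] for k in COLUMNS if k != "rule"}

def rate_limit_engaged(before, after, rule):
    """True when packets flowed and the drop counters advanced in either
    direction between snapshots, i.e. the Rate Limit action took effect."""
    d = counter_deltas(before, after, rule)
    traffic = d["c2s_pkts"] > 0 or d["s2c_pkts"] > 0
    drops = d["c2s_dpkts"] > 0 or d["s2c_dpkts"] > 0
    return traffic and drops

# Constructed snapshots: the first mirrors the documented sample row, the
# second shows the same rule after more test traffic has been sent.
SNAPSHOT_1 = """[root@defaulthost admin]# scio ape-stats s0
Rule  C2S(Mb)  S2C(MB)  C2S bytes  S2C bytes  C2S pkts  S2C pkts  C2S D-pkts  S2C D-pkts  C2S-flows  S2C-flows
1  100  10  2622002  1234  75615  123  73866  0  1  1
"""
SNAPSHOT_2 = """[root@defaulthost admin]# scio ape-stats s0
Rule  C2S(Mb)  S2C(MB)  C2S bytes  S2C bytes  C2S pkts  S2C pkts  C2S D-pkts  S2C D-pkts  C2S-flows  S2C-flows
1  100  10  5301880  2468  151230  246  149732  0  1  1
"""
```

Call parse_ape_stats on each captured snapshot and rate_limit_engaged on the pair; a rule whose packet counters grow while its D-pkts counters stay flat indicates traffic is matching but the limit is not being exceeded by your test load.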

NSM Logs

In the regular course of security administration, you will use NSM logs to verify that the APE rulebase is operating as expected. When a session matches an APE rule and logging is enabled for that rule, IDP generates a log entry and NSM collects it so that you can view it in the NSM log viewer. APE logs can be identified and sorted by category Traffic and subcategory APE. The Action column indicates the action applied. If the action is rate-limiting, the log indicates the rate limit applied, including whether the client-to-server or server-to-client rate limit was reached.

To view APE-related logs in NSM:

  1. In the NSM navigation tree, select Investigate > Log Viewer > Predefined.
  2. Click Traffic to display the predefined view of traffic logs, where APE logs are collected.
  3. Use NSM sorting and filtering features to locate APE-related logs.

Published: 2010-01-12