[Contents] [Prev] [Next] [Index] [Report an Error]


Configure IDS Actions

To configure IDS actions, include the then statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
then {
    aggregation {
        destination-prefix prefix-value;
        source-prefix prefix-value;
    }
    (force-entry | ignore-entry); 
    logging {
        syslog;
        threshold rate;
    }
    syn-cookie {
        mss value;
        threshold rate;
    }
}

You can configure the following possible actions: aggregation, force-entry or ignore-entry, logging, and syn-cookie. Each is described below.

aggregation groups matching traffic by source prefix, destination prefix, or both before IDS counts events, so that hosts within the same prefix are tracked as a single entry rather than one entry per address. To configure, include the aggregation statement at the [edit services ids rule rule-name term term-name then] hierarchy level and specify values for source-prefix or destination-prefix:

[edit services ids rule rule-name term term-name then]
aggregation {
    destination-prefix prefix-value;
    source-prefix prefix-value;
}

The prefix-value for the source-prefix and destination-prefix statements is a prefix length in bits; the range is restricted to integers from 1 through 32 (that is, IPv4 prefix lengths). A shorter prefix aggregates more aggressively: source-prefix 24 counts every host in a /24 as one entry.

force-entry and ignore-entry are mutually exclusive; a term can include one or the other. ignore-entry ensures that all IDS events from matching traffic are ignored. You can use this statement to disregard all traffic from a host you trust, including any temporary anomalies that IDS would otherwise count as events. force-entry does the opposite: it ensures that matching traffic is always recorded as an IDS entry, which is useful for a source you do not trust.

To configure, include the force-entry or ignore-entry statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
(force-entry | ignore-entry); 

To configure, include the logging statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
logging {
    syslog;
    threshold rate;
}

The syslog statement sends IDS events for matching traffic to the system log. You can optionally include a threshold rate, specified in events per second, so that system log messages are generated only once the event rate for an entry exceeds that threshold; this keeps a busy but benign source from flooding the log.

To configure, include the syn-cookie statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
syn-cookie {
    mss value;
    threshold rate;
}

If you enable syn-cookie defenses, you must include both a threshold rate to trigger syn-cookie activity and a TCP maximum segment size (MSS) value for TCP delayed binding. The threshold rate is specified in SYN attack events per second. By default, the TCP MSS value is 1500; the range is 128 through 8192. With delayed binding, once the threshold is exceeded the router answers incoming SYNs itself and forwards a connection to the protected server only after the client completes the handshake, so a flood of half-open connections never reaches the server. Because no state is kept for the unanswered SYNs, the MSS advertised to clients during that phase is the fixed configured value rather than whatever the server would have negotiated; choose it to match the path to the servers behind the rule.
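The following is an added example of one complete IDS rule that uses all four actions across three terms; it is not configuration from the original page. The rule and term names, the addresses, and the from-clause matches (match-direction, source-address, destination-address, applications) are assumptions drawn from the wider [edit services ids] hierarchy, which this page does not show; only the then statements use the syntax documented above.

```junos
/* Added example, not from the original page. Names, addresses and
   the from-clause matches are assumptions. */
services {
    ids {
        rule protect-web-servers {
            match-direction input;
            /* Trusted monitoring host: never count its probes as IDS events. */
            term trusted-monitor {
                from {
                    source-address 192.0.2.10/32;
                }
                then {
                    ignore-entry;
                }
            }
            /* Known-hostile netblock: always record an entry and log it. */
            term known-bad {
                from {
                    source-address 203.0.113.0/24;
                }
                then {
                    force-entry;
                    logging {
                        syslog;
                    }
                }
            }
            /* Public web servers: count events per source /24 so one
               scanning netblock is a single entry, log once the event
               rate passes 100/s, and proxy the TCP handshake (delayed
               binding, fixed MSS 1460) once SYNs exceed 1000/s. */
            term web-syn-guard {
                from {
                    destination-address 198.51.100.0/24;
                    applications junos-http;
                }
                then {
                    aggregation {
                        source-prefix 24;
                    }
                    logging {
                        syslog;
                        threshold 100;
                    }
                    syn-cookie {
                        mss 1460;
                        threshold 1000;
                    }
                }
            }
        }
    }
}
```

Terms are evaluated in order, so the ignore-entry term for the trusted host must precede the broader terms or its traffic is counted by them. The rule only takes effect once it is referenced from a service set applied to an interface, which this page does not cover.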

