Intrusion Detection Services Configuration Guidelines
The Adaptive Services Physical Interface Card (AS PIC) supports a limited set of intrusion detection services (IDS) to perform attack detection. You can use IDS to perform the following tasks:
- Detect various types of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
- Detect attempts at network scanning and probing.
- Detect anomalies in traffic patterns, such as sudden bursts or a decline in bandwidth.
- Prevent some types of attacks.
- Redirect attack traffic to a collector for analysis.
The IDS configuration allows you to focus the attack detection and remedial actions on specific hosts or networks that you specify in the IDS terms. Signature detection is not supported.
To configure intrusion detection services, you include the following statements at the [edit services] hierarchy level of the configuration:

    [edit services]
    ids {
        rule rule-name {
            match-direction (input | output | input-output);
            term term-name {
                from {
                    applications [ application-names ];
                    application-sets [ set-names ];
                    destination-address address;
                    source-address address;
                }
                then {
                    aggregation {
                        destination-prefix prefix-value;
                        source-prefix prefix-value;
                    }
                    (force-entry | ignore-entry);
                    logging {
                        syslog;
                        threshold rate;
                    }
                    syn-cookie {
                        mss value;
                        threshold rate;
                    }
                }
            }
        }
        rule-set rule-set-name {
            [ rule rule-names ];
        }
    }
NOTE: The JUNOS software uses stateful firewall settings as a basis for performing IDS. You must commit a stateful firewall configuration in the same service set for IDS to function properly.
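The following configuration is an added worked example; it is not taken from this guide and is not Juniper's own sample. It protects one web server behind an AS PIC from SYN floods and records probing of the surrounding subnet, and it places the required stateful firewall rule in the same service set as the IDS rule set. Every name, address and numeric value is an assumption for illustration only: the web server 192.0.2.10 in 192.0.2.0/24, the AS PIC service interface sp-1/0/0, the customer-facing interface ge-0/0/0, the rule and service-set names, and the SYN-cookie and logging thresholds.

```junos
[edit services]
stateful-firewall {
    /* Stateful firewall rule that IDS builds on; must sit in the same
       service set as the IDS rules (assumed name: sfw-web). */
    rule sfw-web {
        match-direction input;
        term allow-web {
            from {
                destination-address 192.0.2.10/32;   /* assumed web server */
                applications junos-http;
            }
            then {
                accept;
            }
        }
        term deny-rest {
            then {
                discard;
            }
        }
    }
}
ids {
    rule ids-web {
        /* Inspect traffic entering the interface the service set is applied to. */
        match-direction input;
        term web-synflood {
            from {
                destination-address 192.0.2.10/32;
                applications junos-http;
            }
            then {
                /* Turn on SYN-cookie defense for this host once the inbound SYN
                   rate exceeds 1000 per second (assumed); advertise MSS 1460. */
                syn-cookie {
                    mss 1460;
                    threshold 1000;
                }
                /* Send IDS events to syslog, limited to 20 per second (assumed). */
                logging {
                    syslog;
                    threshold 20;
                }
            }
        }
        term scan-watch {
            from {
                destination-address 192.0.2.0/24;
            }
            then {
                /* Aggregate per-source counters on a /24 source prefix so a
                   scanner that spreads probes across a block counts as one. */
                aggregation {
                    source-prefix 24;
                }
                logging {
                    syslog;
                }
            }
        }
    }
    rule-set ids-web-set {
        rule ids-web;
    }
}
service-set ss-web {
    /* Both the stateful firewall rule and the IDS rule set are bound here;
       without the stateful firewall rule the IDS rule set does nothing. */
    stateful-firewall-rules sfw-web;
    ids-rule-sets ids-web-set;
    interface-service {
        service-interface sp-1/0/0;
    }
}

[edit interfaces ge-0/0/0 unit 0 family inet]
/* Apply the service set in both directions so return traffic is tracked
   by the stateful firewall; match-direction input then selects the
   packets arriving on ge-0/0/0 for IDS inspection. */
service {
    input {
        service-set ss-web;
    }
    output {
        service-set ss-web;
    }
}
```

After committing, the state the IDS rule builds up can be inspected with `show services ids` (destination-table, source-table and pair-table views); the thresholds above are starting points that should be tuned against the observed baseline for the protected host, since a threshold set below the normal SYN rate will engage SYN cookies on legitimate traffic.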
This chapter describes the following tasks for configuring intrusion detection services: