Configuring IDS Actions

To configure IDS actions, include the then statement at the [edit services ids rule rule-name term term-name] hierarchy level:

then {

    aggregation {

        destination-prefix prefix-value;

        source-prefix prefix-value;

    }

    (force-entry | ignore-entry); 

    logging {

        syslog;

        threshold rate;

    }

    session-limit {

        by-destination {

            hold-time seconds;

            maximum number;

            packets number;

            rate number;

        }

        by-pair {

            hold-time seconds;

            maximum number;

            packets number;

            rate number;

        }

        by-source {

            hold-time seconds;

            maximum number;

            packets number;

            rate number;

        }

    }

    syn-cookie {

        mss value;

        threshold rate;

    }

}

You can configure the following possible actions:

• aggregation—The router aggregates traffic labeled with the specified source or destination prefixes before passing the events to IDS processing. This is helpful if you want to examine all the traffic connected with a particular source or destination host. To collect traffic with some other marker, such as a particular application or port, configure that value in the match conditions.

To configure aggregation prefixes, include the aggregation statement at the [edit services ids rule rule-name term term-name then] hierarchy level and specify values for source-prefix or destination-prefix:

aggregation {

    destination-prefix prefix-value;

    source-prefix prefix-value;

}

The value of source-prefix and destination-prefix must be an integer between 1 and 32.

• force-entry—The entry is assured a permanent spot in IDS caches after one event is registered. By default, the IDS software does not record information about "good" packets that do not exhibit suspicious behavior. You can use the force-entry statement to record all traffic from a suspect host, even traffic that would not otherwise be counted.

ignore-entry ensures that all IDS events are ignored. You can use this statement to disregard all traffic from a host you trust, including any temporary anomalies that IDS would otherwise count as events.

To configure an entry behavior different from the default, include the force-entry or ignore-entry statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

(force-entry | ignore-entry); 

• logging—The event is logged in the system log file.

To configure logging, include the logging statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

logging {

    syslog;

    threshold rate;

}

You can optionally include a threshold rate to trigger the generation of system log messages. The threshold rate is specified in events per second. IDS logs are generated once every 60 seconds for each anomaly that is reported. The logs are generated as long as the events continue.

• session-limit—The router limits open sessions when the specified threshold is reached.

To configure a threshold, include the session-limit statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

session-limit {

    by-destination {

        hold-time seconds;

        maximum number;

        packets number;

        rate number;

    }

    by-pair {

        hold-time seconds;

        maximum number;

        packets number;

        rate number;

    }

    by-source {

        hold-time seconds;

        maximum number;

        packets number;

        rate number;

    }

}

You configure the thresholds for flow limitation based on traffic direction:

• To limit the number of outgoing sessions from one internal host or subnet, configure the by-source statement.
• To limit the number of sessions between a pair of IP addresses, subnets, or applications, configure the by-pair statement.
• To limit the number of incoming sessions to one external public IP address or subnet, configure the by-destination statement.

You can configure the following threshold values:

• hold-time seconds—When the rate or packets measurement reaches the threshold value, stop all new flows for the specified number of seconds. Once hold-time is in effect, the traffic is blocked for the specified time even if the rate subsides below the specified limit. By default, hold-time has a value of 0; the range is 0 through 60 seconds.
• maximum number—Maximum number of open sessions per IP address or subnet per application. The range is 1 through 32,767.
• packets number—Maximum number of packets per second (pps) per IP address or subnet per application. The range is 4 through 2,147,483,647.
• rate number—Maximum number of sessions per second per IP address or subnet per application. The range is 4 through 32,767.

If you configure more than one source address at the [edit services ids rule rule-name term term-name from] hierarchy level, limits are applied for each source address independently. For example, the following configuration allows 20 connections from each source address, not 20 connections total. The same logic applies to destination-address and applications settings.

[edit services ids rule rule-name term term-name]

from {

    source-address 10.1.1.1;

    source-address 10.1.1.2;

}

then {

    session-limit by-source {

            maximum 20;

    }

}

   
NOTE: IDS limits are applied to packets that are accepted by stateful firewall rules. They are not applied to packets discarded or rejected by stateful firewall rules. For example, if the stateful firewall accepts 75 percent of the incoming traffic and the remaining 25 percent is rejected or discarded, the IDS limit applies only to 75 percent of the traffic.


 

• syn-cookie—The router activates SYN-cookie defensive mechanisms.

To configure SYN-cookie values, include the syn-cookie statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

syn-cookie {

    mss value;

    threshold rate;

}

If you enable SYN-cookie defenses, you must include both a threshold rate to trigger SYN-cookie activity and a Transmission Control Protocol (TCP) maximum segment size (MSS) value for TCP delayed binding. The threshold rate is specified in SYN attacks per second. By default, the TCP MSS value is 1500; the range is from 128 through 8192.