show services ids


Syntax

  show services ids (destination-table | pair-table | source-table)
  <brief | extensive | terse>
  <destination-prefix destination-prefix-name>
  <interface interface-name>
  <limit number>
  <order (anomalies | bytes | flows | packets)>
  <service-set service-set-name>
  <source-prefix source-prefix-name>
  <threshold number>

Release Information

Command introduced before Junos OS Release 7.4.

Description

Display information about intrusion detection service (IDS) events. Every event gathered by IDS is reported as an anomaly, including traffic that the stateful firewall legitimately permits: for example, creating a forward or watch flow, FTP passive mode, and FTP active mode are all allowed, but each is logged as an anomaly so that the rate and count of these events can be tracked per source, destination, and source/destination pair.

Options

destination-table: Display information for addresses under possible attack (suspected victims).
pair-table: Display information for particular suspected attack source and destination address pairs.
source-table: Display information for addresses that are suspected attackers.
brief | extensive | terse: (Optional) Display the specified level of output.
destination-prefix destination-prefix-name: (Optional) Display information only for the specified destination prefix.
interface interface-name: (Optional) Display information only for the specified adaptive services interface. On M Series and T Series routers, interface-name can be sp-fpc/pic/port or rspnumber.
limit number: (Optional) Maximum number of entries to display, up to 256. By default, each table displays the top 32 entries, sorted by the criterion chosen with the order option.
order: (Optional) Sort the displayed entries by one of the following criteria. The default is anomalies.
  • anomalies—Order output by number of anomalies (the default).
  • bytes—Order output by number of bytes received.
  • flows—Order output by number of flows.
  • packets—Order output by number of packets received.
service-set service-set-name: (Optional) Display information only for the specified service set.
source-prefix source-prefix-name: (Optional) Display information only for the specified source prefix.
threshold number: (Optional) Limit the display to entries whose count for the order criterion (anomalies, bytes, flows, or packets) exceeds this number; threshold is always evaluated against the same criterion that order selects. For example, to display all entries with more than 100 flows, specify order flows and threshold 100.
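The order, threshold, and limit options interact: threshold filters on whichever counter order selects, and limit truncates the sorted result. The following Python model is an added example and is not Junos or Juniper code; the IdsEntry class, the select_entries, build_command, fmt_count, and render functions, and the sample table rows are all assumptions constructed for illustration. It implements the option semantics described above on a constructed table so that the filtering behaviour can be checked offline, and it assembles the corresponding CLI line for use in automation.

```python
"""Model of how show services ids order/threshold/limit select table entries.

Added example, not Junos code. Table rows are constructed; the selection
rules follow the option descriptions on this page.
"""
from dataclasses import dataclass

DEFAULT_LIMIT = 32   # default number of entries shown per table
MAX_LIMIT = 256      # largest value accepted by the limit option
ORDER_KEYS = ("anomalies", "bytes", "flows", "packets")
TABLES = ("destination-table", "pair-table", "source-table")


@dataclass(frozen=True)
class IdsEntry:
    """Hypothetical row of a source, destination or pair table.

    Field names deliberately match the CLI order keywords so that the
    order option can be resolved with getattr().
    """
    source: str
    dest: str
    bytes: int
    packets: int
    flows: int
    anomalies: int


# Constructed sample rows (not real device output).
SAMPLE_ENTRIES = [
    IdsEntry("10.0.0.5", "192.0.2.10", bytes=5_400_000, packets=48_000, flows=1_200, anomalies=900),
    IdsEntry("10.0.0.7", "192.0.2.10", bytes=120_000, packets=3_100, flows=80, anomalies=2_500),
    IdsEntry("10.0.0.9", "192.0.2.22", bytes=9_800, packets=150, flows=101, anomalies=4),
    IdsEntry("10.0.0.11", "192.0.2.22", bytes=300, packets=5, flows=1, anomalies=0),
]


def fmt_count(n: int) -> str:
    """Render a counter in thousands (k) or millions (m), as the output fields do."""
    if n >= 1_000_000:
        return f"{n / 1_000_000:.1f}m"
    if n >= 1_000:
        return f"{n / 1_000:.1f}k"
    return str(n)


def select_entries(entries, order="anomalies", threshold=None, limit=DEFAULT_LIMIT):
    """Apply order, threshold and limit the way the option text describes.

    order picks the sort key (descending); threshold keeps only entries whose
    value for that same key exceeds it ("more than 100 flows"); limit caps the
    result and must stay within the 1..256 range the CLI accepts.
    """
    if order not in ORDER_KEYS:
        raise ValueError(f"order must be one of {ORDER_KEYS}")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    value = lambda e: getattr(e, order)
    kept = list(entries) if threshold is None else [e for e in entries if value(e) > threshold]
    kept.sort(key=value, reverse=True)
    return kept[:limit]


def build_command(table, level="extensive", **opts):
    """Assemble the CLI line for a table and options (keyword names use '_' for '-')."""
    if table not in TABLES:
        raise ValueError(f"table must be one of {TABLES}")
    parts = ["show services ids", table, level]
    for name in ("order", "threshold", "limit", "service-set",
                 "source-prefix", "destination-prefix", "interface"):
        val = opts.get(name.replace("-", "_"))
        if val is not None:
            parts += [name, str(val)]
    return " ".join(parts)


def render(entries, order="anomalies"):
    """Print the selected rows with k/m counters, mirroring the output field names."""
    lines = [f"Sorting order: {order.capitalize()}"]
    for e in entries:
        lines.append(f"{e.source:<12} {e.dest:<12} bytes {fmt_count(e.bytes):>6} "
                     f"packets {fmt_count(e.packets):>6} flows {fmt_count(e.flows):>6} "
                     f"anomalies {fmt_count(e.anomalies):>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Equivalent of: show services ids source-table extensive order flows threshold 100 limit 3
    print(build_command("source-table", order="flows", threshold=100, limit=3))
    print(render(select_entries(SAMPLE_ENTRIES, order="flows", threshold=100, limit=3), order="flows"))
```

With order flows and threshold 100 only the two rows with more than 100 flows survive, and the entry with the most anomalies (10.0.0.7) is not among them; that is the point of evaluating threshold against the order criterion rather than against anomalies by default.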

Required Privilege Level

view

List of Sample Output

show services ids destination-table

show services ids destination-table extensive

show services ids destination-table extensive order anomalies

show services ids pair-table extensive

show services ids pair-table extensive limit

show services ids source-table extensive

show services ids source-table extensive limit

Output Fields

Table 1 lists the output fields for the show services ids command. Output fields are listed in the approximate order in which they appear. Each entry gives the field name, the output level at which the field appears (in parentheses), and the field description.

Table 1: show services ids Output Fields

Interface (all levels)
Name of the adaptive services interface.

Service set (all levels)
Name of the service set. Individual empty service sets are not displayed, but if no service set has any flows, a flow table header is printed for each service set.

Sorting order (all levels)
Criterion by which the entries are ordered: Anomalies, Bytes, Flows, or Packets.

Source address (all levels)
Source address of the entry.

Dest address (all levels)
Destination address of the entry.

Time (all levels)
Total time the entry has been in the table.

Flags (all levels)
Forced (shown as F in terse output), SYNcookie (shown as S in terse output), or Forced+SYNcookie (shown as F+S in terse output). The SYNcookie flag appears only in the destination table.

Application (all levels)
Configured application, such as FTP or Telnet.

Bytes (all levels)
Total number of bytes sent from the source to the destination address, in thousands (k) or millions (m).

Packets (all levels)
Total number of packets sent from the source to the destination address, in thousands (k) or millions (m).

Flows (all levels)
Total number of flows sent from the source to the destination address, in thousands (k) or millions (m).

Anomalies (all levels)
Total number of packets in the anomaly table, in thousands (k) or millions (m).

Anomaly description (extensive)
One or more of the following types of anomalies. For more information, see the detailed descriptions in the stateful firewall section of the System Log Explorer.

  • First packet of TCP session not SYN
  • ICMP echo request dropped, because sequence number duplicated
  • ICMP echo reply dropped. No matching sequence number
  • ICMP echo request dropped. Too many echo requests without echo reply
  • ICMP header length check failed
  • ICMP packet length greater than 64K
  • IP fragment assembly timeout
  • IP fragment length error
  • IP fragment overlap
  • IP packet length greater than 64K
  • IP packet too short
  • IP packet with broadcast destination address
  • IP packet with checksum error
  • IP packet with incorrect length
  • IP packet with TTL equal to 0
  • IP packet with version other than 4
  • Land attack (IP src address = dest address)
  • No matching SFW rule; attempting to create discard flow
  • Number of open sessions exceeds IDS limit; packet dropped
  • Packet rate exceeds IDS limit; packet dropped
  • Session creation rate exceeds IDS limit; packet dropped
  • SFW application message too long
  • SFW discard packet contains non-configured IP option types
  • SFW drop packet because of discard flow
  • SFW dropped TCP watch packet
  • SFW rules request FTP active mode data packets to be accepted; attempting to create forward flow
  • SFW rules request FTP passive mode data packets to be accepted; attempting to create forward flow
  • SFW rules request packet to be accepted; attempting to create forward or watch flow
  • SFW rules request packet to be discarded; attempting to create discard flow
  • SFW rules request packet to be rejected; attempting to create reject flow
  • SFW discard flow requires packet to be dropped
  • SFW SYN defense
  • Smurf attack (ping to IP broadcast address)
  • TCP FIN/RST or SYN/(URG|FIN|RST) flags set
  • TCP header length check failed
  • TCP port scan (port not in LISTEN state)
  • TCP seq number zero and FIN/PSH/RST flags set
  • TCP seq number zero and no flags set
  • TCP source or destination port zero
  • TCP SYN flood attack
  • UDP header length check failed
  • UDP port scan (port not in LISTEN state)
  • UDP source or destination port zero

Count (extensive)
Number of times that a particular anomaly occurred, in thousands (k) or millions (m).

Rate (eps) (extensive)
Anomaly events per second. The IDS subsystem maintains a weighted average of rates, which might not reflect the exact incoming rate at low rates. At high rates, above roughly 160 events per second, the reported rate generally matches the actual rate.

Elapsed (extensive)
Time since the same type of anomaly last occurred.

Total IDS table entries (all levels)
Number of entries in the IDS table. Because of the limit option and any prefix or service-set filters, this number is not necessarily the sum of the entries displayed.

Total failed IDS table entry insertions (all levels)
Number of IDS entries that could not be added to the table because the table was full. A nonzero value means some suspected sources or destinations are not being tracked.

Total number of events (closed flows and anomalies detected) (all levels)
Total number of events since the system was started or since the show services ids command was last executed.

Sample Output

show services ids destination-table

user@host> show services ids destination-table

show services ids destination-table extensive

user@host> show services ids destination-table extensive

show services ids destination-table extensive order anomalies

user@host> show services ids destination-table extensive order anomalies

show services ids pair-table extensive

user@host> show services ids pair-table extensive

show services ids pair-table extensive limit

user@host> show services ids pair-table extensive limit 3

show services ids source-table extensive

user@host> show services ids source-table extensive

show services ids source-table extensive limit

user@host> show services ids source-table extensive limit 3