Intrusion Detection Service Configuration Guidelines

[Contents] [Prev] [Next] [Index] [Report an Error]

The Adaptive Services (AS) or MultiServices PIC supports a limited set of intrusion detection services to perform attack detection. You can use IDS to perform the following tasks:

Detect various types of denial-of-service (DoS) and directed denial-of-service (DDoS) attacks.
Detect attempts at network scanning and probing.
Detect anomalies in traffic patterns, such as sudden bursts or a decline in bandwidth.
Prevent some types of attacks.
Redirect attack traffic to a collector for analysis.
Specify thresholds for limiting the number of flows, the packet rate, and the session rate.

The intrusion detection service (IDS) configuration allows you to focus the attack detection and remedial actions on specific hosts or networks that you specify in the IDS terms. Signature detection is not supported.

To configure IDS, include the ids statement at the [edit services] hierarchy level:



ids {



rule rule-name {

match-direction (input | output | input-output);



term term-name {



rule {

applications [ application-names ];

application-sets [ set-names ];

destination-address (address | any-unicast) <except>;

destination-address-range low minimum-value high maximum-value <except>;

destination-prefix-list list-name <except>;

source-address (address | any-unicast) <except>;

source-address-range low minimum-value high maximum-value

     <except>;

source-prefix-list list-name <except>;
}





then {



aggregation {

destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;

source-prefix prefix-value | source-prefix-ipv6 prefix-value;
}


(force-entry | ignore-entry); 



logging {

syslog;

threshold rate;
}





session-limit {



by-destination {
hold-time seconds;
maximum number;
packets number;
rate number;
}





by-pair {
hold-time seconds;
maximum number;
packets number;
rate number;
}





by-source {
hold-time seconds;
maximum number;
packets number;
rate number;
}


}





syn-cookie {

mss value;

threshold rate;
}


}


}


}





rule-set rule-set-name {
[ rule rule-names ];
}


}

Note: The JUNOS software uses stateful firewall settings as a basis for performing IDS. You must commit a stateful firewall configuration in the same service set for IDS to function properly.

This chapter describes the following tasks for configuring intrusion detection service:

[Contents] [Prev] [Next] [Index] [Report an Error]