IDS rules identify traffic for which you want the router software to count events. Because IDS is based on stateful firewall properties, you must configure at least one stateful firewall rule and include it in the service set with the IDS rules; for more information, see Stateful Firewall Services Configuration Guidelines.
To configure an IDS rule, include the rule rule-name statement at the [edit services ids] hierarchy level:
-
rule rule-name {
-
match-direction (input | output | input-output);
-
-
term term-name {
-
-
from {
-
applications [ application-names ];
-
application-sets [ set-names ];
-
destination-address (address | any-unicast) <except>;
-
destination-address-range low minimum-value high maximum-value
- <except>;
-
destination-prefix-list list-name <except>;
-
source-address (address | any-unicast) <except>;
-
source-address-range low minimum-value high maximum-value <except>;
-
source-prefix-list list-name <except>;
- }
-
-
then {
-
-
aggregation {
-
destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
-
source-prefix prefix-value | source-prefix-ipv6 prefix-value;
- }
- (force-entry | ignore-entry);
-
-
logging {
-
syslog;
-
threshold rate;
- }
-
-
session-limit {
-
-
by-destination {
- hold-time seconds;
- maximum number;
- packets number;
- rate number;
- }
-
-
by-pair {
- hold-time seconds;
- maximum number;
- packets number;
- rate number;
- }
-
-
by-source {
- hold-time seconds;
- maximum number;
- packets number;
- rate number;
- }
- }
-
-
syn-cookie {
-
mss value;
-
threshold rate;
- }
- }
- }
- }
Each IDS rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:
The following sections describe IDS rule content in more detail: