The following configuration adds a permanent entry to the IDS anomaly table for every input flow whose destination address is 10.41.6.2 (force-entry keeps the entry from aging out) and sends a syslog message as soon as a single anomaly is counted. All other input traffic falls through to the default term, which has no from clause and so matches everything; there the anomaly counts are aggregated per /24 source prefix rather than per individual source address:

    [edit services ids]
    rule simple_ids {
        term 1 {
            from {
                destination-address 10.41.6.2/32;
            }
            then {
                force-entry;
                logging {
                    threshold 1;
                    syslog;
                }
            }
        }
        term default {
            then {
                aggregation {
                    source-prefix 24;
                }
            }
        }
        match-direction input;
    }
IDS works in conjunction with the stateful firewall and relies on the anomalies the stateful firewall reports. The following rule matches FTP traffic (appl-ftp must be defined under [edit applications]) from 10.30.20.2 to 10.30.10.2 but not to 10.30.1.2, because the except keyword removes a prefix from the destination set. For matching flows it makes the anomaly-table entry permanent, logs to syslog once the anomaly count reaches 5, and turns on SYN cookies for the destination when the rate of SYN attempts exceeds 10 per second:

    [edit services ids]
    rule simple_ids {
        term 1 {
            from {
                source-address 10.30.20.2/32;
                destination-address {
                    10.30.10.2/32;
                    10.30.1.2/32 except;
                }
                applications appl-ftp;
            }
            then {
                force-entry;
                logging {
                    threshold 5;
                    syslog;
                }
                syn-cookie {
                    threshold 10;
                }
            }
        }
        match-direction input;
    }
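Before committing an IDS rule it is worth checking mechanically what it will match, because a typo in a prefix or a missing match-direction is rejected at commit time and an except entry silently removes addresses from the set. The following added example (it is not Junos code and not part of the original page) parses the brace-delimited stanza above into nested dictionaries, evaluates which term a given source/destination pair hits, and lints the rule. It models address matching and except only; application matching (appl-ftp) is not modelled. The second stanza, rule typo, is a constructed bad input with an octet above 255 and no match-direction.

```python
"""Parse a Junos-style [edit services ids] stanza and sanity-check an IDS rule.
Added example: a stand-alone linter, not Junos code. Address matching only."""
import ipaddress
import re

# The page's second rule, reproduced as parser input.
SAMPLE = """
[edit services ids]
rule simple_ids {
    term 1 {
        from {
            source-address 10.30.20.2/32;
            destination-address {
                10.30.10.2/32;
                10.30.1.2/32 except;
            }
            applications appl-ftp;
        }
        then {
            force-entry;
            logging {
                threshold 5;
                syslog;
            }
            syn-cookie {
                threshold 10;
            }
        }
    }
    match-direction input;
}
"""

# Constructed bad input: mistyped prefix, force-entry with no logging, no match-direction.
BAD_SAMPLE = """
rule typo {
    term 1 {
        from { destination-address 10.410.6.2/32; }
        then { force-entry; }
    }
}
"""


def parse_stanza(text):
    """Nested dicts: 'term 1 {' -> dict, 'threshold 5;' -> '5', bare 'syslog;' -> True.
    Repeated identical keys at one level are not modelled (last one wins)."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip()  # strip /* comments */
        if not line or line.startswith("[edit"):
            continue
        # One-line blocks such as 'from { x; }' are split into separate lines first.
        for piece in re.split(r"(?<=[{};])\s+(?=\S)", line):
            if piece.endswith("{"):
                block = {}
                stack[-1][piece[:-1].strip()] = block
                stack.append(block)
            elif piece == "}":
                stack.pop()
                if not stack:
                    raise ValueError("unbalanced closing brace")
            elif piece.endswith(";"):
                parts = piece[:-1].split(None, 1)
                stack[-1][parts[0]] = parts[1] if len(parts) > 1 else True
            else:
                raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def address_sets(from_block, field):
    """(included, excluded) networks of a source-/destination-address clause."""
    value = from_block.get(field)
    included, excluded = [], []
    if value is None:
        return included, excluded
    entries = value.items() if isinstance(value, dict) else [(value, True)]
    for prefix, flag in entries:
        net = ipaddress.ip_network(prefix, strict=False)  # ValueError on a bad octet
        (excluded if flag == "except" else included).append(net)
    return included, excluded


def first_matching_term(rule, src, dst):
    """(term name, then-clause) of the first term matching src -> dst, else (None, {}).
    A term without an address clause matches any address; except beats include."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for key, term in rule.items():
        if not key.startswith("term "):
            continue
        from_block, hit = term.get("from", {}), True
        for ip, field in ((src_ip, "source-address"), (dst_ip, "destination-address")):
            included, excluded = address_sets(from_block, field)
            if any(ip in net for net in excluded):
                hit = False
            elif included and not any(ip in net for net in included):
                hit = False
        if hit:
            return key.split(" ", 1)[1], term.get("then", {})
    return None, {}


def lint_rule(rule):
    """Findings a pre-commit check would raise for the rule."""
    findings = []
    if rule.get("match-direction") not in ("input", "output", "input-output"):
        findings.append("match-direction missing or invalid")
    for key, term in rule.items():
        if not key.startswith("term "):
            continue
        for field in ("source-address", "destination-address"):
            try:
                address_sets(term.get("from", {}), field)
            except ValueError as err:
                findings.append(f"{key}: {err}")
        then = term.get("then", {})
        if "force-entry" in then and "logging" not in then:
            findings.append(f"{key}: force-entry makes entries permanent but nothing logs them")
    return findings


if __name__ == "__main__":
    rule = parse_stanza(SAMPLE)["rule simple_ids"]
    print(first_matching_term(rule, "10.30.20.2", "10.30.10.2"))
    print(first_matching_term(rule, "10.30.20.2", "10.30.1.2"))
    print(lint_rule(parse_stanza(BAD_SAMPLE)["rule typo"]))
```

Run it as a script to see that 10.30.20.2 to 10.30.10.2 lands in term 1 with its syn-cookie and logging actions, that 10.30.20.2 to 10.30.1.2 matches nothing because of the except entry, and that the constructed rule fails on the prefix, the missing match-direction and the unlogged force-entry.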
The following example limits the number of sessions IDS admits for traffic matching the application set alg-set (defined under [edit applications]), counted per destination (by-destination), per source-destination pair (by-pair) and per source (by-source). For each counter, maximum caps concurrent sessions, rate caps new sessions per second, packets caps packets per second, and hold-time is how many seconds further sessions for that key are refused once a limit has been exceeded; 0 means only the excess is dropped. Here a single source that exceeds a limit is held for 5 seconds, while a busy destination or pair is throttled only while it is over the limit. Anomaly counts are aggregated per /30 destination prefix and logged once they reach 10:

    [edit services ids]
    rule ids-all {
        match-direction input;
        term t1 {
            from {
                application-sets alg-set;
            }
            then {
                aggregation {
                    destination-prefix 30; /* IDS action aggregation */
                }
                logging {
                    threshold 10;
                }
                session-limit {
                    by-destination {
                        hold-time 0;
                        maximum 10;
                        packets 200;
                        rate 100;
                    }
                    by-pair {
                        hold-time 0;
                        maximum 10;
                        packets 200;
                        rate 100;
                    }
                    by-source {
                        hold-time 5;
                        maximum 10;
                        packets 200;
                        rate 100;
                    }
                }
            }
        }
    }
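The practical difference between hold-time 5 on by-source and hold-time 0 on by-destination is easiest to see by replaying traffic against the counters. The following added example is a simplified model written for this page, not Junos's implementation: it keeps the maximum, rate and hold-time counters for the three scopes with the values from the ids-all rule above and leaves the packets-per-second counter out. The two traffic patterns it replays (one host opening sessions to twelve servers, then eleven clients hitting one server) are constructed for the demonstration.

```python
"""Simplified model of the IDS session-limit counters (added example, not Junos code).
Models maximum (concurrent sessions), rate (new sessions per second) and hold-time."""
from collections import defaultdict

# Values copied from the ids-all rule above; 'packets' is not modelled here.
LIMITS = {
    "by-source":      {"hold-time": 5, "maximum": 10, "rate": 100},
    "by-destination": {"hold-time": 0, "maximum": 10, "rate": 100},
    "by-pair":        {"hold-time": 0, "maximum": 10, "rate": 100},
}


def key_for(scope, src, dst):
    """The counter key each scope aggregates on."""
    return {"by-source": src, "by-destination": dst, "by-pair": (src, dst)}[scope]


class SessionLimiter:
    def __init__(self, limits):
        self.limits = limits
        self.active = {s: defaultdict(int) for s in limits}      # key -> concurrent sessions
        self.per_second = {s: defaultdict(int) for s in limits}  # (key, second) -> new sessions
        self.hold_until = {s: {} for s in limits}                # key -> time the block expires

    def open_session(self, t, src, dst):
        """Return (allowed, reason); reason names the scope and limit that refused it."""
        for scope, lim in self.limits.items():
            key = key_for(scope, src, dst)
            if self.hold_until[scope].get(key, -1.0) > t:
                return False, f"{scope} hold-time"
            if self.active[scope][key] >= lim["maximum"]:
                self._trip(scope, key, t, lim)
                return False, f"{scope} maximum"
            if self.per_second[scope][(key, int(t))] >= lim["rate"]:
                self._trip(scope, key, t, lim)
                return False, f"{scope} rate"
        for scope in self.limits:  # every scope admitted the session: count it in all of them
            key = key_for(scope, src, dst)
            self.active[scope][key] += 1
            self.per_second[scope][(key, int(t))] += 1
        return True, "ok"

    def _trip(self, scope, key, t, lim):
        """A limit was exceeded: block the key for hold-time seconds (0 = no block)."""
        if lim["hold-time"]:
            self.hold_until[scope][key] = t + lim["hold-time"]

    def close_session(self, src, dst):
        for scope in self.limits:
            key = key_for(scope, src, dst)
            self.active[scope][key] = max(0, self.active[scope][key] - 1)


def simulate(limits=LIMITS):
    """Replay two constructed traffic patterns; return (t, src, dst, allowed, reason) rows."""
    lim, log = SessionLimiter(limits), []
    # Pattern A (constructed): one host opens 12 sessions to 12 servers within 120 ms.
    scanner = "10.30.20.2"
    for i in range(12):
        t, dst = i * 0.01, f"10.30.10.{i + 1}"
        log.append((t, scanner, dst) + lim.open_session(t, scanner, dst))
    for i in range(5):                      # five of its sessions finish...
        lim.close_session(scanner, f"10.30.10.{i + 1}")
    for t in (3.0, 6.0):                    # ...but it stays blocked until hold-time expires
        log.append((t, scanner, "10.30.10.20") + lim.open_session(t, scanner, "10.30.10.20"))
    # Pattern B (constructed): 11 different clients open sessions to one server.
    server = "10.30.10.200"
    for i in range(11):
        t, src = 10.0 + i * 0.01, f"10.30.1.{i + 1}"
        log.append((t, src, server) + lim.open_session(t, src, server))
    lim.close_session("10.30.1.1", server)  # one client finishes; hold-time 0 frees the slot at once
    log.append((10.5, "10.30.1.12", server) + lim.open_session(10.5, "10.30.1.12", server))
    return log


if __name__ == "__main__":
    for row in simulate():
        print("%5.2fs %-11s -> %-13s %s" % (row[0], row[1], row[2], row[4]))
```

In pattern A the eleventh session trips by-source maximum and the source is refused for the next 5 seconds even after five of its sessions close; in pattern B the eleventh client trips by-destination maximum, but because hold-time is 0 the next client is admitted as soon as one session closes. Whether Junos counts a refused attempt toward the rate counter is not modelled; adjust the model before drawing conclusions about exact thresholds on real hardware.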