[edit security idp] Hierarchy Level
security {idp {active-policy policy-name;custom-attack {... the custom-attack subhierarchy
appears after the main [edit security idp] hierarchy ...}custom-attack-group group-name {group-members [ group-and-attack-names ];}dynamic-attack-group group-name {filters {category {values [ values ];}direction {values [ any client-to-server exclude-any exclude-client-to-server
exclude-server-to-client server-to-client ];}false-positives {values [ frequently occasionally rarely unknown ];}performance {values [ fast normal slow unknown ];}products {values [ values ];}recommended;service {values [ values ];}severity {values [ critical info major minor warning ];}type {values [ anomaly signature ];}}}idp-policy policy-name {... the idp-policy subhierarchy
appears after the main [edit security idp] hierarchy ...}security-package {automatic {enable;interval hours;start-time MM-DD.hh:mm;}url url;}sensor-configuration {... the sensor-configuration subhierarchy appears after the main [edit security idp] hierarchy ...}ssl-inspection {sessions number;}traceoptions {file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable |
no-world-readable>;flag all;level severity;no-remote-trace;}}} idp {custom-attack attack-name {attack-type {... the attack-type subhierarchy
appears after the main [edit security idp custom-attack attack-name] hierarchy level ...}recommended-action (close | close-client | close-server |
drop | drop-packet | ignore | none);severity (critical | info | major | minor |
warning);time-binding {count count-value;scope (destination | peer | source);}} custom-attack attack-name {attack-type {anomaly {direction (any | client-to-server | server-to-client);service service-name;shellcode (all | intel | no-shellcode | sparc);test test-condition;}chain {expression boolean-expression;member member-name {attack-type {(anomaly | signature);}}order;protocol-binding {application application-name;icmp;ip {protocol-number transport-layer-protocol-number;}rpc {program-number rpc-program-number;}tcp {minimum-port port-number maximum-port port-number;}udp {minimum-port port-number maximum-port port-number;}}reset;scope (session | transaction);}signature {context context-name;direction (any | client-to-server | server-to-client);negate;pattern signature-pattern;protocol {... the protocol subhierarchy
appears after the main [edit security idp custom-attack attack-name attack-type signature] hierarchy
level ...}protocol-binding {application application-name;icmp;ip {protocol-number transport-layer-protocol-number;}rpc {program-number rpc-program-number;}tcp {minimum-port port-number maximum-port port-number;}udp {minimum-port port-number maximum-port port-number;}}regexp regular-expression;shell-code (all | intel | no-shellcode | sparc);} signature {protocol {icmp {code {match (equal | greater-than | less-than | not-equal);value code-value;}data-length {match (equal | greater-than | less-than | not-equal);value data-length;}identification {match (equal | greater-than | less-than | not-equal);value identification-value;}sequence-number {match (equal | greater-than | less-than | not-equal);value sequence-number;}type {match (equal | greater-than | less-than | not-equal);value type-value;}}ip {destination {match (equal | greater-than | less-than | not-equal);value hostname;}identification {match (equal | greater-than | less-than | not-equal);value identification-value;}ip-flags {(df | no-df);(mf | no-mf);(rb | no-rb);}protocol {match (equal | greater-than | less-than | not-equal);value transport-layer-protocol-id;}source {match (equal | greater-than | less-than | not-equal);value hostname;}tos {match (equal | greater-than | less-than | not-equal);value type-of-service-in-decimal;}total-length {match (equal | greater-than | less-than | not-equal);value length-of-ip-datagram;}ttl {match (equal | greater-than | less-than | not-equal);value time-to-live;}}tcp {ack-number {match (equal | greater-than | less-than | not-equal);value acknowledgment-number;}data-length {match (equal | greater-than | less-than | not-equal);value tcp-data-length;}destination-port {match (equal | greater-than | less-than | not-equal);value port-number;}header-length {match (equal | greater-than | less-than | not-equal);value header-length;}mss {match (equal | greater-than | less-than | not-equal);value maximum-segment-size;}option {match (equal | greater-than | less-than | not-equal);value 
tcp-option;}sequence-number {match (equal | greater-than | less-than | not-equal);value sequence-number;}source-port {match (equal | greater-than | less-than | not-equal);value port-number;}tcp-flags {(ack | no-ack);(fin | no-fin);(psh | no-psh);(r1 | no-r1);(r2 | no-r2);(rst | no-rst);(syn | no-syn);(urg | no-urg);}urgent-pointer {match (equal | greater-than | less-than | not-equal);value urgent-pointer;}window-scale {match (equal | greater-than | less-than | not-equal);value window-scale-factor;}window-size {match (equal | greater-than | less-than | not-equal);value window-size;}}udp {data-length {match (equal | greater-than | less-than | not-equal);value udp-data-length;}destination-port {match (equal | greater-than | less-than | not-equal);value port-number;}source-port {match (equal | greater-than | less-than | not-equal);value port-number;}}}}}}} idp {idp-policy policy-name {rulebase-exempt {rule rule-name {description text;match {attacks {custom-attack-groups [ group-names ];custom-attacks [ attack-names ];dynamic-attack-groups [ group-names ];predefined-attack-groups [ group-names ];predefined-attacks [ attack-names ];}destination-address [ names ];destination-except [ names ];from-zone zone-name;source-address [ names ];source-except [ names ];to-zone zone-name;}}}rulebase-ips {rule rule-name {description text;match {application application-name;attacks {custom-attack-groups [ group-names ];custom-attacks [ attack-names ];dynamic-attack-groups [ group-names ];predefined-attack-groups [ group-names ];predefined-attacks [ attack-names ];}destination-address [ addresses ];destination-except [ addresses ];from-zone zone-name;source-address [ addresses ];source-except [ addresses ];to-zone zone-name;}terminal;then {action {(close-client | close-client-and-server | close-server |
drop-connection | drop-packet | ignore-connection |
mark-diffserv value | no-action |
recommended);}ip-action {(ip-block | ip-close | ip-notify);log;target (destination-address | service | source-address |
source-zone | zone-service);timeout seconds;}notification {log-attacks {alert;}}severity (critical | info | major | minor | warning);}}}}} idp {sensor-configuration {application-identification {disable;(application-system-cache | no-application-system-cache);application-system-cache-timeout value;max-packet-memory value;max-sessions value;max-tcp-session-packet-memory value;max-udp-session-packet-memory value;}detector {protocol-name protocol-name {tunable-name tunable-name {tunable-value value;}}}flow {(allow-icmp-without-flow | no-allow-icmp-without-flow);fifo-max-size value;hash-table-size bytes;(log-errors | no-log-errors);max-timers-poll-ticks value;reject-timeout value;(reset-on-policy | no-reset-on-policy);udp-anticipated-timeout value;}global {(enable-all-qmodules | no-enable-all-qmodules);(enable-packet-pool | no-enable-packet-pool);memory-limit-percent percentage;(policy-lookup-cache | no-policy-lookup-cache);}ips {(detect-shellcode | no-detect-shellcode);fifo-max-size value;(ignore-regular-expression | no-ignore-regular-expression);log-supercede-min minimum-value;(pre-filter-shellcode | no-pre-filter-shellcode);(process-ignore-s2c | no-process-ignore-s2c);(process-override | no-process-override);process-port port-number;}log {cache-size size;suppression {disable;(include-destination-address | no-include-destination-address);max-logs-operate value;max-time-report value;start-log value;}}re-assembler {(ignore-memory-overflow | no-ignore-memory-overflow);ignore-reassembly-overflow;max-flow-mem value;max-packet-mem value;}}}}