Examples: Configuring IDS Rules

The following configuration adds a permanent entry to the IDS anomaly table whenever it encounters a flow with the destination address 10.410.6.2. The force-entry action pins the entry in the table so it is not aged out, and a logging threshold of 1 with syslog means every such flow is logged. The default term catches all other traffic and aggregates it in the table by /24 source prefix instead of recording individual source addresses:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            destination-address 10.410.6.2/32;
        }
        then {
            force-entry;
            logging {
                threshold 1;
                syslog;
            }
        }
    }
    term default {
        then {
            aggregation {
                source-prefix 24;
            }
        }
    }
    match-direction input;
}

The IDS configuration works in conjunction with the stateful firewall and relies heavily on the anomalies reported by it: an IDS rule is applied from a service set alongside a stateful firewall rule, and it is the stateful firewall's flow tracking that detects the anomalies the IDS rule acts on. The following example ties the rule to a specific source, to two destinations (one of which is excluded with except), and to a named FTP application; when the logging threshold is reached the flow is recorded, and once more than 10 half-open connections are seen the SYN-cookie defense is enabled:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            source-address 10.30.20.2/32;
            destination-address {
                10.30.10.2/32;
                10.30.1.2/32 except;
            }
            applications appl-ftp;
        }
        then {
            force-entry;
            logging {
                threshold 5;
                syslog;
            }
            syn-cookie {
                threshold 10;
            }
        }
    }
    match-direction input;
}
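The rule above does nothing on its own: the application it references must be defined, and the rule has to be placed in a service set together with a stateful firewall rule and that service set applied to an interface. The following configuration is an added example of that surrounding wiring; it is not part of the original page. The service set name ids-sset, the stateful firewall rule name sfw-ftp, the services PIC interface sp-1/2/0 and the customer-facing interface ge-0/0/0 are assumed names chosen for illustration.

```junos
/* Added example: define the application that the IDS rule matches.
   Port and protocol are the standard FTP control channel. */
[edit applications]
application appl-ftp {
    application-protocol ftp;
    protocol tcp;
    destination-port 21;
}

/* Added example: a minimal stateful firewall rule. The IDS rule only
   sees anomalies for flows that the stateful firewall tracks, so the
   firewall must accept (and therefore track) the FTP traffic. */
[edit services stateful-firewall]
rule sfw-ftp {                      /* assumed name */
    match-direction input;
    term allow-ftp {
        from {
            applications appl-ftp;
        }
        then {
            accept;
        }
    }
    term deny-rest {
        then {
            discard;
        }
    }
}

/* Added example: bind the stateful firewall rule and the IDS rule from
   the page into one service set and run it on a services PIC. */
[edit services]
service-set ids-sset {              /* assumed name */
    stateful-firewall-rules sfw-ftp;
    ids-rules simple_ids;
    interface-service {
        service-interface sp-1/2/0; /* assumed services PIC */
    }
}

/* Added example: apply the service set to the interface that carries the
   monitored traffic. The IDS rule's match-direction input refers to the
   direction relative to this interface. */
[edit interfaces]
ge-0/0/0 {                          /* assumed interface */
    unit 0 {
        family inet {
            service {
                input {
                    service-set ids-sset;
                }
                output {
                    service-set ids-sset;
                }
            }
        }
    }
}
```

After commit, the anomaly tables the rule populates can be inspected with show services ids destination-table, show services ids source-table and show services ids pair-table; an entry for 10.30.20.2 with a non-zero count confirms the rule is matching and that force-entry is keeping the entry resident.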

The following example shows configuration of flow limits. The session-limit action caps traffic per destination, per source/destination pair and per source: maximum is the number of concurrent sessions allowed, rate is the session setup rate per second, packets is the packet rate per second, and hold-time is how long (in seconds) traffic matching the limit is dropped after a threshold is exceeded. A hold-time of 0 means the block is lifted as soon as the traffic drops back under the limit:

[edit services ids]
rule ids-all {
    match-direction input;
    term t1 {
        from {
            application-sets alg-set;
        }
        then {
            aggregation {
                destination-prefix 30; /* IDS action aggregation */
            }
            logging {
                threshold 10;
            }
            session-limit {
                by-destination {
                    hold-time 0;
                    maximum 10;
                    packets 200;
                    rate 100;
                }
                by-pair {
                    hold-time 0;
                    maximum 10;
                    packets 200;
                    rate 100;
                }
                by-source {
                    hold-time 5;
                    maximum 10;
                    packets 200;
                    rate 100;
                }
            }
        }
    }
}