
[edit security idp] Hierarchy Level

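# [edit security idp] statement hierarchy reference (Junos OS), reflowed from a
# collapsed single-line listing into one sub-hierarchy per section.
# Notation: (a | b) are alternatives, [ ... ] are lists, and placeholders such as
# policy-name / value are user-supplied; "... appears after ..." lines point at the
# sub-hierarchies listed further down this page. This is a grammar reference, not
# a configuration to paste. Review notes flag statements that widen or narrow what
# the IDP sensor inspects, logs or blocks, and the places where the collapsed
# source had a closing brace in the wrong position.

# ---- [edit security idp] ------------------------------------------------------
security {
    idp {
        # The single policy the sensor enforces (defined under idp-policy below).
        active-policy policy-name;
        application-ddos application-name {
            connection-rate-threshold number;
            context context-name {
                # Exclusions are regular expressions; an over-broad pattern silently
                # removes those context values from rate counting.
                exclude-context-values [ regular-expressions ];
                hit-rate-threshold number;
                max-context-values number;
                time-binding-count number;
                time-binding-period seconds;
                value-hit-rate-threshold seconds;
            }
            service (service-name | dns | http);
        }
        custom-attack {
            ... the custom-attack subhierarchy appears after the main [edit security idp] hierarchy ...
        }
        custom-attack-group group-name {
            group-members [ group-and-attack-names ];
        }
        # Membership of a dynamic group is derived from the filters, so it presumably
        # changes whenever the signature database is updated (see security-package);
        # verify group contents after an update rather than assuming them fixed.
        dynamic-attack-group group-name {
            filters {
                category {
                    values [ values ];
                }
                direction {
                    values [ any client-to-server exclude-any exclude-client-to-server exclude-server-to-client server-to-client ];
                }
                # Including 'frequently' admits signatures known to false-positive often.
                false-positives {
                    values [ frequently occasionally rarely unknown ];
                }
                performance {
                    values [ fast normal slow unknown ];
                }
                products {
                    values [ values ];
                }
                # Restricts the group to attacks carrying the recommended flag.
                recommended;
                service {
                    values [ values ];
                }
                severity {
                    values [ critical info major minor warning ];
                }
                type {
                    values [ anomaly signature ];
                }
            }
        }
        idp-policy policy-name {
            ... the idp-policy subhierarchy appears after the main [edit security idp] hierarchy ...
        }
        # Signature database download and install. The device trusts whatever it
        # fetches from url, so keep it pointed at the vendor's endpoint and control
        # who can change this statement.
        security-package {
            automatic {
                download-timeout minutes;
                enable;
                interval hours;
                start-time MM-DD.hh:mm;
            }
            install {
                # NOTE(review): bypasses the version compatibility check on install;
                # confirm what a mismatched package does before enabling this.
                ignore-version-check;
            }
            url url;
        }
        sensor-configuration {
            ... the sensor-configuration subhierarchy appears after the main [edit security idp] hierarchy ...
        }
        # Trace files can record details of inspected traffic; prefer
        # no-world-readable so other local users cannot read them, and
        # no-remote-trace keeps tracing on the device.
        # NOTE(review): the collapsed source closed traceoptions before flag, level
        # and no-remote-trace; they are traceoptions statements and sit inside it.
        traceoptions {
            file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
            flag all;
            level severity;
            no-remote-trace;
        }
    }
}

# ---- [edit security idp custom-attack attack-name] ----------------------------
idp {
    custom-attack attack-name {
        attack-type {
            ... the attack-type subhierarchy appears after the main [edit security idp custom-attack attack-name] hierarchy level ...
        }
        # Presumably the action taken when an ips rule uses 'then action recommended';
        # 'ignore' and 'none' leave the session untouched.
        recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);
        severity (critical | info | major | minor | warning);
        # The attack fires only once count is reached within the chosen scope
        # (per source, per destination, or per source/destination pair — confirm).
        time-binding {
            count count-value;
            scope (destination | peer | source);
        }
    }
}

# ---- [edit security idp custom-attack attack-name attack-type] ----------------
custom-attack attack-name {
    attack-type {
        anomaly {
            direction (any | client-to-server | server-to-client);
            service service-name;
            # Spelled 'shellcode' here and 'shell-code' under signature in this source.
            shellcode (all | intel | no-shellcode | sparc);
            test test-condition;
        }
        # A chain matches when the boolean expression over its members is true;
        # 'order' presumably requires members to match in the listed order and
        # 'reset' restarts matching after a hit — confirm against the statement docs.
        chain {
            expression boolean-expression;
            member member-name {
                attack-type {
                    anomaly {
                        ... same statements as at the [edit security idp custom-attack attack-name attack-type anomaly] hierarchy level ...
                    }
                    signature {
                        ... same statements as at the [edit security idp custom-attack attack-name attack-type signature] hierarchy level EXCEPT FOR ...
                        protocol-binding {...}    # NOT valid at this level
                    }
                }
            }
            order;
            protocol-binding {
                application application-name;
                icmp;
                ip {
                    protocol-number transport-layer-protocol-number;
                }
                nested-application application-name;
                rpc {
                    program-number rpc-program-number;
                }
                tcp {
                    minimum-port port-number maximum-port port-number;
                }
                udp {
                    minimum-port port-number maximum-port port-number;
                }
            }
            reset;
            scope (session | transaction);
        }
        signature {
            context context-name;
            direction (any | client-to-server | server-to-client);
            # negate inverts the pattern match; with a broad pattern it fires on
            # nearly all traffic, so test it on a mirror before enforcing.
            negate;
            pattern signature-pattern;
            protocol {
                ... the protocol subhierarchy appears after the main [edit security idp custom-attack attack-name attack-type signature] hierarchy level ...
            }
            protocol-binding {
                ... same statements as at the [edit security idp custom-attack attack-name attack-type chain protocol-binding] hierarchy level ...
            }
            # Custom regular expressions are evaluated on live traffic; an unanchored
            # or heavily backtracking expression can load the sensor itself.
            regexp regular-expression;
            shell-code (all | intel | no-shellcode | sparc);
        }
    }
}

# ---- [edit security idp custom-attack attack-name attack-type signature protocol] ----
# Header-field matches for signature attacks. Every field takes a comparison
# operator plus a value; a signature with no pattern and only a loose header
# match (e.g. ttl less-than 255) will match most traffic.
signature {
    protocol {
        icmp {
            code {
                match (equal | greater-than | less-than | not-equal);
                value code-value;
            }
            data-length {
                match (equal | greater-than | less-than | not-equal);
                value data-length;
            }
            identification {
                match (equal | greater-than | less-than | not-equal);
                value identification-value;
            }
            sequence-number {
                match (equal | greater-than | less-than | not-equal);
                value sequence-number;
            }
            type {
                match (equal | greater-than | less-than | not-equal);
                value type-value;
            }
        }
        ip {
            destination {
                match (equal | greater-than | less-than | not-equal);
                value hostname;
            }
            identification {
                match (equal | greater-than | less-than | not-equal);
                value identification-value;
            }
            ip-flags (df | no-df) (mf | no-mf) (rb | no-rb);
            protocol {
                match (equal | greater-than | less-than | not-equal);
                value transport-layer-protocol-id;
            }
            source {
                match (equal | greater-than | less-than | not-equal);
                value hostname;
            }
            tos {
                match (equal | greater-than | less-than | not-equal);
                value type-of-service-in-decimal;
            }
            total-length {
                match (equal | greater-than | less-than | not-equal);
                value length-of-ip-datagram;
            }
            ttl {
                match (equal | greater-than | less-than | not-equal);
                value time-to-live;
            }
        }
        tcp {
            ack-number {
                match (equal | greater-than | less-than | not-equal);
                value acknowledgment-number;
            }
            data-length {
                match (equal | greater-than | less-than | not-equal);
                value tcp-data-length;
            }
            destination-port {
                match (equal | greater-than | less-than | not-equal);
                value port-number;
            }
            header-length {
                match (equal | greater-than | less-than | not-equal);
                value header-length;
            }
            mss {
                match (equal | greater-than | less-than | not-equal);
                value maximum-segment-size;
            }
            option {
                match (equal | greater-than | less-than | not-equal);
                value tcp-option;
            }
            sequence-number {
                match (equal | greater-than | less-than | not-equal);
                value sequence-number;
            }
            source-port {
                match (equal | greater-than | less-than | not-equal);
                value port-number;
            }
            tcp-flags (ack | no-ack) (fin | no-fin) (psh | no-psh) (r1 | no-r1) (r2 | no-r2) (rst | no-rst) (syn | no-syn) (urg | no-urg);
            # NOTE(review): the collapsed source closed tcp right after tcp-flags;
            # urgent-pointer, window-scale and window-size are TCP header fields and
            # are listed inside tcp here.
            urgent-pointer {
                match (equal | greater-than | less-than | not-equal);
                value urgent-pointer;
            }
            window-scale {
                match (equal | greater-than | less-than | not-equal);
                value window-scale-factor;
            }
            window-size {
                match (equal | greater-than | less-than | not-equal);
                value window-size;
            }
        }
        udp {
            data-length {
                match (equal | greater-than | less-than | not-equal);
                value udp-data-length;
            }
            destination-port {
                match (equal | greater-than | less-than | not-equal);
                value port-number;
            }
            source-port {
                match (equal | greater-than | less-than | not-equal);
                value port-number;
            }
        }
    }
}

# ---- [edit security idp idp-policy policy-name] --------------------------------
idp {
    idp-policy policy-name {
        rulebase-ddos {
            rule rule-name {
                description text;
                # NOTE(review): the collapsed source placed the address/zone match
                # fields inside application-ddos and then 'then' inside match; the
                # brace count only balances with the layout shown here.
                match {
                    application (application-name | any | default);
                    application-ddos {
                        (application-name | adp);
                    }
                    destination-address [ any names ];
                    destination-except [ names ];
                    from-zone (zone-name | any);
                    source-address [ names ];
                    source-except [ names ];
                    to-zone zone-name;
                }
                then {
                    action {
                        (close-server | drop-connection | drop-packet | no-action);
                    }
                    # ip-action keeps acting on later traffic for timeout seconds,
                    # not just on the matched session; bound the timeout.
                    ip-action {
                        (ip-block | ip-close | ip-connection-rate-limit connections-per-second | ip-notify);
                        log;
                        timeout seconds;
                    }
                    notification {
                        log-attacks {
                            alert;
                        }
                    }
                }
            }
        }
        # Exempt rules have no 'then' clause: traffic matching here is simply not
        # checked against the listed attacks. Scope source and destination tightly;
        # 'any' on both sides exempts the attack for the whole zone pair.
        rulebase-exempt {
            rule rule-name {
                description text;
                match {
                    attacks {
                        custom-attack-groups [ group-names ];
                        custom-attacks [ attack-names ];
                        dynamic-attack-groups [ group-names ];
                        predefined-attack-groups [ group-names ];
                        predefined-attacks [ attack-names ];
                    }
                    destination-address [ any names ];
                    destination-except [ names ];
                    from-zone zone-name;
                    source-address [ any names ];
                    source-except [ names ];
                    to-zone zone-name;
                }
            }
        }
        rulebase-ips {
            rule rule-name {
                description text;
                match {
                    application application-name;
                    attacks {
                        custom-attack-groups [ group-names ];
                        custom-attacks [ attack-names ];
                        dynamic-attack-groups [ group-names ];
                        predefined-attack-groups [ group-names ];
                        predefined-attacks [ attack-names ];
                    }
                    destination-address [ any addresses ];
                    destination-except [ addresses ];
                    from-zone zone-name;
                    source-address [ any addresses ];
                    source-except [ addresses ];
                    to-zone zone-name;
                }
                # Presumably stops evaluation of later rules once this one matches,
                # so a terminal rule with a loose match shadows everything below it.
                terminal;
                then {
                    # no-action and ignore-connection leave the flow alone;
                    # mark-diffserv re-marks rather than blocks; recommended defers
                    # to each attack's recommended-action.
                    action {
                        (close-client | close-client-and-server | close-server | drop-connection | drop-packet | ignore-connection | mark-diffserv value | no-action | recommended);
                    }
                    # Blocks or rate-limits future traffic by the chosen target for
                    # timeout seconds. With target source-address, traffic that spoofs
                    # a third party's source can get that address blocked — keep the
                    # timeout short and prefer a narrower target where it suffices.
                    ip-action {
                        (ip-block | ip-close | ip-connection-rate-limit connections-per-second | ip-notify);
                        log;
                        target (destination-address | service | source-address | source-zone | zone-service);
                        timeout seconds;
                    }
                    notification {
                        log-attacks {
                            alert;
                        }
                        # Captured packets carry the attack payload; see
                        # sensor-configuration packet-log for where they are sent.
                        packet-log {
                            pre-attack packets;
                            post-attack packets;
                            post-attack-timeout seconds;
                        }
                    }
                    severity (critical | info | major | minor | warning);
                }
            }
        }
    }
}

# ---- [edit security idp sensor-configuration] ----------------------------------
idp {
    sensor-configuration {
        application-identification {
            disable;
            (application-system-cache | no-application-system-cache);
            application-system-cache-timeout value;
            max-packet-memory value;
            max-sessions value;
            max-tcp-session-packet-memory value;
            max-udp-session-packet-memory value;
        }
        application-ddos {
            statistics {
                # NOTE(review): shown as 'interval minutes {}' in the collapsed
                # source; interval is a leaf statement taking a value in minutes.
                interval minutes;
            }
        }
        detector {
            protocol-name protocol-name {
                tunable-name tunable-name {
                    tunable-value value;
                }
            }
        }
        flow {
            (allow-icmp-without-flow | no-allow-icmp-without-flow);
            fifo-max-size value;
            hash-table-size bytes;
            (log-errors | no-log-errors);
            max-timers-poll-ticks value;
            reject-timeout value;
            (reset-on-policy | no-reset-on-policy);
            udp-anticipated-timeout value;
        }
        global {
            (enable-all-qmodules | no-enable-all-qmodules);
            (enable-packet-pool | no-enable-packet-pool);
            gtp {
                (decapsulation | no-decapsulation);
            }
            # NOTE(review): confirm what happens to new sessions once this memory
            # limit is reached (inspected, passed uninspected, or dropped).
            memory-limit-percent percentage;
            (policy-lookup-cache | no-policy-lookup-cache);
        }
        # no-detect-shellcode, ignore-regular-expression and process-ignore-s2c
        # each appear to switch off a class of inspection; treat changing them as
        # a reduction in coverage, not a tuning knob.
        ips {
            (detect-shellcode | no-detect-shellcode);
            fifo-max-size value;
            (ignore-regular-expression | no-ignore-regular-expression);
            log-supercede-min minimum-value;
            (process-ignore-s2c | no-process-ignore-s2c);
            (process-override | no-process-override);
            process-port port-number;
        }
        log {
            cache-size size;
            # Suppression collapses repeated attack logs; disabling it during a flood
            # can itself swamp the log path. include-destination-address presumably
            # keeps logs for different targets from being merged — confirm.
            suppression {
                disable;
                (include-destination-address | no-include-destination-address);
                max-logs-operate value;
                max-time-report value;
                start-log value;
            }
        }
        # Captured attack packets are exported to this collector; limit which hosts
        # can reach it and who can read the captures. source-address is presumably
        # the address the sensor sends from.
        packet-log {
            host {
                ip-address;
                port port-number;
            }
            max-sessions percentage;
            session-npkt value;
            source-address ip-address;
            total-memory percentage;
        }
        # NOTE(review): the ignore-*-overflow knobs decide behaviour when
        # reassembly memory is exhausted; confirm whether the chosen setting fails
        # open (traffic passes uninspected) or fails closed before tuning them.
        re-assembler {
            (ignore-memory-overflow | no-ignore-memory-overflow);
            (ignore-reassembly-memory-overflow | no-ignore-reassembly-memory-overflow);
            ignore-reassembly-overflow;
            max-flow-mem value;
            max-packet-mem value;
        }
        # Number of SSL sessions the sensor will inspect; decrypting them depends on
        # key material configured outside this hierarchy — confirm where.
        ssl-inspection {
            sessions number;
        }
    }
}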

Published: 2010-04-28