rule
This command configures the IDS Rule table, which lets you define IDS rules. The table is a child of the IDS Policies table.
Syntax
(config-voip)# ids policy <Index>
(policy-<Index>)# ids rule <Index>
(rule-<Index>/<Index>)#
Command | Description
---|---
Index | Defines the table row index.
critical-alrm-thr | Defines the threshold that, if crossed, causes a critical severity alarm to be sent.
deny-period | Defines the duration (in seconds) to keep the attacker on the blacklist, if blacklisting is configured using deny-thr.
deny-thr | Defines the threshold that, if crossed, causes the device to block (blacklist) the remote host (attacker).
major-alrm-thr | Defines the threshold that, if crossed, causes a major severity alarm to be sent.
minor-alrm-thr | Defines the threshold that, if crossed, causes a minor severity alarm to be sent.
reason {abnormal-flow\|any\|auth-failure\|connection-abuse\|establish-fail\|malformed-msg} | Defines the type of intrusion attack.
threshold-scope {global\|ip\|ip-port} | Defines the source of the attacker to consider in the device's detection count.
threshold-window | Defines the threshold interval (in seconds) during which the device counts the attacks to check if a threshold is crossed.
Command Mode
Privileged User
Example
This example configures the following IDS policy rule: if 15 malformed SIP messages are received within a period of 30 seconds, a minor alarm is sent. Every 30 seconds, the rule's counters are cleared. If more than 25 malformed SIP messages are received within this period, the device blacklists the remote IP host from which the messages were received for 60 seconds:
(config-voip)# ids policy 0
(policy-0)# ids rule 1
(rule-0/1)# reason malformed-msg
(rule-0/1)# threshold-scope ip
(rule-0/1)# threshold-window 30
(rule-0/1)# deny-thr 25
(rule-0/1)# deny-period 60
(rule-0/1)# minor-alrm-thr 15
(rule-0/1)# major-alrm-thr 20
(rule-0/1)# critical-alrm-thr 25
(rule-0/1)# activate
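The following Python model is an added illustration of how the rule parameters above interact; it is not AudioCodes device code and does not reflect the firmware's actual implementation. It replays a constructed burst of malformed SIP messages against the example rule (threshold-window 30, minor/major/critical 15/20/25, deny-thr 25, deny-period 60, scope ip) and shows when each alarm and the blacklist action would fire. Three behaviours are assumptions, labelled in the code: counting windows are fixed intervals aligned to time zero, each alarm fires once when the count reaches its threshold, and traffic from a blacklisted source is dropped rather than counted.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsRule:
    """One row of the IDS Rule table; field names mirror the CLI parameters."""
    reason: str            # abnormal-flow|any|auth-failure|connection-abuse|establish-fail|malformed-msg
    threshold_scope: str   # global | ip | ip-port
    threshold_window: int  # seconds; counters are cleared at the end of every window
    minor_alrm_thr: int
    major_alrm_thr: int
    critical_alrm_thr: int
    deny_thr: int
    deny_period: int       # seconds the attacker stays on the blacklist


class IdsRuleModel:
    """Hypothetical model of one rule's counting, alarm and blacklist logic."""

    def __init__(self, rule: IdsRule):
        self.rule = rule
        self.counts = defaultdict(int)  # scope key -> events seen in the current window
        self.window_id = None           # fixed window the counters currently belong to
        self.blacklist = {}             # scope key -> time the blacklist entry expires

    def _scope_key(self, src_ip, src_port):
        # threshold-scope decides what the device counts against.
        if self.rule.threshold_scope == "global":
            return "global"
        if self.rule.threshold_scope == "ip":
            return src_ip
        return f"{src_ip}:{src_port}"

    def observe(self, t, src_ip, src_port, reason):
        """Feed one detected event at time t; returns the actions the rule takes."""
        # Blacklist entries expire deny-period seconds after they were created.
        for key, expiry in list(self.blacklist.items()):
            if expiry <= t:
                del self.blacklist[key]
        # Assumption: counters are cleared at fixed threshold-window boundaries.
        window_id = t // self.rule.threshold_window
        if window_id != self.window_id:
            self.counts.clear()
            self.window_id = window_id
        # The rule only counts events matching its reason ("any" matches all).
        if self.rule.reason not in ("any", reason):
            return []
        key = self._scope_key(src_ip, src_port)
        if key in self.blacklist:
            # Assumption: a blacklisted source's traffic is dropped, not counted.
            return ["dropped"]
        self.counts[key] += 1
        n = self.counts[key]
        actions = []
        # Assumption: each alarm fires once, when the count reaches its threshold.
        if n == self.rule.minor_alrm_thr:
            actions.append("minor-alarm")
        if n == self.rule.major_alrm_thr:
            actions.append("major-alarm")
        if n == self.rule.critical_alrm_thr:
            actions.append("critical-alarm")
        if n == self.rule.deny_thr:
            self.blacklist[key] = t + self.rule.deny_period
            actions.append("deny")
        return actions


# The rule from the CLI example on this page.
EXAMPLE_RULE = IdsRule("malformed-msg", "ip", 30, 15, 20, 25, 25, 60)


def replay_example():
    """Replays a constructed trace against EXAMPLE_RULE and records what fires."""
    model = IdsRuleModel(EXAMPLE_RULE)
    fired = {}
    # Constructed trace: 10.0.0.5 sends one malformed SIP message per second for 25 s.
    for t in range(25):
        acts = model.observe(t, "10.0.0.5", 5060, "malformed-msg")
        if acts:
            fired[t] = acts
    fired["blocked_at_25"] = model.observe(25, "10.0.0.5", 5060, "malformed-msg")
    # Another host is counted separately (scope ip); a different reason is ignored.
    fired["other_host_at_26"] = model.observe(26, "10.0.0.6", 5060, "malformed-msg")
    fired["wrong_reason_at_27"] = model.observe(27, "10.0.0.7", 5060, "auth-failure")
    # At t=85 the 60 s deny-period (set at t=24) has expired and a new window started.
    fired["after_deny_period_at_85"] = model.observe(85, "10.0.0.5", 5060, "malformed-msg")
    fired["count_after_85"] = model.counts["10.0.0.5"]
    return fired


if __name__ == "__main__":
    for when, what in replay_example().items():
        print(when, what)
```

Running it shows the minor alarm on the 15th message (t=14), the major alarm on the 20th, and the critical alarm together with the deny action on the 25th; the 26th message is dropped, and the host is counted again from zero once the deny-period has elapsed and a new window has begun.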