Assigning IDS Policies

The IDS Matches table lets you implement your configured IDS Policies. You do this by assigning IDS Policies to any one, or a combination, of the following configuration entities:

SIP Interface: For detection of malicious attacks on specific SIP Interface(s). To configure SIP Interfaces, see Configuring SIP Interfaces.
Proxy Sets: For detection of malicious attacks from specified Proxy Set(s). To configure Proxy Sets, see Configuring Proxy Sets.
Subnet addresses: For detection of malicious attacks from specified subnet addresses.

You can configure up to 20 IDS Policy-Matching rules.

The following procedure describes how to configure the IDS Matches table through the Web interface. You can also configure it through the ini file [IDSMatch] or the CLI (configure voip > ids match).

To configure an IDS Policy-Matching rule:
1. Open the IDS Matches table (Setup menu > Signaling & Media tab > Intrusion Detection folder > IDS Matches).
2. Click New; the following dialog box appears:

The figure above shows a configuration example where the IDS Policy "SIP Trunk" is applied to SIP Interfaces 1 and 2, and to all source IP addresses outside of subnet 10.1.0.0/16 and IP address 10.2.2.2.

3. Configure a rule according to the parameters described in the table below.
4. Click Apply, and then save your settings to flash memory.

IDS Matches Table Parameter Descriptions

Parameter

Description

'Index' / [Index]

Defines an index number for the new table record.

'SIP Interface IDs' / sip-interface / [SIPInterface]

Assigns one or more SIP Interfaces to the IDS Policy. This indicates the SIP Interfaces that are being attacked.

The valid value is the ID of the SIP Interface. The following syntax is supported:

A comma-separated list of SIP Interface IDs (e.g., 1,3,4)
A hyphen (-) indicates a range of SIP Interfaces (e.g., 3,4-7 means IDs 3, and 4 through 7)
A prefix of an exclamation mark (!) means negation of the set (e.g., !3,4-7 means all indexes excluding 3, and excluding 4 through 7)

'Proxy Set IDs' / proxy-set / [ProxySet]

Assigns one or more Proxy Sets to the IDS Policy. This indicates the Proxy Sets from which the attacks are coming. The following syntax is supported:

A comma-separated list of Proxy Set IDs (e.g., 1,3,4)
A hyphen (-) indicates a range of Proxy Sets (e.g., 3,4-7 means IDs 3, and 4 through 7)
A prefix of an exclamation mark (!) means negation of the set (e.g., !3,4-7 means all indexes excluding 3, and excluding 4 through 7)

Note:

Only the IP address of the Proxy Set is considered (not port).
If a Proxy Set has multiple IP addresses, the device considers the Proxy Set as one entity and includes all its IP addresses in the same IDS count.

'Subnet' / subnet / [Subnet]

Defines the subnet to which the IDS Policy is assigned. This indicates the subnets from which the attacks are coming. The following syntax can be used:

Basic syntax is a subnet in CIDR notation (e.g., 10.1.0.0/16 means all sources with IP address in the range 10.1.0.0–10.1.255.255)
An IP address can be specified without the prefix length to refer to the specific IP address.
Each subnet can be negated by prefixing it with (!), which means all IP addresses outside that subnet.
Multiple subnets can be specified by separating them with "&" (and) or "|" (or) operations (without quotation marks), for example:
10.1.0.0/16 | 10.2.2.2: includes subnet 10.1.0.0/16 and IP address 10.2.2.2.
!10.1.0.0/16 & !10.2.2.2: includes all addresses except those of subnet 10.1.0.0/16 and IP address 10.2.2.2. Note that the exclamation mark (!) appears before each subnet.
10.1.0.0/16 & !10.1.1.1: includes subnet 10.1.0.0/16, except IP address 10.1.1.1.

'Policy' / policy / [Policy]

Assigns an IDS Policy (configured in Configuring IDS Policies).
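
The ID-list and Subnet syntax described in the table above can be checked offline against known source addresses before a rule is applied. The following Python sketch is an added example, not vendor code: the function names are hypothetical, and because this page does not state the precedence of & and |, the sketch rejects Subnet expressions that mix them.

```python
import ipaddress

def id_matches(spec, candidate):
    """True if an ID is selected by a spec such as '1,3,4', '3,4-7' or '!3,4-7'."""
    spec = spec.strip()
    negated = spec.startswith("!")          # '!' negates the whole set
    ids = set()
    for part in spec.lstrip("!").split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return (candidate in ids) != negated

def subnet_matches(expr, source_ip):
    """True if source_ip is selected by a Subnet expression."""
    if "&" in expr and "|" in expr:
        # Assumption of this sketch: precedence is not documented, so do not guess.
        raise ValueError("expression mixes & and |: " + expr)
    op = "&" if "&" in expr else "|"
    addr = ipaddress.ip_address(source_ip)
    results = []
    for term in expr.split(op):
        term = term.strip()
        negated = term.startswith("!")
        # A bare IP address parses as a single-host network; strict=True
        # rejects typos such as 10.1.1.1/16 (host bits set).
        net = ipaddress.ip_network(term.lstrip("!").strip(), strict=True)
        results.append((addr in net) != negated)
    return all(results) if op == "&" else any(results)

if __name__ == "__main__":
    # Constructed source addresses checked against the page's three examples.
    exprs = ["10.1.0.0/16 | 10.2.2.2", "!10.1.0.0/16 & !10.2.2.2", "10.1.0.0/16 & !10.1.1.1"]
    for ip in ["10.1.1.1", "10.1.200.7", "10.2.2.2", "192.0.2.10"]:
        print(ip, [subnet_matches(e, ip) for e in exprs])
    print("ID 5 in '!3,4-7':", id_matches("!3,4-7", 5))
```

Running such a check over a list of trusted addresses (for example, your own SIP trunk peers) shows whether a negated expression unintentionally places them inside or outside the rule.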