3.46. IntrusionPrevention

Description

Intrusion Prevention provides in-depth screening of packet content for both intruder detection and prevention purposes.

Properties

Comments
Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.46.1. IPSRule

Description

An IPS Rule defines a filter for matching specific network traffic. When the filter criterion is met, the IPS Rule Actions are evaluated and possible actions are taken.

Properties

Name
Specifies a symbolic name for the IPS rule. (Optional)
SourceInterface
Specifies the name of the receiving interface to be compared to the received packet.
DestinationInterface
Specifies the destination interface to be compared to the received packet.
SourceNetwork
Specifies the span of IP addresses to be compared to the source of the received packet.
DestinationNetwork
Specifies the span of IP addresses to be compared to the destination of the received packet.
Service
Specifies a service that will be used as a filter parameter when matching traffic with this rule.
URIInvalidUTF8
Specifies the action taken if an invalid UTF8 URI is found. (Default: DropLog)
URIInvalidHEX
Specifies the action taken if a URI with invalid HEX encoding is found. (Default: DropLog)
URIDoubleEnc
Specifies the action taken if a double-encoded URI is found. (Default: Ignore)
ScanLimit
Enables the scan limit, i.e. IPS scanning stops after a defined number of bytes, so data beyond that point is not inspected. Consult the admin guide regarding the risks of turning this option on. (Default: No)
ScanLimitBytes
Stop IPS scanning after this many bytes. (Default: 800)
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.46.1.1. IPSRuleAction

Description

An IPS Rule Action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found.

Properties

Action
Specifies the action taken if a matching signature is found. (Default: Protect)
LogSeverity
Specifies the severity used for log messages if the action type allows logging. (Default: Warning)
SignatureCategory
Specifies what signature categories should be included. "*" is supported. (Optional)
SignatureGroup
Specifies the configured signature groups to be included. (Optional)
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.46.2. IPSSignatureGroup

Description

An IPS Signature Group specifies a set of signatures according to filters. The signatures are filtered in the following way: (IncludeVendorSignature OR IncludeCustomSignature OR IncludeSignatureGroup OR IncludeCategory) AND FilterByCVE AND FilterBySeverity AND FilterByString AND CreatedAfter.

Properties

Name
Specifies a symbolic name for the IPS signature group. (Identifier)
IncludeVendorSignature
Includes the signatures based on vendor signature identifier (SID). (Optional)
IncludeCustomSignature
Includes the signatures based on custom signature identifier (SID). (Optional)
IncludeSignatureGroup
Includes one or more signature groups in the group. (Optional)
IncludeCategory
Includes the signatures from the specified categories. "*" is supported. (Optional)
FilterByCVE
Filters selected signatures based on a defined CVE ID. (Optional)
FilterBySeverity
Filters selected signatures based on severity level. (Optional)
FilterByString
Filters selected signatures by searching for a specific string in the signature message and content. (Optional)
CreatedAfter
Filters selected signatures based on whether the signature creation date is newer than the defined date. (Optional)
Comments
Text describing the current object. (Optional)
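
The filter expression in the IPSSignatureGroup description, modelled in Python as an added example (not code from the product or its documentation). The signature fields, SIDs, category names, severity values and CVE labels are constructed placeholders; it assumes that an unset filter passes every signature, that "*" behaves like a shell-style wildcard, and that the message text stands in for "message and content". IncludeSignatureGroup is left out.

```python
from dataclasses import dataclass, field
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Signature:  # constructed model, not the product's signature format
    sid: int
    category: str
    severity: str
    message: str
    created: date
    cves: tuple = ()
    custom: bool = False

@dataclass
class SignatureGroup:
    vendor_sids: set = field(default_factory=set)   # IncludeVendorSignature
    custom_sids: set = field(default_factory=set)   # IncludeCustomSignature
    categories: list = field(default_factory=list)  # IncludeCategory, "*" allowed
    by_cve: Optional[str] = None                    # FilterByCVE
    by_severity: Optional[set] = None               # FilterBySeverity
    by_string: Optional[str] = None                 # FilterByString
    created_after: Optional[date] = None            # CreatedAfter

    def included(self, s):  # OR stage: any Include* property selects the signature
        return ((not s.custom and s.sid in self.vendor_sids)
                or (s.custom and s.sid in self.custom_sids)
                or any(fnmatchcase(s.category, p) for p in self.categories))

    def passes_filters(self, s):  # AND stage; assumption: an unset filter passes all
        return ((self.by_cve is None or self.by_cve in s.cves)
                and (self.by_severity is None or s.severity in self.by_severity)
                and (self.by_string is None or self.by_string.lower() in s.message.lower())
                and (self.created_after is None or s.created > self.created_after))

    def select(self, sigs):
        return [s.sid for s in sigs if self.included(s) and self.passes_filters(s)]

SAMPLE = [  # constructed signatures; SIDs, categories and CVE labels are placeholders
    Signature(1001, "EXAMPLE_WEB_A", "high", "web overflow", date(2023, 5, 1), ("CVE-EXAMPLE-1",)),
    Signature(1002, "EXAMPLE_WEB_B", "low", "example web probe", date(2021, 1, 1)),
    Signature(1003, "EXAMPLE_MAIL_A", "high", "example mail overflow", date(2023, 6, 1)),
    Signature(9001, "EXAMPLE_LOCAL", "high", "local custom rule", date(2024, 1, 1), custom=True),
]

def demo():
    group = SignatureGroup(categories=["EXAMPLE_WEB_*"], custom_sids={9001},
                           by_severity={"high"}, created_after=date(2022, 1, 1))
    return group.select(SAMPLE)  # [1001, 9001]
```

Because the filters are ANDed onto the whole include stage, a signature listed explicitly by SID is still dropped when it fails a filter, which is worth checking when a group is expected to cover a specific signature.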