User's Manual 150 Document #: LTRT-42060
Mediant 2600 E-SBC
Parameter Description
following syntax is supported:
A comma-separated list of Proxy Set IDs (e.g., 1,3,4)
A hyphen "-" indicates a range of Proxy Sets (e.g., 3,4-7 means
IDs 3, and 4 through 7)
A prefix of an exclamation mark "!"
means negation of the set (e.g.,
!3,4-7 means all indexes excluding 3, and excluding 4 through 7)
Notes:
Only the IP address of the Proxy Set is considered (not port).
If a Proxy Set has multiple IP addresses, the device considers the
Proxy Set as one entity and includes all its IP addresses in the
same IDS count.
Subnet
CLI: subnet
[IDSMatch_Subnet]
Defines the subnet to which the IDS Policy is assigned. This indicates
the subnets from where the attacks are coming from. The following
syntax can be used:
Basic syntax is a subnet in CIDR notation (e.g., 10.1.0.0/16 means
all sources with IP address in the range 10.1.0.0–10.1.255.255)
An IP address can be specified without the prefix length to refer to
the specific IP address.
Each subnet can be negated by prefixing it with "!", which means
all IP addresses outside that subnet.
Multiple subnets can be specified by separating them with "&"
(and) or "|" (or) operations. For example:
10.1.0.0/16 | 10.2.2.2: includes subnet 10.1.0.0/16 and IP
address 10.2.2.2.
!10.1.0.0/16 & !10.2.2.2: includes all addresses except those
of subnet 10.1.0.0/16 and IP address 10.2.2.2. Note that the
exclamation mark "!" appears before each subnet.
10.1.0.0/16 & !10.1.1.1: includes subnet 10.1.0.0/16, except IP
Policy
CLI: policy
[IDSMatch_Policy]
Assigns an IDS Policy (configured in ''Configuring IDS Policies'' on
page 145).
13.3.4 Viewing IDS Alarms
For the IDS feature, the device sends the following SNMP traps:
Traps that notify the detection of malicious attacks:
• acIDSPolicyAlarm: The device sends this alarm whenever a threshold of a
specific IDS Policy rule is crossed. The trap displays the crossed severity
threshold (Minor or Major), IDS Policy and IDS Rule, and the IDS Policy-Match
index.
• acIDSThresholdCrossNotification: The device sends this event for each scope
(IP address) that crosses the threshold. In addition to the crossed severity
threshold (Minor or Major) of the IDS Policy-Match index, this event shows the IP
address (or IP address:port) of the malicious attacker.
If the severity level is raised, the alarm of the former severity is cleared and the
device sends a new alarm with the new severity. The alarm is cleared after a
user-defined period (configured by the ini file parameter, IDSAlarmClearPeriod)
during which no thresholds have been crossed. However, this "quiet" period must
be at least twice the 'Threshold Window' value (configured in ''Configuring IDS
Policies'' on page 145). For example, if you set IDSAlarmClearPeriod to 20 sec
To Next Page
Loading...
Need help?
General
