ELTEX ESR-3100 - Extended User Rules Configuration Example; Eltex Distribution Manager Interaction Configuration

Default Icon
650 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
ESR series service routers.ESR-Series. User manual
496
Step 5
  Description: Specify the rule text.
  Command:     esr(config-ips-category-rule-advanced)# rule-text <LINE>
  Keys:        <CONTENT> – rule text in SNORT 2.X/Suricata 4.X format, given as a string of up to 1024 characters.
Step 6
  Description: Activate the rule.
  Command:     esr(config-ips-category-rule-advanced)# enable
13.6.8 Extended user rules configuration example
Objective:
Write a rule that detects a Slowloris-type attack.
Solution:
Create a set of user rules:
esr(config)# security ips-category user-defined ADV
Create an extended rule:
esr(config-ips-category)# rule-advanced 1
esr(config-ips-category-rule-advanced)# description "Slow Loris rule 1"
esr(config-ips-category-rule-advanced)# rule-text 'alert tcp any any -> any 80 (msg:"Possible Slowloris Attack Detected"; flow:to_server,established; content:"X-a|3a|"; distance:0; pcre:"/\d\d\d\d/"; distance:0; content:"|0d 0a|"; sid:10000001;)'
Create a second extended rule that uses a similar approach, so that the two can be compared to see which is more effective:
esr(config-ips-category)# rule-advanced 2
esr(config-ips-category-rule-advanced)# description "Slow Loris rule 2"
esr(config-ips-category-rule-advanced)# rule-text 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SlowLoris.py DoS attempt"; flow:established,to_server,no_stream; content:"X-a:"; dsize:<15; detection_filter:track by_dst, count 3, seconds 30; classtype:denial-of-service; sid: 10000002; rev:1; )'
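The quoting and length constraints on rule-text, and what the two Slowloris rules above actually look for, can be checked offline before the rules are typed into the router. The following Python script is an added example; it is not part of the Eltex manual or the ESR firmware. The rule strings are the ones from the example above, but rule_text_problem, HEADER_RE, parse_rule, payload_matches and DetectionFilter are hypothetical, simplified approximations of how a SNORT 2.X/Suricata 4.X engine treats content, pcre, dsize and detection_filter (sequential matching from the end of the previous match, no flow state, no pcre flags), and the packets in BURST and SPARSE, the address 10.0.0.5 and the host www.example.test are constructed sample data.

```python
import re
from collections import defaultdict

# The two rule-text values from the manual's example (what sits inside the single quotes).
RULE_1 = ('alert tcp any any -> any 80 (msg:"Possible Slowloris Attack Detected"; '
          'flow:to_server,established; content:"X-a|3a|"; distance:0; '
          'pcre:"/\\d\\d\\d\\d/"; distance:0; content:"|0d 0a|"; sid:10000001;)')
RULE_2 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
          '(msg:"SlowLoris.py DoS attempt"; flow:established,to_server,no_stream; '
          'content:"X-a:"; dsize:<15; detection_filter:track by_dst, count 3, seconds 30; '
          'classtype:denial-of-service; sid: 10000002; rev:1; )')
MAX_RULE_TEXT = 1024  # character limit stated in the manual's command table

def rule_text_problem(cli_arg):
    """Check a rule-text argument as typed on the ESR CLI against the manual's constraints
    (whole rule in single quotes, only double quotes inside, at most 1024 characters).
    Returns None when acceptable, otherwise a short description of the problem."""
    if len(cli_arg) < 2 or cli_arg[0] != "'" or cli_arg[-1] != "'":
        return "rule must be enclosed in single quotes"
    body = cli_arg[1:-1]
    if "'" in body:
        return "only double quotes may be used inside the rule"
    if len(body) > MAX_RULE_TEXT:
        return "rule text longer than %d characters" % MAX_RULE_TEXT
    return None

# Hypothetical header parser: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)

def parse_rule(text):
    """Split a SNORT 2.X / Suricata 4.X rule into header fields and an ordered list of
    (keyword, value) options. Splitting on ';' is enough for the manual's rules, which
    contain no escaped ';' inside quoted strings."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort/Suricata rule")
    action, proto, src, sport, direction, dst, dport, raw_opts = m.groups()
    options = []
    for item in filter(None, (s.strip() for s in raw_opts.split(';'))):
        key, _, val = item.partition(':')
        options.append((key.strip(), val.strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def decode_content(value):
    """Turn a content: value such as "X-a|3a|" or "|0d 0a|" into bytes, expanding |hex|."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split('|')):
        out.extend(bytes.fromhex(chunk) if i % 2 else chunk.encode())
    return bytes(out)

def payload_matches(rule, payload):
    """Simplified evaluation of the content/pcre/dsize options against one payload: each
    content or pcre is searched from the end of the previous match, which is what the
    distance:0 modifiers in rule 1 ask for. Hypothetical approximation, not a Snort
    engine (no flow state, no pcre flags, no dsize ranges)."""
    cursor = 0
    for key, val in rule["options"]:
        if key == "content":
            needle = decode_content(val)
            pos = payload.find(needle, cursor)
            if pos < 0:
                return False
            cursor = pos + len(needle)
        elif key == "pcre":
            m = re.compile(val.strip('"').strip('/').encode()).search(payload, cursor)
            if not m:
                return False
            cursor = m.end()
        elif key == "dsize":  # e.g. "<15": payload must be shorter than 15 bytes
            op, limit = val[0], int(val[1:])
            if (op == '<' and len(payload) >= limit) or (op == '>' and len(payload) <= limit):
                return False
    return True

class DetectionFilter:
    """detection_filter: track by_dst, count N, seconds S. Alert only once a
    destination has matched N times inside a sliding S-second window."""
    def __init__(self, count, seconds):
        self.count, self.seconds, self.seen = count, seconds, defaultdict(list)

    def hit(self, dst, ts):
        window = [t for t in self.seen[dst] if ts - t < self.seconds] + [ts]
        self.seen[dst] = window
        return len(window) >= self.count

def detection_filter_of(rule):
    for key, val in rule["options"]:
        if key == "detection_filter":
            params = dict(p.split() for p in val.split(','))
            return DetectionFilter(int(params["count"]), int(params["seconds"]))
    return None

def alerts_for(rule, events):
    """events: (timestamp, dst, payload) tuples; returns timestamps at which the rule alerts."""
    df, fired = detection_filter_of(rule), []
    for ts, dst, payload in events:
        if payload_matches(rule, payload) and (df is None or df.hit(dst, ts)):
            fired.append(ts)
    return fired

# Constructed sample traffic: a Slowloris-style keep-alive header (11 bytes) sent repeatedly
# to one server, and an ordinary request that should trigger neither rule.
KEEPALIVE = b"X-a: 1234\r\n"
NORMAL = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BURST = [(0, "10.0.0.5", KEEPALIVE), (10, "10.0.0.5", KEEPALIVE),
         (20, "10.0.0.5", KEEPALIVE), (25, "10.0.0.5", NORMAL)]
SPARSE = [(0, "10.0.0.5", KEEPALIVE), (40, "10.0.0.5", KEEPALIVE), (80, "10.0.0.5", KEEPALIVE)]

if __name__ == "__main__":
    for name, rule in (("rule 1", RULE_1), ("rule 2", RULE_2)):
        print(name, "quoting:", rule_text_problem("'" + rule + "'") or "ok",
              "| burst alerts:", alerts_for(parse_rule(rule), BURST),
              "| sparse alerts:", alerts_for(parse_rule(rule), SPARSE))
```

Run against the constructed traffic, rule 1 alerts on every keep-alive header it sees, while rule 2 stays silent until the third header reaches the same destination within 30 seconds and never fires when the headers are 40 seconds apart; that difference in noise level is the kind of comparison the manual suggests making between the two rules.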
When writing rules, only double quotes (symbol ") may be used inside the text of the rule, and the rule itself must be enclosed in single quotes (symbol ').
13.7 Eltex Distribution Manager interaction configuration
EDM (Eltex Distribution Manager) is a service that distributes licensed content to devices under a commercial subscription.
Using Kaspersky Lab's security infrastructure, including the Kaspersky Security Network cloud-based 'collective intelligence' with Kaspersky SafeStream II support, the ESR service router is able to detect malware