show services ids

Syntax

show services ids (destination-table | pair-table | source-table)
<brief | extensive | terse>
<destination-prefix destination-prefix-name>
<interface interface-name>
<limit number>
<order (anomalies | bytes | flows | packets)>
<service-set service-set-name>
<source-prefix source-prefix-name>
<threshold number>

Release Information

Command introduced before Junos OS Release 7.4.

Description

Display information about intrusion detection service (IDS) events. All events gathered by IDS are reported as anomalies, including events that the stateful firewall legitimately allows: for example, creating a forward or watch flow, or accepting FTP passive-mode or FTP active-mode data connections. These are logged as anomalies so that their rates and counts can be tracked alongside genuine attack indicators.

Options

destination-table

Display information for an address under possible attack.

pair-table

Display information for a particular suspected attack source and destination address pair.

source-table

Display information for an address that is a suspected attacker.

brief | extensive | terse

(Optional) Display the specified level of output.

destination-prefix destination-prefix-name

(Optional) Display information for a particular destination prefix.

interface interface-name

(Optional) Display information for a particular adaptive services interface. On M Series and T Series routers, interface-name is sp-fpc/pic/port or rspnumber. On J Series routers, interface-name is sp-pim/0/port.

limit number

(Optional) Maximum number of entries to display. By default, each table shows the top 32 entries, sorted by the criterion chosen with the order option. To display more entries, set limit to a value of up to 256.

order

(Optional) Sort the entries by one of the following criteria. The default is anomalies.

  • anomalies—Order output by number of anomalies.
  • bytes—Order output by number of bytes received.
  • flows—Order output by number of flows.
  • packets—Order output by number of packets received.

service-set service-set-name

(Optional) Display information about a particular service set.

source-prefix source-prefix-name

(Optional) Display information about a particular source prefix.

threshold number

(Optional) Limit the display to entries whose count for the order criterion (anomalies, bytes, flows, or packets) exceeds number. For example, to display all entries with more than 100 flows, specify order flows and threshold 100.

Required Privilege Level

view

List of Sample Output

show services ids destination-table
show services ids destination-table extensive
show services ids destination-table extensive order anomalies
show services ids pair-table extensive
show services ids pair-table extensive limit
show services ids source-table extensive
show services ids source-table extensive limit

Output Fields

Table 1 lists the output fields for the show services ids command. Output fields are listed in the approximate order in which they appear.

Table 1: show services ids Output Fields

Field Name

Field Description

Output Level

Interface

Name of an adaptive services interface.

All levels

Service set

Name of a service set. Individual empty service sets are not displayed, but if no service set has any flows, a flow table header is printed for each service set.

All levels

Sorting order

Primary mode to display information: Anomalies, Bytes, Flows, or Packets.

All levels

Source address

Name of the source address.

All levels

Dest address

Name of the destination address.

All levels

Time

Total time the information has been in the table.

All levels

Flags

Flags can be Forced, SYNcookie, or both (Forced+SYNcookie); terse output abbreviates these as F, S, and F+S. The SYNcookie flag appears only in the destination table.

All levels

Application

Configured application, such as FTP or Telnet.

All levels

Bytes

Total number of bytes sent from the source to the destination address, in thousands (k) or millions (m).

All levels

Packets

Total number of packets sent from the source to the destination address, in thousands (k) or millions (m).

All levels

Flows

Total number of flows of packets sent from the source to the destination address, in thousands (k) or millions (m).

All levels

Anomalies

Total number of packets in the anomaly table, in thousands (k) or millions (m).

All levels

Anomaly description

One or more of the following types of anomalies. For more information, see the detailed descriptions in the stateful firewall section of the Junos OS System Log Messages Reference.

  • First packet of TCP session not SYN
  • ICMP echo request dropped, because sequence number duplicated
  • ICMP echo reply dropped. No matching sequence number
  • ICMP echo request dropped. Too many echo requests without echo reply
  • ICMP header length check failed
  • ICMP packet length greater than 64K
  • IP fragment assembly timeout
  • IP fragment length error
  • IP fragment overlap
  • IP packet length greater than 64K
  • IP packet too short
  • IP packet with broadcast destination address
  • IP packet with checksum error
  • IP packet with incorrect length
  • IP packet with TTL equal to 0

extensive

Anomaly description (continued)

  • IP packet with version other than 4
  • Land attack (IP src address = dest address)
  • No matching SFW rule; attempting to create discard flow
  • Number of open sessions exceeds IDS limit; packet dropped
  • Packet rate exceeds IDS limit; packet dropped
  • Session creation rate exceeds IDS limit; packet dropped
  • SFW application message too long
  • SFW discard packet contains non-configured IP option types
  • SFW drop packet because of discard flow
  • SFW dropped TCP watch packet
  • SFW rules request FTP active mode data packets to be accepted; attempting to create forward flow
  • SFW rules request FTP passive mode data packets to be accepted; attempting to create forward flow
  • SFW rules request packet to be accepted; attempting to create forward or watch flow
  • SFW rules request packet to be discarded; attempting to create discard flow
  • SFW rules request packet to be rejected; attempting to create reject flow
  • SFW discard flow requires packet to be dropped
  • SFW SYN defense
  • Smurf attack (ping to IP broadcast address)
  • TCP FIN/RST or SYN/(URG|FIN|RST) flags set
  • TCP header length check failed
  • TCP port scan (port not in LISTEN state)
  • TCP seq number zero and FIN/PSH/RST flags set
  • TCP seq number zero and no flags set
  • TCP source or destination port zero
  • TCP SYN flood attack
  • UDP header length check failed
  • UDP port scan (port not in LISTEN state)
  • UDP source or destination port zero

extensive

Count

Number of times that a particular anomaly occurred, in thousands (k) or millions (m).

extensive

Rate (eps)

Anomaly events per second. The IDS subsystem maintains a weighted average of rates, which might not reflect the exact incoming rate of an attack when the rate is low. At high rates, above about 160 events per second, the reported rate generally matches the actual rate.

extensive

Elapsed

Time since the same type of event last occurred.

extensive

Total IDS table entries

Number of entries in the IDS table. This number is not necessarily the sum of all entries displayed.

All levels

Total failed IDS table entry insertions

Number of IDS entries not allowed into the table because the table was full.

All levels

Total number of events (closed flows and anomalies detected)

Total number of events since the system was started or since the show ids services command was executed.

All levels

Sample Output

show services ids destination-table

user@host> show services ids destination-table
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address   Time    Flags             Application

any             ->   10.58.255.146   36m12s SYN cookie
  Bytes:   35.0 m, Packets:  822.0 k, Flows:  274.0 k, Anomalies: 2251.0 k


Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2606018

show services ids destination-table extensive

user@host> show services ids destination-table extensive
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address   Time    Flags             Application

any             ->   10.58.255.146   35m52s SYN cookie
  Bytes:   34.0 m, Packets:  798.0 k, Flows:  266.0 k, Anomalies: 2251.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    First packet of TCP session not SYN             160.0 k       0       14s
    TCP source or destination port zero             634.0 k   154.6     3m37s
    UDP source or destination port zero             633.0 k   170.0     3m37s
    ICMP header length check failed                    2875     0.9     3m37s
    IP fragment assembly timeout                    820.0 k    12.8     3m18s
    UDP header length check failed                      385     0.5     3m53s
    TCP header length check failed                      383     0.5     3m53s

Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2598063

show services ids destination-table extensive order anomalies

user@host> show services ids destination-table extensive order anomalies
Interface: sp-0/2/0, Service set: ss1
IDS sorting order: Anomalies
Source address       Dest address      Time Flags             Application
15.1.1.1        ->    15.99.1.1           1m28s               junos-ftp
  Bytes: 1065, Packets: 18, Flows: 1, Anomalies: 10
   Anomaly description                               Count   Rate(eps)  Elapsed
   creating forward or watch flow                      1     15.6       1m28s
   Number of open sessions exceeds IDS limit           9      0.8         18s

Total IDS table entries:                                    3                   
Total failed IDS table entry insertions                     0                   
Total number of events (closed flows and anomalies):        11                  

show services ids pair-table extensive

user@host> show services ids pair-table extensive
Interface: sp-3/2/0, Service set: ss_all_limits
IDS sorting order: Packets
Source address       Dest address      Time Flags             Application
15.1.1.4        ->      15.99.1.4     2m20s                  junos-ftp                 
  Bytes: 5.7k, Packets: 102.0, Flows: 41.0, Anomalies: 462.0
    Anomaly description                               Count     Rate   Elapsed
    creating forward or watch flow                     41.0      8.8     2m17s        
    Packet rate exceeds IDS src limit                  21.0      7.1     2m17s        
    Session creation rate exceeds IDS src limit       359.0     99.7     2m16s        
    TCP SYN flood attack                               41.0      1.9     1m30s        
        

Total IDS table entries:                                    3                   
Total failed IDS table entry insertions                     0                   
Total number of events (closed flows and anomalies):        462 

show services ids pair-table extensive limit

user@host> show services ids pair-table extensive limit 3
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address   Time    Flags             Application
10.58.255.18    ->   10.58.255.146   38m41s SYN cookie
  Bytes:  286.0 m, Packets: 2823.0 k, Flows:  324.0 k, Anomalies:  387.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    First packet of TCP session not SYN             160.0 k     0.1       25s
    TCP source or destination port zero              69.0 k    14.1     6m26s
    UDP source or destination port zero              68.0 k    12.7     6m26s
    ICMP header length check failed                     318     0.1      7m6s
    IP fragment assembly timeout                     88.0 k     1.3      6m7s
    UDP header length check failed                       39     0.0     6m58s
    TCP header length check failed                       46     0.0     6m45s

10.58.255.23    ->   10.58.255.146   18m48s SYN cookie
  Bytes:  104.0 m, Packets:  421.0 k, Flows:      230, Anomalies:  124.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    TCP source or destination port zero              37.0 k     9.8     6m26s
    UDP source or destination port zero              37.0 k     8.4     6m26s
    IP fragment assembly timeout                     48.0 k     1.0      6m7s
    ICMP header length check failed                     190     0.2     6m47s
    UDP header length check failed                       29     0.0     6m51s
    TCP header length check failed                       23     0.0     6m59s

10.58.255.25    ->   10.58.255.146   18m48s SYN cookie
  Bytes:  104.0 m, Packets:  420.0 k, Flows:      232, Anomalies:  123.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    TCP source or destination port zero              37.0 k     9.8      6m26s
    UDP source or destination port zero              37.0 k     8.6      6m26s
    IP fragment assembly timeout                     48.0 k     1.5       6m7s
    ICMP header length check failed                     173     0.1      6m43s
    UDP header length check failed                       24     0.0      6m43s
    TCP header length check failed                       19     0.0      6m56s

Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2659291

show services ids source-table extensive

user@host> show services ids source-table extensive
Interface: sp-3/2/0, Service set: ss_all_limits
IDS sorting order: Packets
Source address       Dest address      Time Flags             Application
15.1.1.4        ->            any     2m43s                  junos-ftp                 
  Bytes: 5.7k, Packets: 102.0, Flows: 41.0, Anomalies: 462.0
    Anomaly description                               Count     Rate   Elapsed
    creating forward or watch flow                     41.0      8.8     2m40s        
    Packet rate exceeds IDS src limit                  21.0      7.1     2m40s        
    Session creation rate exceeds IDS src limit       359.0     99.7     2m39s        
    TCP SYN flood attack                               41.0      1.9     1m53s        
        

Total IDS table entries:                                    3                   
Total failed IDS table entry insertions                     0                   
Total number of events (closed flows and anomalies):        462                 

show services ids source-table extensive limit

user@host> show services ids source-table extensive limit 3
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address   Time    Flags             Application

10.58.255.18    ->             any   40m 0s SYN cookie
  Bytes:  250.0 m, Packets: 1978.0 k, Flows:  356.0 k, Anomalies:  387.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    TCP source or destination port zero              37.0 k     9.8     6m26s
    First packet of TCP session not SYN             160.0 k     0.0       40s
    TCP source or destination port zero              69.0 k    62.5     7m45s
    UDP source or destination port zero              68.0 k    56.2     7m45s
    ICMP header length check failed                     319     0.1     7m49s
    IP fragment assembly timeout                     89.0 k     4.4     7m26s
    UDP header length check failed                       39     0.0     8m17s
    TCP header length check failed                       46     0.0      8m4s

10.58.255.30    ->             any   20m 7s SYN cookie
  Bytes:  107.0 m, Packets:  427.0 k, Flows:      264, Anomalies:  125.0 k    
    Anomalies                                       Count   Rate(eps) Elapsed
    UDP source or destination port zero              38.0 k    65.5     7m45s
    TCP source or destination port zero              37.0 k    38.1     7m45s
    IP fragment assembly timeout                     49.0 k     4.1     7m26s
    TCP header length check failed                       24     0.0     9m23s
    ICMP header length check failed                     165     0.1      8m6s
    UDP header length check failed                       26     0.0     8m13s

10.58.255.17    ->             any   20m10s SYN cookie
  Bytes:  107.0 m, Packets:  426.0 k, Flows:      262, Anomalies:  125.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    TCP source or destination port zero              38.0 k    55.      7m45s
    UDP source or destination port zero              38.0 k    55.1     7m45s
    ICMP header length check failed                     147    0.1      7m50s
    IP fragment assembly timeout                     49.0 k    2.8      7m26s
    TCP header length check failed                       22    0.0      9m33s
    UDP header length check failed                       22    0.0       8m1s
Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2691423
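The following added example is not Juniper code and is not taken from this page: it parses the extensive output shown in the samples above and re-applies the order, threshold, and limit semantics from the Options section in Python, so that saved CLI output can be triaged offline. The sample text inside it is constructed to match the page's layout rather than captured from a router; the Forced flag spellings the parser accepts are assumed from the Flags row of Table 1, and the parse_ids_table, select, hot_anomalies, and table_health function names are this example's own.

```python
"""Parse 'show services ids <table> extensive' output and re-apply the
order / threshold / limit semantics from the Options section. Added example,
not Junos code; SAMPLE is constructed in the page's layout, not device output
(failed insertions is set to 3 so that table_health() has something to flag)."""
import re

SAMPLE = """\
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address   Time    Flags             Application
10.58.255.18    ->   10.58.255.146   38m41s SYN cookie
  Bytes:  286.0 m, Packets: 2823.0 k, Flows:  324.0 k, Anomalies:  387.0 k
    Anomalies                                       Count   Rate(eps) Elapsed
    First packet of TCP session not SYN             160.0 k     0.1       25s
    TCP source or destination port zero              69.0 k    14.1     6m26s

15.1.1.4        ->      15.99.1.4     2m20s                  junos-ftp
  Bytes: 5.7k, Packets: 102.0, Flows: 41.0, Anomalies: 462.0
    Anomaly description                               Count     Rate   Elapsed
    Session creation rate exceeds IDS src limit       359.0     99.7     2m16s
    TCP SYN flood attack                               41.0      1.9     1m30s

Total IDS table entries: 87
Total failed IDS table entry insertions 3
Total number of events (closed flows and anomalies detected): 2659291
"""

SCALE = {"": 1, "k": 1_000, "m": 1_000_000}   # count suffixes used by the output
HEADER_RE = re.compile(r"^Interface:\s*(\S+),\s*Service set:\s*(\S+)$")
ORDER_RE = re.compile(r"^(?:IDS )?[Ss]orting order:\s*(\S+)$")
ENTRY_RE = re.compile(r"^(\S+)\s+->\s+(\S+)\s+(\d+m\s*\d+s|\d+[ms])\s*(.*)$")
SUMMARY_RE = re.compile(r"(\w+):\s*(\d[\d.]*)\s*([kmM]?)")
ANOMALY_RE = re.compile(r"^(.+?)\s{2,}(\d[\d.]*)\s*([kmM]?)\s+(\d[\d.]*)\s+(\S+)$")
# "SYN cookie" is how the samples print the SYNcookie flag; the Forced spellings
# are assumed from Table 1 and may be printed differently by a real box.
FLAGS_RE = re.compile(r"^(Forced\+SYN ?cookie|SYN ?cookie|Forced)\b")
TOTALS = (("total_entries", re.compile(r"^Total IDS table entries:?\s*(\d+)$")),
          ("failed_insertions", re.compile(r"^Total failed IDS table entry insertions:?\s*(\d+)$")),
          ("total_events", re.compile(r"^Total number of events.*:\s*(\d+)$")))


def scaled(num: str, unit: str) -> float:
    return float(num) * SCALE[unit.lower()]


def parse_ids_table(text: str) -> dict:
    table = {"interface": "", "service_set": "", "sorting_order": "", "entries": [],
             "total_entries": 0, "failed_insertions": 0, "total_events": 0}
    cur = None                                            # entry being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            table["interface"], table["service_set"] = m.groups()
        elif m := ORDER_RE.match(line):
            table["sorting_order"] = m.group(1)
        elif m := ENTRY_RE.match(line):                   # "src -> dst time flags app"
            src, dst, when, rest = (g.strip() for g in m.groups())
            flags = f.group(1) if (f := FLAGS_RE.match(rest)) else ""
            cur = {"source": src, "dest": dst, "time": when.replace(" ", ""),
                   "flags": flags, "application": rest[len(flags):].strip(),
                   "bytes": 0.0, "packets": 0.0, "flows": 0.0, "anomalies": 0.0, "detail": []}
            table["entries"].append(cur)
        elif line.startswith("Bytes:") and cur is not None:  # per-entry counters
            for key, num, unit in SUMMARY_RE.findall(line):
                cur[key.lower()] = scaled(num, unit)
        elif (m := ANOMALY_RE.match(line)) and cur is not None:  # detail rows
            name, num, unit, rate, elapsed = m.groups()
            cur["detail"].append((name, scaled(num, unit), float(rate), elapsed))
        else:                                             # trailer totals
            for attr, rx in TOTALS:
                if m := rx.match(line):
                    table[attr] = int(m.group(1))
    return table


def select(table: dict, order: str = "anomalies", threshold: float = 0, limit: int = 32) -> list:
    """The CLI's order/threshold/limit: entries whose criterion exceeds threshold,
    largest first, at most limit of them (CLI default 32, maximum 256)."""
    if order not in ("anomalies", "bytes", "flows", "packets"):
        raise ValueError(f"unknown order {order!r}")
    rows = [e for e in table["entries"] if e[order] > threshold]
    return sorted(rows, key=lambda e: e[order], reverse=True)[:min(limit, 256)]


def hot_anomalies(table: dict, min_eps: float) -> list:
    """(source, dest, anomaly, eps) for every anomaly at or above min_eps, hottest
    first. Count is history; Rate(eps) is what is happening now (a weighted
    average, so treat low values as approximate, as the Output Fields note says)."""
    hits = [(e["source"], e["dest"], name, eps)
            for e in table["entries"] for name, _, eps, _ in e["detail"] if eps >= min_eps]
    return sorted(hits, key=lambda h: h[3], reverse=True)


def table_health(table: dict) -> list:
    """Caveats a reader of this output should not miss."""
    issues = []
    if table["failed_insertions"]:
        issues.append(f"{table['failed_insertions']} insertions failed: the IDS table "
                      "was full, so some sources/destinations were never tracked")
    if table["total_entries"] > len(table["entries"]):
        issues.append(f"only {len(table['entries'])} of {table['total_entries']} entries "
                      "shown; rerun with a larger limit or an explicit threshold")
    return issues
```

Calling parse_ids_table(SAMPLE) and then select(table, "flows", 100) reproduces what order flows threshold 100 would show on the router; hot_anomalies keys on Rate(eps) rather than Count because Count accumulates for the life of the entry while the rate reflects current activity; and a non-zero "Total failed IDS table entry insertions" means the view is incomplete because the table was full, which table_health reports.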

Published: 2013-01-30