IDS rules identify traffic for which you want the router software to count events. Because IDS is based on stateful firewall properties, you must configure at least one stateful firewall rule and include it in the service set with the IDS rules; for more information, see Stateful Firewall Services Configuration Guidelines.
To configure an IDS rule, include the rule rule-name statement at the [edit services ids] hierarchy level:
```
[edit services ids]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            aggregation {
                destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value | source-prefix-ipv6 prefix-value;
            }
            (force-entry | ignore-entry);
            session-limit {
                by-destination {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-pair {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-source {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
            }
            syn-cookie {
                mss value;
                threshold rate;
            }
        }
    }
}
```
Each IDS rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:
- a from statement, which specifies the match conditions that select the traffic the term applies to
- a then statement, which specifies the actions to take on traffic that matches
The following sections describe IDS rule content in more detail: the match direction, the match conditions, and the actions.
Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | input-output | output) statement at the [edit services ids rule rule-name] hierarchy level:
```
[edit services ids rule rule-name]
match-direction (input | output | input-output);
```
If you configure match-direction input-output, the rule is matched against packets in both directions (a bidirectional rule).
The match direction is used with respect to the traffic flow through the AS or MultiServices PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or MultiServices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces.
On the AS or MultiServices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.
To configure IDS match conditions, include the from statement at the [edit services ids rule rule-name term term-name] hierarchy level:
```
[edit services ids rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}
```
If you omit the from statement, the software accepts all events and places them in the IDS cache for processing.
The source address and destination address can be either IPv4 or IPv6. You can use the destination address, a range of destination addresses, a source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the JUNOS Policy Framework Configuration Guide.
Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the IDS rule. For an example, see Examples: Configuring Stateful Firewall Rules.
You can also include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see Applications Configuration Guidelines.
Note: If you include the applications or application-sets statement, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify port or protocol directly as match conditions in the IDS rule.
If a match occurs on an application, the application protocol is displayed separately in the show services ids command output. For more information, see the JUNOS System Basics and Services Command Reference.
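The following configuration ties the pieces above together end to end: applications defined at [edit applications], a prefix list at [edit policy-options], the stateful firewall rule that IDS depends on, an IDS rule with match-direction input, and the interface service set that carries both rules. It is an added example, not configuration from the original page. The interface ge-0/0/0, the services PIC sp-1/2/0, the addresses, the threshold values and all names are assumptions; the stateful-firewall, service-set and interface statements come from the companion guides the page refers to and are assumed here. The then clause uses the session-limit action, which is described later on this page.

```junos
/* Added example, not from the original page. Interface, services PIC,
   addresses, threshold values and all names are assumptions. */
applications {
    /* Port and protocol are defined here; the IDS rule inherits them
       through the application-set and cannot restate them in its from clause. */
    application web-http {
        protocol tcp;
        destination-port 80;
    }
    application-set web-servers {
        application web-http;
    }
}
policy-options {
    prefix-list dmz-servers {
        192.0.2.0/24;
    }
}
services {
    /* IDS rides on stateful-firewall state, so the service set needs at
       least one stateful-firewall rule. Only accepted packets reach IDS. */
    stateful-firewall {
        rule sfw-web {
            match-direction input;
            term allow-web {
                from {
                    application-sets web-servers;
                    destination-prefix-list dmz-servers;
                }
                then {
                    accept;
                }
            }
            term deny-rest {
                then {
                    discard;
                }
            }
        }
    }
    ids {
        rule ids-web {
            /* input = packets entering ge-0/0/0 (the untrusted side here);
               packets leaving it carry direction output and never match this rule. */
            match-direction input;
            term web-from-anywhere {
                from {
                    source-address any-unicast;
                    destination-prefix-list dmz-servers;
                    application-sets web-servers;
                }
                then {
                    session-limit {
                        by-destination {
                            maximum 2000;
                            rate 200;
                        }
                    }
                }
            }
        }
    }
    service-set dmz-edge {
        stateful-firewall-rules sfw-web;
        ids-rules ids-web;
        interface-service {
            service-interface sp-1/2/0;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set dmz-edge;
                    }
                    output {
                        service-set dmz-edge;
                    }
                }
                address 198.51.100.1/30;
            }
        }
    }
}
```

Because this is an interface service set, direction is decided by whether a packet enters or leaves ge-0/0/0, so the IDS rule only ever sees inbound web traffic that the stateful firewall accepted; packets dropped by the deny-rest term are never counted. Matches on web-http show up as a separate application entry in the show services ids output, as the page notes above.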
To configure IDS actions, include the then statement at the [edit services ids rule rule-name term term-name] hierarchy level:
```
[edit services ids rule rule-name term term-name]
then {
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }
    (force-entry | ignore-entry);
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }
    syn-cookie {
        mss value;
        threshold rate;
    }
}
```
You can configure the following possible actions:
- aggregation: aggregate IDS entries by source or destination prefix
- force-entry or ignore-entry: override the default entry behavior
- logging: generate system log messages, optionally only above a threshold rate
- session-limit: limit sessions by destination, by source and destination pair, or by source
- syn-cookie: enable SYN-cookie defenses
To configure aggregation prefixes, include the aggregation statement at the [edit services ids rule rule-name term term-name then] hierarchy level and specify values for source-prefix, destination-prefix, source-prefix-ipv6, or destination-prefix-ipv6:
```
[edit services ids rule rule-name term term-name then]
aggregation {
    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
}
```
The value of source-prefix and destination-prefix is an IPv4 prefix length and must be an integer between 1 and 32. The value of source-prefix-ipv6 and destination-prefix-ipv6 is an IPv6 prefix length and must be an integer between 1 and 128.
To configure an entry behavior different from the default, include the force-entry or ignore-entry statement at the [edit services ids rule rule-name term term-name then] hierarchy level:
```
[edit services ids rule rule-name term term-name then]
(force-entry | ignore-entry);
```
ignore-entry ensures that all IDS events for the matching traffic are ignored. You can use this statement to disregard all traffic from a host you trust, including any temporary anomalies that IDS would otherwise count as events.
To configure logging, include the logging statement at the [edit services ids rule rule-name term term-name then] hierarchy level. You can optionally include a threshold rate to trigger the generation of system log messages; the threshold rate is specified in events per second. IDS logs are generated once every 60 seconds for each anomaly that is reported, for as long as the events continue.
To configure a threshold, include the session-limit statement at the [edit services ids rule rule-name term term-name then] hierarchy level:
```
[edit services ids rule rule-name term term-name then]
session-limit {
    by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
    by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
    by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
}
```
You configure the thresholds for flow limitation based on traffic direction:
- by-destination: limits applied per destination address
- by-pair: limits applied per source and destination address pair
- by-source: limits applied per source address
For each direction, you can configure the following threshold values: hold-time seconds, maximum number, packets number, and rate number.
If you include more than one source address in the match conditions configured at the [edit services ids rule rule-name term term-name from] hierarchy level, limits are applied for each source address independently. For example, the following configuration allows a maximum of 20 sessions from each source address (10.1.1.1 and 10.1.1.2), not 20 sessions total. The same logic applies to the applications and destination-address match conditions.
```
[edit services ids rule rule-name term term-name]
from {
    source-address 10.1.1.1;
    source-address 10.1.1.2;
}
then {
    session-limit by-source {
        maximum 20;
    }
}
```
Note: IDS limits are applied only to packets that are accepted by stateful firewall rules. They are not applied to packets discarded or rejected by stateful firewall rules. For example, if the stateful firewall accepts 75 percent of the incoming traffic and the remaining 25 percent is rejected or discarded, the IDS limit applies only to the accepted 75 percent of the traffic.
To configure SYN-cookie values, include the syn-cookie statement at the [edit services ids rule rule-name term term-name then] hierarchy level:
```
[edit services ids rule rule-name term term-name then]
syn-cookie {
    mss value;
    threshold rate;
}
```
If you enable SYN-cookie defenses, you must include both a threshold rate that triggers SYN-cookie activity and a Transmission Control Protocol (TCP) maximum segment size (MSS) value for TCP delayed binding. The threshold rate is specified in SYN attacks per second. By default, the TCP MSS value is 1500; the range is from 128 through 8192.
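The IDS rule below puts the actions described in the preceding sections (ignore-entry, aggregation, session-limit in all three directions, and syn-cookie) together in one multi-term rule. It is an added example, not configuration from the original page. The prefix list, addresses and every threshold value are assumptions, as is the reading that aggregation by a /24 makes IDS key its by-source entries on the subnet rather than on individual hosts; the stateful firewall rule and the service set that must reference this rule are assumed to exist and are not shown.

```junos
/* Added example, not from the original page. Addresses, prefix-list and
   threshold values are assumptions; the stateful-firewall rule and the
   service set that reference this rule are not shown. */
policy-options {
    prefix-list trusted-monitors {
        198.51.100.10/32;
        198.51.100.11/32;
    }
}
services {
    ids {
        rule ids-edge-actions {
            match-direction input;
            /* Terms are evaluated in order, like a firewall filter, so the
               exemption for the monitoring hosts has to come first. */
            term exempt-monitors {
                from {
                    source-prefix-list trusted-monitors;
                }
                then {
                    ignore-entry;   /* scanner noise from these hosts is never counted */
                }
            }
            /* Aggregate by /24 (or /64 for IPv6) instead of by host, so one
               subnet spraying many source addresses is still a single entry. */
            term limit-per-source-net {
                from {
                    source-address any-unicast;
                }
                then {
                    aggregation {
                        source-prefix 24;
                        source-prefix-ipv6 64;
                    }
                    session-limit {
                        by-source {
                            maximum 200;
                            rate 50;
                            packets 5000;
                            hold-time 60;
                        }
                        by-pair {
                            maximum 20;
                        }
                    }
                }
            }
            /* SYN-flood defence for one server: SYN cookies start above the
               threshold, and mss is the TCP MSS used for the delayed binding. */
            term protect-web-server {
                from {
                    destination-address 192.0.2.10;
                }
                then {
                    session-limit {
                        by-destination {
                            maximum 10000;
                            rate 1000;
                        }
                    }
                    syn-cookie {
                        threshold 500;
                        mss 1460;
                    }
                }
            }
        }
    }
}
```

The order of the terms is the security-relevant part: if the limit-per-source-net term came first, traffic from the monitoring hosts would be counted and limited like everything else and the ignore-entry term would never be reached. The mss value of 1460 is an assumed choice for an Ethernet path and lies inside the 128 through 8192 range given above.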